As technology continues to advance at an unprecedented rate, the use of Artificial Intelligence (“AI”) has become increasingly prevalent in many areas and has the potential to revolutionise the way in which we interact with technology. However, with this potential comes a need for caution, especially for businesses looking to leverage AI through third-party suppliers. In this article, we’ll explore some of the key considerations which businesses should keep in mind when incorporating third-party AI into their operations.
A high-level explanation of AI
AI refers to the development of computer systems that can perform tasks that typically require human intelligence. These tasks may include problem-solving, learning, planning, natural language processing and perception. AI systems can analyse vast amounts of data, identify patterns and make decisions with minimal human intervention. Examples of AI applications include virtual assistants like Siri and Alexa, recommendation systems on streaming platforms like Netflix and predictive analytics in various industries.
Importance of conducting due diligence when engaging third parties
When businesses engage third parties, conducting due diligence is essential. This process involves thoroughly assessing the capabilities, reliability and integrity of third-party suppliers to ensure that they meet the business’s requirements and standards. By conducting thorough due diligence, businesses can minimise risks and ensure that they are partnering with trustworthy and reliable third-party suppliers. You can find more information about supplier due diligence in our blog post here.
Conducting a Data Protection Impact Assessment (“DPIA”) for AI third-party suppliers
When businesses utilise third-party suppliers for AI purposes, it’s essential to conduct a DPIA. A DPIA is a systematic and comprehensive analysis of the data processing activities that the business wishes to undertake. A DPIA is designed to identify and minimise data protection risks. A DPIA should consider compliance risks as well as broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.
Given the inherent complexities and potential risks associated with AI technologies, including algorithmic biases and the potential for unintended consequences, conducting DPIAs for AI third-party suppliers is essential to proactively identify and mitigate data protection risks, ensuring ethical and responsible AI usage while safeguarding individuals’ privacy rights.
Key points that your business should consider when contemplating and using AI third-party suppliers
Consider the scope and use of AI: Determine how you envision AI being utilised within your business and which specific tasks or areas could benefit the most from AI implementation.
Assess task importance and frequency: Evaluate the importance and frequency of the tasks that AI is intended to complete, prioritising those that have a significant impact on business operations.
Identify potential efficiency gains: Consider whether AI can enhance efficiency compared to current methods for completing tasks and assess whether AI can address any existing gaps in your business process.
Evaluate model suitability and limitations: Research the specific AI models offered by the third-party supplier and carefully consider any known or likely limitations associated with their use. Assess whether the chosen model is suitable for your intended purpose and whether it can effectively address your business needs.
Assess reputation and reliability: Investigate the AI third-party supplier’s reputation within the industry by reviewing publications, customer reviews and industry reports. Consider factors such as reliability, performance and customer satisfaction to gauge the provider’s track record in delivering quality AI solutions.
Credibility and reliability of AI output: Assess the credibility of the information generated by the AI software and verify its accuracy. Look for any discrepancies in the output and consider the potential impact of these discrepancies on your business operations. Additionally, evaluate the reliability and repeatability of the third-party AI provider’s output by running tests to ensure consistent results and identifying any anomalies.
Contractual obligations and record-keeping: Remain mindful of contractual obligations with clients outlined in agreements. Consider the potential impact of AI software issues on meeting these obligations, including the need to troubleshoot or perform tasks manually in the event of software failure. Keep detailed records of when the AI software is unavailable and the problems experienced to provide feedback to the third-party AI provider and ensure compliance with contractual requirements.
Regular security audits and controls: Conduct regular security audits of the AI software to identify and address potential vulnerabilities. Input a range of different prompts into the software to assess whether any confidential data from the data set is unknowingly disclosed in the generated output. Implement relevant security controls to prevent unauthorised access or disclosure of confidential information, ensuring the integrity and security of the AI software and its outputs.
The integration of third-party AI solutions into businesses requires careful consideration of various factors, ranging from data protection and security to accountability and ongoing maintenance. At Aria Grace Law CIC, we pride ourselves on our wealth of knowledge and experience in the fields of data protection and AI. If you’re considering implementing a third-party AI solution into your business and need expert guidance and support, please don’t hesitate to get in touch with us at privacy@aria-grace.com.
Article by Puja Modha (Partner) and Sarah Davies (Trainee Solicitor) – 3 April 2024