it-Condust-an-AI-Privacy-Risk-Assessment-Phases-1-3.pptx

FahadHasan83 143 views 66 slides Aug 28, 2024

About This Presentation

AI assessment


Slide Content

Conduct an AI Privacy Risk Assessment Navigate AI privacy and data concerns with a comprehensive privacy impact assessment.

Table of Contents
Analyst Perspective
Executive Summary
Phase 1: Identify Privacy Drivers for Your Business
Phase 2: Evaluate AI Through a Privacy Lens
Phase 3: Assess Impact of AI Implementation and Controls
Summary of Accomplishment
Additional Support
Bibliography

EXECUTIVE BRIEF Conduct an AI Privacy Risk Assessment Navigate AI privacy and data concerns with a comprehensive privacy impact assessment.

Analyst Perspective
Effective data privacy strategy leads to well-designed AI implementation.
Safayat Moahamad, Research Director, Security Practice, Info-Tech Research Group
The age of Exponential IT (eIT) has begun, with AI leaving the realm of science fiction and becoming an indispensable tool for business operations. It offers immense benefits but introduces ethical responsibilities and stringent compliance requirements, particularly when handling personal data. Organizations may become vulnerable to hefty fines and reputational risks if these requirements are not met. Trust is a cornerstone of successful business relationships. Aligning AI technology with a privacy strategy generates trust among customers and stakeholders. Privacy-conscious consumers actively seek out businesses that prioritize data protection, offering organizations a competitive edge. Building trust through data privacy will strengthen your organization's market position. It will also encourage responsible innovation and collaboration by enabling secure and ethical data sharing with your business partners. Data quality is pivotal for AI system performance. Aligning AI objectives with privacy requirements will enhance your data validation and quality checks, resulting in more effective AI models. Additionally, a proactive approach to data privacy will position your organization to be adaptable as regulations and consumer expectations evolve. Prioritizing data privacy compliance emphasizes an organization's commitment to responsible data practices and risk management. Organizations that integrate AI with a privacy strategy will be better equipped for long-term success in a data-centric world while upholding individual privacy rights.

Executive Summary
Your Challenge: The pace set by rapid advancements in technology and the increased prevalence of AI forces IT and business leaders to engage in a state of constant evolution. Simultaneously, data privacy regulations have become increasingly stringent in an attempt to safeguard personal information from manipulation. AI relies on the analysis of large quantities of data and often involves personal data within the data set, posing an ethical and operational dilemma when considered alongside data privacy law.
Common Obstacles: Achieving a carefully curated balance between innovation and regulation is a challenge for many organizations, often influenced by:
Uncertainty as to where data exists and what type of data exists within the organization.
Confusion around which data protection regulations apply and how they impact current data-processing operations.
Lack of clarity as to what problem(s) AI will solve for the business.
Info-Tech’s Approach: Design an AI implementation that is guided by data governance and data privacy best practices.
Know the external (regulatory) environment.
Know the internal (organization) data environment.
Outline the potential AI use cases.
Assess your organization’s current privacy posture.
Effective AI implementation is built on a foundation of effective data privacy principles and awareness.
Elevate your AI innovation by embedding privacy. As AI and privacy evolve, adapting PIAs is essential. Expanding the scope to include data governance for AI, incorporating ethical dimensions, fostering diverse stakeholder participation, and taking a continuous improvement approach to risk assessment is crucial for responsible AI implementation.

Your Challenge
This research is designed to help organizations who are facing these challenges and are looking to/need to:
Develop a set of relevant use cases for AI implementation based on the industry and nature of the organization’s business.
Eliminate inefficiencies by streamlining less skilled tasks through use of AI.
Retain trust of workforce and consumers through ethical AI implementation.
Create or revise the current data governance structure within the context of the business.
Align data privacy practices of the organization with the scope of the external regulatory environment.
Ensure that data privacy becomes a standard preplanning process involved in all technology implementation projects.
“As artificial intelligence evolves, it magnifies the ability to use personal information in ways that can intrude on privacy interests by raising analysis of personal information to new levels of power and speed.” – Cameron Kerry, MIT Scholar, in Brookings, 2020
65% of consumers have lost trust in organizations over their AI practices.
96% of organizations agreed they have an ethical obligation to treat data properly.
92% of organizations say they need to be doing more to reassure customers about how their data is being used in AI.
Source: Cisco, 2023

Data privacy: An enabler of AI
50% of organizations are building responsible AI governance on top of existing, mature privacy programs.
60% of organizations stated AI impact assessments are conducted in parallel to privacy assessments.
40% combine their algorithmic impact assessments with their existing process for privacy or data protection impact assessments.
Source: IAPP, 2023
Data privacy and protection regulations, such as the EU’s GDPR, call into question many of the key data principles that AI is also subject to, including: Profiling, Automating, Minimizing, Defined Period of Retention, Transparency, Right to Explanation, Purpose or Intent, and Consent. While these concepts may appear contradictory when applied to AI-powered technologies, they are fundamental in ensuring the effective deployment of AI systems. Without data privacy best practices and principles of data governance, AI is like a ship without a compass. Data privacy measures enhance the efficacy and integrity of AI systems.

Data strategy drives AI readiness.
The rapid proliferation of AI is met with trepidation as business leaders carefully examine the challenges associated with implementation. Data governance is a key strategy for effectively managing data and keeping information protected.
Integrating Responsible AI: Approach from Business Leaders
57% of business leaders say they are taking steps to confirm their AI technology is compliant with applicable regulations.
55% of business leaders state that they are taking steps to protect AI systems from cyberthreats and manipulations.
52% of business leaders state that they are taking steps to ensure AI-driven decisions are interpretable and easily explainable.
41% of business leaders are conducting reviews to be sure that third-party AI services meet standards.
Source: “2022 AI Business Survey,” PwC, 2022
Info-Tech Insight: Know your data and governance environment before you act. Scope the potential data that will be impacted and ensure appropriate controls are in place.

Responsible AI guiding principles
Without guiding principles, outcomes of AI use can be negative for individuals and organizations.
Data Privacy: AI systems must respect and safeguard individuals' privacy by addressing potential privacy impacts and implementing protective measures for sensitive data.
Explainability and Transparency: Individuals impacted by the AI system’s outputs must be able to comprehend the logic and why similar situations may yield different outcomes. Organizations have a duty to make AI system development, training, and operation understandable.
Fairness and Bias Detection: AI must align with human-centric values, which encompass core principles such as freedom, equality, fairness, adherence to laws, social justice, consumer rights, and fair commercial practices.
Accountability: This involves the responsibility of organizations and developers to ensure the expected functionality of AI systems they create, manage, or use, in line with their roles and relevant regulations, demonstrated through their actions and decision making.
Validity and Reliability: AI systems must function effectively under various use conditions and contexts. It involves assessing potential failure scenarios and their consequences.
Security and Safety: AI systems must not create undue safety risks, including physical security, throughout their lifecycle. Regulations on consumer and privacy protection define what constitutes unreasonable safety risks.
“On an operational level, there are several ways privacy processes are used for responsible AI. AI impact assessments are typically merged or coordinated with privacy impact assessments.” – IAPP, 2023
Source: Build Your Generative AI Roadmap

Microsoft case study: Responsible use of technology
Source: World Economic Forum, 2023
Industry: Technology
In 2016, Microsoft grappled with challenges following the chatbot Tay racism fiasco. The experience motivated the company to incorporate ethics into its product innovation process. Microsoft acknowledges the profound influence of technology, advocating for responsible technology development to benefit society. The company established six core ethical principles for AI: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. To translate these principles into practice, Microsoft outlined steps to support the development of ethical AI systems. Sensitive cases require reporting. In 2019, Microsoft introduced a responsible AI training course, mandatory for all employees. Now, the company employs practical tools to facilitate ethical technology development, which include impact assessments and community jury, among others. This shift promoted innovation, encouraged ethical considerations regarding technology's impact on society, and recognizes the urgency of addressing the issue.
Material impacts on Microsoft’s business processes include:
Judgment Call: A team activity where participants take on different roles to simulate product reviews from various stakeholder perspectives. This promotes empathy, encourages ethical discussions, and supplements direct stakeholder interactions in the product design process.
Envision AI: A workshop that employs real scenarios, instilling a human-centric AI approach and ethical considerations, empowering participants to understand and address the impacts of their products on stakeholders.
Impact Assessments: Impact assessments are compulsory for all AI projects in its development process. The completed assessments undergo peer and executive review, ensuring the responsible development and deployment of AI.
Community Jury: A method for project teams to engage with diverse stakeholders who share their perspectives and discuss the impacts of a product. A group of representatives serve as jury members, and a neutral moderator facilitates the discussion, allowing participants to jointly define opportunities and challenges.
Additionally, Microsoft utilizes software tools aimed at understanding, assessing, and mitigating the ethical risks associated with machine learning models.

Nvidia: A case for privacy enhancing technology in AI
Source: Nvidia, n.d.; eWeek, 2019
Industry: Technology (Healthcare)
Nvidia, a leading player within the AI solution space, offers Clara Federated Learning, which provides a long-awaited solution to a privacy-centric integration of AI within the healthcare industry. The solution safeguards patient data privacy by ensuring that all data remains within the respective healthcare provider’s database, as opposed to moving it externally to cloud storage. A federated learning server is leveraged in order to share data, completed via a secure link. This framework enables a distributed model to learn and safely share client data without risk of sensitive client data being exposed and adheres to regulatory standards. Clara is run on the NVIDIA EGX intelligent edge computing platform. It is currently in development with healthcare giants such as the American College of Radiology, UCLA Health, Massachusetts General Hospital, as well as King’s College London, Owkin in the UK, and the National Health Service (NHS). Nvidia provides solutions across its product offerings, including AI-augmented medical imaging, pathology, and radiology solutions.
Personal health information, data privacy, and AI
Global proliferation in data privacy regulations may be recent, but the realm of personal health information is most often governed by its own set of regulatory laws. Some countries with national data governance regulations include health information and data within special categories of personal data.
HIPAA – Health Insurance Portability and Accountability Act (1996, United States)
PHIPA – Personal Health Information Protection Act (2004, Canada)
GDPR – General Data Protection Regulation (2018, European Union)
This does not prohibit the injection of AI within the healthcare industry, but it calls for significant care in the integration of specific technologies due to the highly sensitive nature of the data being processed.

Info-Tech’s methodology for AI and data protection readiness
Phase 1. Identify Privacy Drivers for Your Business
Phase Steps: Define your privacy drivers; Understand data privacy principles; Review Info-Tech’s privacy framework
Phase Outcomes: Knowledge on privacy principles and frameworks; Documented list of privacy program drivers; Documented list of privacy objectives; Level-setting on understanding of privacy from core team
Phase 2. Evaluate AI Through a Privacy Lens
Phase Steps: Define your AI drivers; Understand AI and its applications; Evaluate in the context of data privacy
Phase Outcomes: Knowledge of the different types of AI; Documented list of AI drivers; Technology-specific use cases; Level-setting on understanding of AI in the context of the organization from core team
Phase 3. Assess Impact of Implementation and Controls
Phase Steps: Review your data governance posture; Understand AI risk management; Consider privacy enhancing technologies
Phase Outcomes: Understand operational posture for data governance, security, and privacy; Assessing the privacy implications of implementing AI technology

Insight Summary
Implement responsible AI
Elevate your AI innovation by embedding privacy. As AI and privacy evolve, adapting PIAs is essential. Expanding the scope to include data governance for AI, incorporating ethical dimensions, fostering diverse stakeholder participation, and taking a continuous improvement approach to risk assessment is crucial for responsible AI implementation.
Assess the changing landscape
Learn from those who paved the way before you. Once you've determined your organization's privacy strategy, analyze various use cases specific to your industry. Assess how leaders in your sector have incorporated AI technology with privacy considerations, successfully or unsuccessfully. Draw from both sets of results and strategies to get your organization ready while eliminating unsuitable use cases.
Embrace a privacy-centric approach
Prioritize data privacy as an integral part of your organization's values, operations, and technologies in the AI-driven future. This approach is essential for responsible AI implementation. It will offer insight and awareness for aligning AI with your current processes, data landscape, regulatory requirements, and future goals. A privacy-centric approach will enable your technology to achieve compliance and trust.
Be precise
Narrow down the potential ways AI can improve existing operations in your environment in order to drive efficiencies.
Govern your data
Know your data and governance environment before you act. Scope the potential data that will be impacted and ensure appropriate controls are in place.

Blueprint benefits IT Benefits Business Benefits An updated understanding of the different types of AI and relevant industry-specific use cases. Perspective from a privacy lens on mitigating data privacy risk through IT best practices. Guidance on completion of impact assessments that validate the integration of AI technology within the organization’s environment. Knowledge around core AI vendor solutions that maintain a privacy-first approach based on integration of explainability. Data privacy best practices and how AI technology can support a privacy-centric environment. Overview of the different types of AI and how they drive business efficiency in isolation or in combination. Understanding of the scope of data privacy regulations within the context of the organization. Comprehensive outlook around data privacy best practices that enable effective AI integration. Ability to leverage privacy as a competitive advantage in streamlining how customer data flows through the organization.

Guided Implementation
What does a typical GI on this topic look like?
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is four to six calls over the course of four to six months.
Call #1: Scope requirements, objectives, and your specific challenges.
Call #2: Discuss AI project pipeline.
Call #3: Review organization’s privacy drivers.
Call #4: Review organization’s AI drivers.
Call #5: Assess current data governance approach and privacy posture.
Call #6: Review and make modifications to privacy impact assessment for AI project.

Workshop Overview
Day 1: Identify Privacy Drivers for Your Business
1.1 Understand personal data and the need for a privacy program.
1.2 Discuss legal, contractual, and regulatory obligations.
1.3 Understand privacy regulation and AI.
1.4 Discuss privacy and data protection by design.
1.5 Define and document program drivers.
Day 2: Evaluate AI Through a Privacy Lens
2.1 Understand types of AI and its advantages.
2.2 Discuss industry applications of AI powered technologies.
2.3 Define and document AI project drivers.
2.4 Understanding the importance of data governance for AI.
2.5 Discuss privacy enhancing techniques for AI.
Day 3: Assess the Impact of AI Implementation
3.1 Conduct threshold analysis for AI project.
3.2 Document details of AI governance framework, technical and business requirements, and testing methods.
3.3 Document details of data governance structure for the AI system.
3.4 Document privacy practices pertaining to the AI project.
3.5 Identify potential risks and propose potential mitigation.
Day 4: Report the Impact of AI Implementation
4.1 Document details of supply chain environments.
4.2 Document security practices pertaining to the AI project.
4.3 Identify potential risks and propose potential mitigation.
4.4 Prepare PIA report.
4.5 Debrief.
Day 5: Next Steps and Wrap-Up (Offsite)
5.1 Complete in-progress deliverables from previous four days.
5.2 Set up time to review workshop deliverables and discuss next steps.
Deliverables:
Business context and drivers behind privacy program
Business context and drivers behind AI project
Completed threshold analysis determining need for a lite or full PIA
Completed privacy impact assessment and report
Contact your account representative for more information. [email protected] 1-888-670-8889

Measure the value of this blueprint
As AI technology continues to augment organizational capabilities and drive efficiency, business and IT leaders must look to integrate appropriate use cases in a responsible manner that accounts for data privacy and protection regulatory obligations. A privacy impact assessment approach ensures organizations remain compliant and can effectively implement AI technologies in a way that applies to the specific business environment.
Info-Tech’s data privacy and AI project steps
Coordinate internal stakeholders to identify privacy and AI tech drivers.
Evaluate use cases and review data governance structure and data privacy program strategy.
Assess the privacy implications of implementing AI technology.
Info-Tech Project Value
12 weeks: Average duration of an initial PIA
480 hours: Average dedicated hours of external consultant’s privacy assessment of an organization
$125: Average hourly rate of external consultant for a privacy assessment
45 hours: PIA duration leveraging this blueprint
$54,375: Estimated cost savings from this blueprint
Note: The duration of a privacy impact assessment (PIA) can vary depending on the complexity of the project and the data involved. It can take several weeks to a few months. For the purposes of this blueprint, projects are assumed to be of moderate complexity.
“Artificial intelligence is already altering the world and raising important questions for society, the economy, and governance.” – Brookings, 2018

Phase 1: Identify Privacy Drivers for Your Business
Phases: Phase 1, Identify Privacy Drivers for Your Business; Phase 2, Evaluate AI Through a Privacy Lens; Phase 3, Assess Impact of AI Implementation and Controls
This phase will walk you through the following activities: Define your data privacy drivers
This phase involves the following participants: Privacy officer, Senior management team, IT team lead/director, PMO or PMO representative, Core privacy team, InfoSec representative, IT representative

1.1 Define your data privacy drivers
1 hour
Bring together a large group comprised of relevant stakeholders from the organization. This can include those from the following departments: Legal, HR, Privacy, Finance, as well as those who handle personal data regularly (Marketing, IT, Sales, etc.).
Using sticky notes, have each stakeholder write one driver for the privacy program per sticky note. Examples include:
Create clear lines about how the organization uses data and who owns data
Clear and published privacy policy (internal)
Revised and relevant privacy notice (external)
Clarity around the best way to leverage and handle confidential data
How to ensure vendor compliance
Collect these and group together similar themes as they arise.
Discuss with the group what is being put on the list and clarify any unusual or unclear drivers.
Determine the priority of the drivers. While they are all undoubtedly important, it will be crucial to understand which are critical to the organization and need to be dealt with right away. For most, any obligation relating to an external regulation will become top priority. Noncompliance can result in serious fines and reputational damage.
Review the final priority of the drivers and confirm current status.
Input: Optional: Ask core team members to brainstorm a list of key privacy program drivers and objectives
Output: Documented list of privacy program drivers; Documented list of privacy objectives; Level-setting on understanding of privacy from core team
Materials: Whiteboard/Flip charts; Sticky Notes; Pen/Marker
Participants: Privacy officer; Senior management team; IT team lead/director; PMO or PMO representative; Core privacy team; InfoSec representative; IT representative

Understanding data privacy
A privacy program focuses on all personal data, whether it’s publicly available or private. This includes defining how the data is processed, creating notices and capturing consent, and protecting the data itself. An effective privacy program enables access to information based on regulatory guidance and appropriate control measures. See examples of personal data in the below charts:
Sensitive Personal Data (special categories of personal data; some regulations, like GDPR, expand their scope to include these): Biometrics data: retina scans, voice signatures, or facial geometry; Health information: patient identification number or health records; Ethnic origin; Political opinions; Religious or philosophical beliefs; Trade union membership; Sexual orientation
Traditional PII (personally identifiable information): Full name (if not common); Home address; Date of birth; Passport number; Social security number; Banking information; Etc.
Personal Data (any information relating to an identified or identifiable person): First, middle (if applicable), last name; IP address; Email address or other online identifier; Photograph; Social media post; Location data; Etc.

The current state of privacy framework
A perspective on the proliferation of privacy law.
Categories: Federal/National Privacy Regulation; Industry Privacy Regulation; Information Security Privacy Framework
GDPR: Cross-border data transfer safety and data privacy rights of EU citizens
CCPA: Consumer rights and consent to personal data use
PIPEDA: Privacy rights document for private sector organizations
HIPAA: National standard for privacy governance of health-specific documentation
GLBA: Federal law for financial institutions pertaining to customer data privacy
FERPA: Enforces data privacy and consent of students and their parents
NIST Privacy Framework 1.0: Privacy framework mapped across five functional areas that encourages proactive privacy planning
ISO/IEC 27701: Operational controls mapped against GDPR articles for organization's specific compliance requirements
Info-Tech’s Privacy Framework Tool includes a best-practice comparison of GDPR, CCPA, PIPEDA, HIPAA, and the newly released NIST Privacy Framework mapped to a set of operational privacy controls.

Data privacy and artificial intelligence
AI and HIPAA
HIPAA’s regulations under “Notices and Consent” state that “Individuals must provide written authorization for use and disclosure of any PHI that is not for treatment, payment, or healthcare operations (or other reasons listed in HIPAA).” HIPAA only applies to a subset of healthcare providers and, as a result, significant amounts of health-related information and data is being collected and leveraged through AI without explicit consent. Organizations that process personal health information not technically considered PHI (i.e. fitness applications, genetic testing companies) and leveraging AI applications must take appropriate precautions to adequately protect data.
AI and GDPR
Article 22(1) of the GDPR under “Automated Decision Making” states that “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” As a result, organizations leveraging AI technology must be able to validate and explain the process by which automated decisions are made to the respective data subjects. Article 6 of the GDPR outlines the requisite six “Lawful Bases” for processing; this must be defined for AI processes that leverage personal data.
AI and PIPEDA
Purpose of Collection – Once the purpose for which the information was collected has been fulfilled, PI should be disposed of. This limits aggregation of personal data to be used in building AI models. The OPC has released a set of eleven proposals that outline the ethical and appropriate use of AI in an extension to PIPEDA’s baseline guidance on personal data-processing activities. Proposal 9 emphasizes an organization’s requirement to “ensure data and algorithmic traceability related to data sets, processes, and decisions made during the AI system lifecycle.”

Review Info-Tech’s privacy framework
Leverage the 12 domains and subsequent privacy controls as a basis for your privacy program framework.
Domain: Definition
Governance: The overall governing of the privacy program, including the designation of a privacy officer, what constitutes personal and private data, and having a data classification scheme.
Regulatory Compliance: The mapping and tracking of regulatory obligations as they pertain to data privacy. Regulations have been one of the biggest drivers of privacy initiatives in recent years, and the ability to demonstrate compliance is essential.
Data Process and Handling: The documentation and process creation of how personal data is being collected and used, and for what purposes.
Incident Response: The plans outlining what actions need to take place in case of a data breach, including when to notify affected individuals and relevant authorities.
Privacy Risk Assessments: The building and use of assessments to determine how much privacy risk is associated with particular projects.
Notices and Consent: The use of notices to inform data subjects how their information is being used, with processes built in to capture their consent for how their information is collected, shared, and/or used.
Data Subject Requests: The establishment of processes that allow data subjects to make requests to delete, modify, or gain access to their data. This can correspond with rights guaranteed by various regulations.
Privacy by Design: The integration of privacy into all operations, particularly within systems and applications, to ensure privacy is the default throughout the entire process.

Review Info-Tech’s privacy framework
Domain: Definition
Information Security: The use of security controls to protect personal data.
Third-Party Management: The management of the privacy risks that exist when working with external third parties, vendors, and other entities, as they may process or interact with the personal data the organization holds.
Awareness and Training: The use of training to ensure that employees are aware of their privacy responsibilities, including the handling and use of personal data.
Program Measurement: The active measurement of the entire privacy program to demonstrate successes and weaknesses within the larger program. Can be used to communicate the status of the program with other stakeholders.
The framework also contains mapping to major privacy regulations, including GDPR, CCPA, HIPAA, PIPEDA, and NIST Privacy Framework.
Info-Tech Insight: This best-practice framework will force you to reevaluate your current operations and understand how to integrate privacy. To gain the most benefits from your privacy program, review and understand which domains are most critical to your operations and which you will want to put the most focus on. This will ensure that this framework works for you and builds a privacy program around your organization’s specific requirements.
Use Info-Tech’s Privacy Framework Tool to assess your privacy program maturity and build the roadmap.

Privacy by design is no longer a nice-to-have
Integrate the key principles behind privacy by design to embed privacy in the operations of the organization and minimize business disruption.
1. Proactive, not reactive; preventative, not remedial
2. Privacy as the default setting
3. Privacy embedded into design
4. Full functionality: positive-sum, not zero-sum
5. End-to-end security: full lifecycle protection
6. Visibility and transparency: keep it open
7. Respect for user privacy: keep it user-centric
Source: Cavoukian, “Privacy by Design,” Toronto Metropolitan University, n.d.
Get a head start on integrating data protection into the foundations of your projects and processes with Info-Tech's Demonstrate Data Protection by Design for IT Systems research.

Leverage data protection by design as a tactical approach
Data protection by design (DPbD) principles originate from privacy by design (PbD) but take a more actionable and direct approach to securing data.
1 Lawfulness, fairness, and transparency of processing
2 Purpose limitation (i.e. data is collected for specific purpose and not just in case it’s needed later)
3 Data minimization (i.e. collect the minimum data possible for smooth operations)
4 Data quality and accuracy
5 Storage limitation (i.e. not retained indefinitely)
6 Integrity and confidentiality
7 Accountability
Use Info-Tech’s Data Protection by Design Matrix to apply the concepts of DPbD and PbD to your business based on business process, IT systems, and application development.
Source: Cavoukian, “Privacy by Design,” Toronto Metropolitan University, n.d.

Case study: Data privacy versus AI
GoogleHealth and DeepMind versus Royal Free NHS Trust
Industry: Healthcare
Source: Medical Device Network, 2019; NewScientist, 2016
After its initial acquisition of the company, Google has recently confirmed full takeover of the health division of AI company DeepMind. This has incited an initial onslaught of concern from privacy professionals in the United Kingdom. DeepMind collected data from over 1.6 million UK patients through hospitals run by the Royal Free London NHS Trust in the years leading up to 2016. The data collection was done through the app Streams, which provided access to highly sensitive patient data for the past five years. Initially, this was deemed “unlawful” by the ICO and resulted in a set of task items for completion, including the completion of a privacy impact assessment as well as additional measures to promote transparency of processing to data subjects.
Based on this marred history, the 2019 Google acquisition as a part of GoogleHealth has spurred discussion around the role of data privacy and governing laws. Data subjects are to be made aware of what personal data types are being provided to the tech giant, as well as the parameters and details around how the data is being held and processed.
Data Protection by Design Principles
Lawfulness, fairness, and transparency of processing: Are data subjects whose data is being accessed made aware of what personal health information and personal data is being collected and subsequently processed by Google via Streams?
Purpose limitation (i.e. data is collected for specific purpose and not just in case it’s needed later): Can DeepMind reasonably demonstrate that data collected is being used only for the purposes explicitly stated within the Terms and Conditions of the application?
Integrity and confidentiality: Royal NHS Trust stated it applies relevant governance rules in how it provides and transfers patient data; does this align with governing regulations (GDPR)?
Accountability: Based on the role of controller and processor and relevant responsibilities, has a clear line of accountability been established by both GoogleHealth and Royal Free NHS Trust?

Phase 2 Phase 1 Identify Privacy Drivers for Your Business Phase 2 Evaluate AI Through a Privacy Lens This phase will walk you through the following activities: Define your AI drivers This phase involves the following participants: Senior management team IT team lead/director PMO or PMO representative Core innovation team InfoSec representative Evaluate AI Through a Privacy Lens Perform a PIA for Your AI Technology Phase 3 Assess Impact of AI Implementation and Controls

2.1 Define your AI drivers
1 hour
Bring together a small group of relevant stakeholders from the organization. This should be limited to those within an innovation team or IT/InfoSec team.
Identify the specific AI technology that the organization is looking to implement.
Using sticky notes, have each stakeholder write down one specific driving factor, or anticipated benefit, of the integration. These may vary from concerns about customers to the push of regulatory obligations.
Collect these and group together similar themes as they arise. Discuss with the group what is being put on the list and clarify any unusual or unclear drivers.
Next, discuss any potential privacy concerns based on the following:
- Industry
- Geographic location (federal or state-level privacy law)
- Special or sensitive types of data processed
- Customer/data subject expectations
Discuss privacy concerns and identify current mitigating measures in place (i.e. PIA, AIA, privacy program strategy) to address concerns.
Input: Ask stakeholders involved to perform the activity around a specific AI tech the organization is looking to implement
Output: Documented list of AI drivers; Documented list of operational objectives facilitated through AI; Level-setting on understanding of AI in the context of the organization from core team
Materials: Whiteboard/Flip Charts; Sticky Notes; Pen/Marker
Participants: Senior management team; IT team lead/director; PMO or PMO representative; Core innovation team; InfoSec representative

Understanding the types of AI
The role and possibilities associated with AI can be best understood through further examination of the various types of AI, both in their current and anticipated future format.
Artificial Narrow Intelligence: This type of AI emphasizes the completion of a singular task or resolution of a siloed issue. A key facet of this type of AI is its existence within a very specific set of parameters and, as such, a predetermined, controlled environment. Artificial narrow intelligence (ANI) is the type of AI that we are most familiar with at present date. Examples of ANI include speech recognition tools as well as voice assistants (e.g. Siri).
Artificial General Intelligence: AGI emphasizes a more broad-based approach to AI versus a singular task. There is an increased level of efficiency overall that differentiates AGI from ANI. AGI can improve upon past iterations of itself through directed learning. The environment within which AGI occurs is not controlled/monitored to the extent of ANI. This is the next step; AI in its current form has not yet arrived here.
Artificial Super Intelligence: We associate this type of AI with media and science fiction. This encompasses a version of AI where machines are more intelligent, powerful, and advanced. Artificial super intelligence (ASI) surpasses boundaries put in place by the human mind, including the ability to fathom and process concepts that are beyond human mental capacity. Currently, ASI does not exist, and poses significant ethical questions for future implementation.

Beyond the surface of AI
Type 1 Capability-focused AI
STRONG AI: Describes AI that can perform more advanced tasks with the capacity, or to the same extent, of a human being. It has the ability to amalgamate past experiences as learnings to progress forward. The more closely AI emulates human capabilities, the stronger it becomes.
WEAK AI: Focuses on performing one singular task. This type of AI requires human input to arrive at an output. Weak AI becomes the input for Strong AI, when it is repeated.
REACTIVE MACHINES: This is a more limited form of Type 2 AI, as it describes AI that does not learn based on past experiences but simply responds and reacts based on specific stimuli.
LIMITED MEMORY: Builds upon the foundation of reactive machines to now leverage past experiences, or historical data, to perform tasks. Modern examples of AI fall under this category.
THEORY OF MIND: This type of AI falls into the category of “conceptual,” and refers to the next iteration of capabilities in understanding and interpreting emotions, thoughts, and social interactions.
SELF-AWARENESS: Progressing one step beyond Theory of Mind, Self-Awareness hypothesizes the capability of AI to develop emotions, feelings, philosophies, and opinions of its own.
Source: Forbes, 2019

Advantages of AI
Artificial intelligence is no longer limited to sci-fi and big tech.
The term “artificial intelligence” was first coined to describe what scientists had come to explore through the concepts of thinking machines. Over the subsequent decades, AI has developed far beyond its initial sci-fi roots of doomsday robots taking over the world to a field under the larger umbrella of computer science. AI has been deployed across a wide spectrum of organizations, generally with one of the following objectives:
- Enable machines to perform the activities of humans.
- Enable machines to think and reason as humans do.
- Enable machines to think and work without relying on human reasoning.
One of the subsets of AI has become increasingly leveraged by larger organizations looking to build intelligent systems and capabilities from data; this is widely known as machine learning.
“What AI is offering is fantastic, we just have to be able to define the proper control mechanisms to go in the right direction.” – Carlos Chalico, Partner, Privacy & Data Trust at EY Canada

The AI and data privacy conundrum
An increase in the commoditization of data has resulted in heavy scrutiny around the use of personal data as a part of developing AI technologies.
“Each time someone goes to use a large dataset the question is going to be: do we understand what the outcomes are, are they respectful of rights of individuals and their expectations?” – Constantine Karbaliotis, Privacy Counsel at nNovation LLP
Data Privacy
- Encourages the principle of data minimization: collecting and retaining the least amount of personal data possible.
- Enforces ownership and jurisdiction over data to the data subject rather than the enterprise.
- Establishes clarity and certainty around data subjects knowing all potential uses of their personal data.
Artificial Intelligence
- Built on the ability to leverage as much data as possible to increase accuracy and relevance of the model.
- Favors the organization’s business intelligence and data strategy as the decision makers around use of data.
- Promotes a vast number of potential permutations of data elements as well as objective outputs.
Intelligent optimization of existing business processes. Protection of data subjects’ personal data. Improved brand reputation. Explainable, transparent, privacy-centric business process efficiencies.

AI is no longer limited to tech companies; businesses globally have introduced AI technologies into their daily operating models. Financial Services Retail Healthcare Manufacturing Industry use cases for AI Sales and CRM applications Customer recommendations Manufacturing Logistics and delivery Payments and payment services Assembly line integration Supply chain management Automated QA Predictive maintenance Diagnostics Clinical trials Improvements in patient experience Robotic assistance in surgical procedures Disease management Fraud detection Regulatory compliance Automated customer service offerings Financing and loans Internal audit Info-Tech Insight Learn from those who paved the way before you. Once you've determined your organization's privacy strategy, analyze various use cases specific to your industry. Assess how leaders in your sector have incorporated AI technology with privacy considerations, successfully or unsuccessfully. Draw from both sets of results and strategies to get your organization ready while eliminating unsuitable use cases.

Industry case study: Financial services
JPMorgan Chase
Industry: Financial Services
Source: “AI in Banking,” Emerj, 2020; imaginovation, 2019
A major player in the financial services industry, JPMorgan Chase used a significant increase in its technology budget to take advantage of the unique ways that AI is leveraged in this industry:
- Contract Intelligence (COiN)
- Emerging Opportunities Engine (Predictive Analytics)
- Chatbots
Results
Since introducing the COiN chatbot, the business has been able to reduce manual review processes for commercial credit agreements. The success of the chatbot feature enabled reduction in service desk hours spent on responding to employee tech service requests.
Between 2017 and 2018 the company’s technology budget increased from $9.5 billion to $10.8 billion, over $5 billion of which was dedicated to new fintech investments, compared to roughly $3 billion in 2017.
360,000: Hours per year spent on tasks such as interpreting commercial loan agreements reduced through the COiN implementation in 2017.
The COiN infrastructure leverages unsupervised machine learning, necessitating minimal human interaction throughout its lifecycle post-deployment.
67% Source: “AI in Banking,” Emerj, 2020
Sources: CIO Dive, 2019; PR Newswire, 2018

Industry case study: Retail
The North Face and IBM Watson
Industry: Retail
Source: “AI in Retail,” Emerj, 2020; Marketing Magazine, 2016
Outdoor apparel brand The North Face integrated expert personal shoppers (XPS) software, which leverages the well-known tech giant IBM’s Watson for its eCommerce customer engagement capabilities. Watson’s machine learning cognitive computing technology has been used by retailers globally to help streamline the customer purchase experience.
Why? Online retailers face a large problem when it comes to the number of shopping carts that are left orphaned prior to purchase completion. The intention was that through an interactive UI and customized shopping experience, the rate of carts left unpaid for at the end of a shopper’s journey would be vastly reduced.
Results
The technology assisted customers in selecting the best jacket for their purposes, using a range of inputs including location, activity, and lifestyle preferences. Though the initial pilot program boasted click-through rates of 60% and sales conversions of 75%, the integration showed its infancy in errors such as the customer’s final selected item not being available in the requisite size.
The above image shows the user interface leveraged by The North Face to streamline the customer experience through a set of qualifying questions that helped determine the ideal outerwear jacket. Source: “AI in Retail,” Emerj, 2020

Industry case study: Healthcare
Vermont Conversation Lab
Industry: Healthcare
Source: The University of Vermont, 2019; Quartz, 2019
Machine learning and natural language processing were used to assess the conversation techniques used during both caregiver/doctor to patient conversations, as well as clinical consultations for palliative care patients. Bob Gramling and a supporting team undertook the task of studying palliative care conversation patterns in efforts to better understand the impact of communication within the end-of-life patient journey. This included analyzing emotions conveyed in conversations, silence and moments of pause, and resulting reactions from patients. The intent of this study was to use AI to automatically detect the emotional connection that occurs between doctors and patients to better train medical professionals in the field of palliative care.
Results
The machine learning project resulted in the collection of over 12,000 minutes of palliative care patient conversations, consisting of 1.2 million words from 231 patients. The NLP palliative care consultations project collected over 350 conversations from the Palliative Care Communication Research Institute.
$8.6 billion: In projected revenue generated through the use of 22 healthcare AI tools by 2025. Source: Tractica, 2018
$34 billion: Revenue opportunity for the healthcare AI market by 2025.
The top three use cases for healthcare AI: Medical Image Analysis; Computational Drug Discovery; Healthcare VDAs

Artificial intelligence in action
There are many ways in which we can break down AI, including the following commonly known subsets.
Machine Learning (ML): ML uses algorithms and data to assist computers in learning tasks or performing functions, without necessitating specific programming parameters. It includes supervised, unsupervised, reinforced, and deep learning.
Natural Language Processing (NLP): NLP focuses on the study and analysis of linguistics as well as other principles of AI to create an effective method of communication between humans and machines or computers.
Robotic Process Automation (RPA): The focus of RPA is to drive business efficiency through automation of low-skills, tedious operational tasks, enabling focus to high-skills tasks, while reducing human errors.
Generative AI (Gen AI): This subset of AI is focused on generating text, images, music, or even entire human-like conversations. These are designed to produce new, original data by learning patterns from existing datasets.
Computer Vision: Computer vision moves beyond simply translating a group of pixels into a corresponding image. It incorporates classification and segmentation of images.

Machine learning in the context of data privacy
Machine learning you know
Fraud Detection – Major financial services companies leverage machine learning to help strengthen fraud detection and prevention services by analyzing large volumes of user transactions.
Online Shopping Services – The suggestions or product sales advertisements you may be presented with each time you shop online are examples of machine learning used in assessing behavioral buying patterns and suggesting items for purchase based on this data.
Product Development – Retailers from across industries (food and beverage, CPGs, games and electronics) rely on machine learning capabilities to drive the creation of new product types by assessing large quantities of past product and service information to generate insights for future offerings.
Machine Learning and Data Privacy
Machine learning relies heavily on the input of large amounts of data to obtain an accurate picture of how to better perform specific tasks or actions. The larger the subset of data, the more effectively tasks can be baked into the capabilities of a device or application driven by machine learning. Data privacy, however, is based on the principles of minimizing the amount of data kept on hand and ensuring that time constraints are always applied when processing personal data. This complicates an effective marriage of these two principles. However, data protection can be achieved through the application of appropriate mitigating controls.
Data Privacy Considerations
1 Centralization of data – If all data used is stored in a central repository, control over access, retention, storage, etc. can be achieved and monitored. In the same vein, centralization of data leads to potential issues around who is monitoring and controlling the standards by which the data is handled.
2 Data bias – Automated decision-making techniques that leverage machine learning must be vetted to ensure that there is no bias in the data sets from which they are trained. The ethical limitations in machine learning are denoted in regulations including the GDPR (Article 22).
Source: Forbes, 2018

NLP in the context of data privacy
Natural language processing you know
Speech Recognition – Smart speakers and sound systems such as the Amazon Echo, Siri, and Google Assistant use NLP capabilities to break down the vocal commands provided and then output a correlating responsive action. Other examples of this include verification methods for financial services institutions (e.g. voice recognition).
Language Translation Services – Applications such as Babelfish and Google Translate help the world remain connected by using machine translation to bridge the language gap.
Input Submission Forms – Analyzes text to enable end users to quickly fill in online submission forms.
Email Filters and Analysis – The handy assistant in ensuring spam messages don’t crowd our inbox; NLP enables us to apply rules and filtration settings to our email accounts based on message preferences.
Natural Language Processing and Data Privacy
Regardless of the unstructured data contained within voice recordings, the fact that an application and its subsequent administrators have unfettered access to an individual’s vocal recordings presents a concern from a data privacy standpoint. The privacy implications of using voice as a biometric identifier, even in the context of enhancing security measures around account verification or assisted services, must be considered. In the context of text processing, any unstructured data used as a part of the model training process that contains personal data must be properly handled and is subject to best practices as per governing data privacy law.
NLP (+)
As it has undergone significant advancements and adaptations, NLP is increasingly leveraged to add a layer of security in user access accounts. This often takes the form of chatbots or automated voice recognition. NLP can be used to help identify malicious phishing attackers through the analysis of relevant text-based profiles.
NLP (−)
Deployed with the wrong intent, NLP holds damaging potential, and its full spectrum of use cases must be carefully assessed. For example, it has the capability to mimic audio inputs and use them for false outputs (impersonations). NLP can be applied in both helpful and harmful ways; a fact that must be considered when designing data protection measures.

RPA in the context of data privacy
Robotic process automation you know
Insurance Claims and Renewal Services – RPA plays a significant role in the financial services industry, guiding automated decision-making processes involved in insurance claims, underwriting, and in credit and loan application processing.
Retail Inquiries – Many of the less complex tasks involved in retail processing (e.g. customer item returns or general purchase inquiries) are often handed off when RPA is integrated into a retail organization’s breadth of tech tools.
Call Centers – In a similar vein as retail inquiries, general or common audio questions can be handled by RPA technology. When the query or subject matter becomes more complex to resolve, RPA rolls up the currently captured data and passes it on to a human call center agent to continue the process.
Service Desk – Current software applications for service desk technology often incorporate the use of RPA to facilitate initial customer or user interaction and queries.
RPA and Data Privacy
Much of the data that RPA processes to carry out tasks listed above includes sensitive personal data (financial information, health information, demographics, and living details) and is aggregated in large form. This data may reside in a predetermined knowledge repository, which is both invaluable to the successful implementation of RPA and a potential Achilles’ heel from a privacy perspective should the appropriate security and privacy controls fail to be put into place to maintain the contents of the repository.
Top barriers to RPA adoption are process fragmentation, lack of a clear vision, lack of IT readiness, and resistance to change.
74% of surveyed organizations are already implementing RPA into their operating models. Source: Deloitte Insights, 2022
31% cost reduction due to streamlined technology, infrastructure, and cybersecurity through RPA integration.

Computer vision in the context of data privacy
Computer vision you know
Autonomous Vehicles – Leveraged by high-tech automobile manufacturers such as Tesla, computer vision drives the translation between objects identified in environmental observation in order to ensure vehicles can safely navigate their external surroundings.
Facial Recognition – A favorite of social media giants for innocuous uses such as mock aging, facial recognition technology has recently come under fire for its use by the police and other security enforcement workers.
Healthcare – Medical professionals are relying on computer vision to help in analysis of X-rays, physical scans and imaging, as well as in predictive diagnostics in a variety of areas (cardiac, pediatrics, neurology, etc.).
Computer Vision and Data Privacy
Much of the content produced through computer vision (e.g. medical imaging) contains sensitive personal data and must meet the criteria of applicable governing data privacy regulations. The collection of data processed must be done with the intent of a specific purpose versus accumulation of data or information. Those in charge of the collection must ensure that all pieces of data collected are directly relevant to the defined purpose for collection. While in the context of medical procedures the purpose and resulting need for data collection may seem obvious, this will likely not be the case for all computer vision use cases.
$82.1 billion as an estimated value of the Computer Vision & Hardware market by 2032. Source: Allied Market Research, 2023
Data Privacy Considerations
Anonymization/Pseudonymization – Can the information contained be further de-identified so that it does not track to an individual?
Data Transfer Agreements – Are defined standards in place for how data obtained is shared between parties?
Data Storage – Is data stored in secure environments and do procedures exist around storage periods?
Lawful Bases – Have you obtained consent and, if not, what is your purpose for processing?

Generative AI in the context of data privacy
The next step in harnessing the power of AI, generative AI, combines the capabilities of machine learning, natural language processing, and even computer vision to process data as humans would.
Generative AI you may know
ChatGPT – Developed by OpenAI, ChatGPT is a chatbot that utilizes a large language model to engage in conversation. It’s capable of producing text responses that mimic human conversation, answering various questions, discussing a wide range of topics, and crafting creative written pieces. However, it’s worth noting that it can occasionally produce answers that sound plausible but are either incorrect or nonsensical.
BERT – BERT (Bidirectional Encoder Representations from Transformers) is a neural network-based technique for NLP pretraining developed by Google. It was pretrained on two tasks: language modeling and next sentence prediction. It has become a standard in NLP experiments and is used to understand queries and provide helpful information from the web.
Generative AI and Data Privacy
Generative AI models, which require large amounts of data, can pose privacy risks if the data, potentially including personal or sensitive information, is not properly protected. This could lead to unauthorized access or misuse of personal information. Therefore, companies interested in the technology need to invest in privacy, enhance their skills in algorithmic auditing, and incorporate privacy and security by design methodologies.
PETs for Generative AI
Homomorphic Encryption: Type of encryption where data is encrypted and sent from one party to a receiving party who can use the data without needing to decrypt it.
Differential Privacy: Quantitative privacy metric that determines how much private data needs to be revealed to validate access to specific data. Often a key criterion of data-protection methodology.
Federated Learning: Federated learning is a method in machine learning where a model is trained across numerous decentralized devices or servers which hold local data samples separately, without the need to share them. This approach can assist businesses in training a model across their distributed data sources while maintaining privacy.

Phase 3 Phase 1 Identify Privacy Drivers for Your Business Phase 2 Evaluate AI Through a Privacy Lens This phase will walk you through the following activities: Assessing the privacy implications of implementing AI technology This phase involves the following participants: Privacy officer Senior management team IT team lead/director PMO or PMO representative Core privacy team InfoSec representative Assess Impact of AI Implementation and Controls Perform a PIA for Your AI Technology Phase 3 Assess Impact of AI Implementation and Controls

3.1 Complete PIA for high-risk AI systems
A privacy impact assessment is used to assess how much personal data will be affected by planned processing activities. A PIA can help to identify whether data processing via AI systems is compliant with data protection regulations and whether data processors are cognizant of the risks surrounding the processing of personal data.
Work through the dynamic questionnaire within the PIA tool.
Complete one threshold assessment per AI system. Based on the recommendation and risk score, move to complete the PIA.
Complete either a lite or full version of the PIA, based on the nature of processing and risk score. Involve the process owner (project owner), the process reviewer (project reviewer), and any other relevant stakeholder (e.g. technical implementation lead).
Refer to the results report (tab 4) to review each of the priority processes and subsequent next steps toward compliance.
Discuss results with team. How will this impact compliance moving forward? How does this impact the environment and process around AI tech integration surrounding assumed risk and transparency?
Input: Outputs identified in activities 1.1 and 2.1
Output: Analysis of high-risk business processes; Understanding of impact of data involved in processing activities
Materials: Privacy Impact Assessment Tool
Participants: Privacy officer; Senior management team; IT team lead/director; PMO or PMO representative; Core privacy team; InfoSec representative

Identify the business data inputs for a privacy-centric integration
“Garbage in, garbage out” dictates that high-quality data breeds effective AI integration.
Data Governance + Data Privacy = Privacy-Centric AI
Data Governance: Organizations continue to hold more data on hand. However, they are often unable to harness the power and insights from this quantity of data due to a lack of formal governance structure. Data governance enables data-driven insight through structured processes.
Data Privacy: Beyond the initial classification of data comes the privacy implications. By understanding the relevant requirements for data in scope of privacy regulations, organizations protect against the risk of infringing upon privacy law.
Privacy-Centric AI: Effective AI implementation isn’t just a product of effective data governance or a strong privacy program. A comprehensive understanding of the “where” and “what” of your data, coupled with an understanding of the privacy environment, creates the foundation for responsible, privacy-centric AI.

Data governance as an enabler of AI
Integrity, quality, and security of data are key outputs of data governance programs, as well as prerequisites for effective AI.
Data governance focuses on creating accountability at the internal and external stakeholder level, and establishing a set of data controls in place, from a technical, process, or policy perspective. Without a data governance framework, it is increasingly difficult to harness the power of AI integration in a responsible and business-specific manner.
57% of surveyed organizations are investing in data governance tools to enhance business intelligence and analytics capabilities.
74% of surveyed organizations are investing in data governance technologies to improve data quality.
50% of surveyed organizations are measuring the value of data governance through reduced time for insight generation.
Source: Zaloni and DATAVERSITY, 2021
Data Governance in Action
Canada has recently released the Canadian Data Governance Standardization Roadmap governed by the Standards Council of Canada. Its purpose is multipronged, as it:
- Examines the foundational elements of data governance (privacy, cybersecurity, ethics, etc.).
- Lays out standards for data quality and data collection best practices.
- Examines infrastructure of IT systems to support data access and sharing.
- Focuses on data analytics and commercialization to promote effective and responsible AI solutions.
Source: Government of Canada, 2021

Align your data governance structure to Info-Tech’s methodology
Data governance can be thought of as the engine that enables your data to be transformed into the power needed to drive your organization up the data value chain.
1 Fuel In: The data governance engine of an organization requires substantial data, information, and business-needs inputs.
2 Core Data Governance Functions: These core inputs then set into motion the business’ data architecture, data quality, master and reference data management, and policies and procedures.
3 Organization: The resulting deliverables from this empower the organization’s people to take appropriate governing actions through a set of data policies, procedures, and a communication plan.
4 Power Out: Once put into action, these deliverables incite motion up the data value chain.
Download Info-Tech’s Establish Data Governance

Operational augmentation with data governance

AI drives business value through analysis and insight.

AI focuses on driving improvements in efficiencies within operational processes that already exist in the business context. The proliferation of AI is built on the collection and analysis of mass amounts of data and the ability to synthesize this data to create learning models. “Good” or effective AI requires data inputs that are reliable, valid, and of high volume to derive accurate and representative models. As a result, there exists a strong link between AI and data science and data analytics.

It is imperative that organizations looking to leverage AI within the context of their operations have a strong understanding of the data environment. This requires IT and business leaders to take a step back and reexamine the current environment from the perspective of “what do we have, where is it located, and how can we use it?” before leaping too far down the AI rabbit hole.

“There’s going to be reaction against overly intrusive or creepy uses of personal data. So, the responsibility of the organization is to consider how data processing will be perceived. The point of a PIA is to help ensure success in use of the technology.” – Constantine Karbaliotis, Privacy Counsel at nNovation LLP

Download this research
For an in-depth perspective on the field of AI and its role in business, refer to Info-Tech’s research Get Started With Artificial Intelligence.

Ungoverned AI makes organizations vulnerable

AI is often considered a black box for decision making. Results generated from unexplainable AI applications are extremely difficult to evaluate. This makes organizations vulnerable and exposes them to risks such as:
Biased algorithms, leading to inaccurate decision making.
Missed business opportunities due to misleading reports or business analyses.
Legal and regulatory consequences that may lead to significant financial repercussions.
Reputational damage and significant loss of trust with increasingly knowledgeable consumers.

Download this research
For a more in-depth perspective on building responsible, ethical, fair, and transparent AI, refer to Info-Tech’s research Govern the Use of AI Responsibly With a Fit-for-Purpose Structure.

Build a successful relationship between governance and AI

“Privacy architecture of the final product should fit in with overall technology and data architecture.” – Amalia Barthel, Lecturer and Advisor, University of Toronto

90% of organizations admit they could improve their understanding of data security, privacy, and access. Source: Forbes, 2023
89% of organizations reported missing business opportunities because of data access bottlenecks. Source: Forbes, 2023
Only 27% of executives say their organization will invest in security safeguards for AI. Source: PwC, 2023

Info-Tech Insight
Prioritize data privacy as an integral part of your organization's values, operations, and technologies in the AI-driven future. This approach is essential for responsible AI implementation. It will offer insight and awareness for aligning AI with your current processes, data landscape, regulatory requirements, and future goals. A privacy-centric approach will enable your technology to achieve compliance and trust. Embrace the future of AI where data privacy and security is not a challenge but a priority, and aligned with your organization’s core values, business processes, and technologies.

Let PETs help: Role of federated learning in privacy-centric machine learning

When applied, federated machine learning, or federated learning, adds a layer of effective data protection in the context of AI and machine learning. Centralization of large amounts of data has been a standard requirement of machine learning environments in order to train the model. Federated learning decentralizes traditional machine learning methodology by facilitating algorithmic learning over multiple devices. This model promotes principles of data protection and privacy by creating a framework in which the devices do not exchange or share any data.

Federated Learning Model
This model shows the relationship between a single data subject (1.) and the distributed shared model (4.). The single data subject processes data from the current model and then provides an improved version in the form of an updated iteration. This creates an iterative model of machine learning without ever relying on sending information back to a centralized location, as each individual data subject retains the initial input data, and only provides as output an updated or revised version.
Image adapted from Google Research, 2017
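The iterative loop described on this slide can be sketched as federated averaging over a small linear model. This is an added example, not code from the deck or from Google Research; the function names, the three constructed client data sets, and the learning rate are assumptions chosen for illustration.

```python
import random

def local_update(weights, data, lr=0.05, epochs=5):
    """Runs on the device: a few gradient-descent passes over local data only."""
    w, b = weights
    n = len(data)
    for _ in range(epochs):
        grad_w = grad_b = 0.0
        for x, y in data:
            err = (w * x + b) - y
            grad_w += err * x
            grad_b += err
        w -= lr * grad_w / n
        b -= lr * grad_b / n
    # Only the revised model and a sample count leave the device.
    return (w, b), n

def federated_average(updates):
    """Runs on the server: receives (weights, sample_count) pairs, never records."""
    total = sum(n for _, n in updates)
    w = sum(wt[0] * n for wt, n in updates) / total
    b = sum(wt[1] * n for wt, n in updates) / total
    return (w, b)

def make_client_data(rng, n, true_w=2.0, true_b=-1.0):
    """Constructed sample data: noisy points on y = 2x - 1, held by one device."""
    data = []
    for _ in range(n):
        x = rng.uniform(-1.0, 1.0)
        data.append((x, true_w * x + true_b + rng.gauss(0.0, 0.05)))
    return data

def run_federated_training(rounds=200, seed=7):
    rng = random.Random(seed)
    clients = [make_client_data(rng, n) for n in (20, 35, 50)]
    global_weights = (0.0, 0.0)  # the shared model every device starts from
    for _ in range(rounds):
        # Each device improves the current shared model on its own data.
        updates = [local_update(global_weights, d) for d in clients]
        # The server combines the updates, weighted by how much data each saw.
        global_weights = federated_average(updates)
    return global_weights

if __name__ == "__main__":
    print(run_federated_training())
```

The server function never takes a data record as input, which is the property the slide describes. Model updates can still carry information about the local data, so federated learning is commonly paired with further protections such as differential privacy.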

Understanding differential privacy

As a formal data privacy model, differential privacy enables organizations to process and use high volumes of sensitive data for business purposes (legitimate interest, as per the GDPR’s Lawful Basis), without infringing upon privacy laws. It is a “mathematical definition of privacy in the context of statistical and machine learning analysis, which quantitatively fulfills many of the requirements of analysis and processing of sensitive personal data.” [1]

A differential privacy analysis protects personal data by ensuring that an algorithm’s output does not show any sign of a specific data subject’s information as a part of the input data set. There is a broad spectrum of cross-industry uses for differential privacy. For example, tech giant Apple applies privacy at scale in an effort to better understand user patterns without putting user privacy at risk. Concerns around the limitations of methods such as de-identification in the context of data breaches are put at ease through differential privacy, as it guarantees that an individual data subject’s details cannot be leaked. Differential privacy plays a crucial role in ensuring AI technology does not cross ethical boundaries when it comes to data processing.

“Differential privacy makes it possible for tech companies to collect and share aggregate information about user habits, while maintaining the privacy of individual users.” – The Conversation, 2018

[1] Vanderbilt Journal of Entertainment & Technology Law, 2018
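To make the "output does not show any sign of a specific data subject" property concrete, the added example below (not from the deck or its sources) releases a count with the Laplace mechanism and measures how far the output distribution can shift when one person is removed. The patient records, the epsilon values, and all function names are constructed for illustration.

```python
import math
import random

# Constructed sample records (not real data): one row per data subject.
PATIENTS = [{"id": i, "diabetic": i % 4 == 0} for i in range(200)]

def laplace_noise(scale, rng):
    """Laplace(0, scale) sample: the difference of two exponential draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def true_count(records, predicate):
    return sum(1 for r in records if predicate(r))

def private_count(records, predicate, epsilon, rng):
    """Release a count under epsilon-differential privacy.

    One person joining or leaving changes a count by at most 1
    (sensitivity 1), so the noise scale is 1 / epsilon.
    Illustrative only: production systems should use a vetted DP library.
    """
    return true_count(records, predicate) + laplace_noise(1.0 / epsilon, rng)

def laplace_log_density(x, centre, scale):
    return -abs(x - centre) / scale - math.log(2.0 * scale)

def worst_case_privacy_loss(count_a, count_b, epsilon, outputs):
    """Largest |log ratio| of the two output densities over `outputs`."""
    scale = 1.0 / epsilon
    return max(
        abs(laplace_log_density(o, count_a, scale)
            - laplace_log_density(o, count_b, scale))
        for o in outputs
    )

def compare_neighbours(epsilon=0.5, seed=11):
    """Run the same query on two data sets that differ by one person."""
    rng = random.Random(seed)
    is_diabetic = lambda r: r["diabetic"]
    with_subject = PATIENTS
    without_subject = [r for r in PATIENTS if r["id"] != 0]  # id 0 is diabetic
    count_a = true_count(with_subject, is_diabetic)
    count_b = true_count(without_subject, is_diabetic)
    grid = [x / 2.0 for x in range(-100, 300)]  # candidate released values
    return {
        "count_with": count_a,
        "count_without": count_b,
        "release": private_count(with_subject, is_diabetic, epsilon, rng),
        "privacy_loss": worst_case_privacy_loss(count_a, count_b, epsilon, grid),
    }

if __name__ == "__main__":
    print(compare_neighbours())
```

The measured privacy loss never exceeds epsilon, so any released value is almost as likely with the person's record as without it. A smaller epsilon tightens that bound at the cost of a noisier count.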

Leverage synthetic data The value of synthetic data lies in its unique ability to produce features tailored to specific requirements or situations that may not be found in real-world data. It becomes an essential tool when there’s a shortage of data for testing purposes or when the preservation of privacy is of utmost importance. Synthetic data provides a way for data professionals to use centrally stored data while still ensuring the data’s confidentiality. It can replicate the essential characteristics of real data without revealing its actual content, thereby maintaining privacy. In the medical and healthcare industry, synthetic data is employed to simulate certain scenarios and conditions for which no real data exists. Autonomous vehicles, such as those developed by Uber and Google, leverage synthetic data for training their machine learning-based systems. In the financial industry, where safeguarding against fraud is critical, synthetic data is used to study and understand new types of fraudulent activities. Synthetic data does not represent real-world events or objects. It’s a powerful tool for data science and AI. Source: Towards Data Science, 2021 “Synthetic data is created by taking an original (real) dataset and then building a model to characterize the distributions and relationships in that data.” – IAPP, 2020

Algorithmic impact assessment

Perform an algorithmic impact assessment (AIA) to validate the accountability of deployed AI technology’s algorithmic decision.

Data protection regulations such as the GDPR aim to address the issues of profiling and automated decision making through accountability and a set of recommended frameworks; the AIA is one of these tools. Article 35 of the GDPR outlines impact assessments as a feature toolset that organizations may leverage to ensure a degree of transparency and algorithmic accountability when AI is used in processes that involve sensitive or personal data. Impact assessments have taken the form of privacy impact assessments as well as surveillance impact assessments; both are predecessors to the current AIA.

Canada’s AIA is open source and released for general use under an MIT license, with the objective of minimizing risks through identification of overall impact that deployment of an automated decision-making system will have. The assessment takes the form of 60 questions to determine the impact level to the business based on business processes, input data, and resulting output decisions.
Source: Government of Canada, 2023

Info-Tech Insight
Define the objective. AIAs are powerful tools in establishing transparency in areas that were previously opaque. It helps to define what objective your organization aims to achieve in conducting an AIA, for which data subject group, and across which systems.

Privacy impact assessment

Understand the importance of the privacy impact assessment (PIA) tool in validating high-risk data-processing activities.

A PIA is used to assess how much personal data will be affected by planned processing activities. A PIA ensures both that data-processing activities are compliant with data protection regulations and that data processors are cognizant of the risks surrounding the processing of personal data.

A Threshold Analysis determines whether a PIA is necessary.
A PIA validates whether personal data processing poses any regulatory, compliance, or reputational risk, based on a set of qualifying questions and criteria.

Info-Tech’s PIA tool can be completed in a lite or full version based on the nature of the process. Involve relevant stakeholders (project owner, project reviewer, technical lead, etc.) throughout the assessment for oversight and validation of results.

Download this tool
To perform a PIA on AI systems, download Info-Tech's PIA tool.

Connect the pieces of your data privacy foundation

Review Info-Tech’s research in the following domains to finalize your organization’s data posture.

Data Governance
Build a collaborative data governance plan
Develop the data governance implementation roadmap
Drive the data governance program

Data Privacy
Collect privacy requirements
Conduct a privacy gap analysis
Build the privacy roadmap
Implement and operationalize

Privacy Framework tool
Data Governance Requirements Gathering Tool
Data Governance Initiative Planning and Roadmap Tool

You’ve officially made your plan for implementing AI technologies privacy-centric. IT implementation in even the simplest of cases is often multilayered. With the advent of privacy from both a regulatory and governance perspective, as well as increased scrutiny and expectations from consumers and data subjects, both the business and IT are faced with restrictions before they even begin to think about implementation. By taking a privacy-centric approach that is focused on knowing what data the organization has and its impact on the business, as well as the data subjects it involves, you create the framework for AI technology implementation that meets the baseline standards around data privacy and protection. Not only are you compliant, but you’ve built a foundation for AI integration that supports the needs of your organization and data subjects.

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Define Your AI Drivers
During this activity, an Info-Tech analyst will guide discussions around potential AI technologies that the business is looking to implement along with potential privacy implications.

Define Your Privacy Drivers
At this point in the project, an Info-Tech analyst will assist the team in streamlining the key data privacy drivers and concerns that the business and IT face.

Contact your account representative for more information.
1-888-670-8889

Related Info-Tech Research

Get Started With Artificial Intelligence
Understand what AI really means in practice. Learn what others are doing in your industry to leverage AI technologies for a competitive advantage. Determine the use cases that best apply to your situation for maximum value from AI in your environment. Define your first AI proof-of-concept (PoC) project to start exploring what AI can do for you.

Build a Data Privacy Program
Integrate privacy into the organization to ensure that personal data is only being collected for legitimate reasons and to minimize the impact of a potential breach. Further, it will push the organization forward in terms of efficiency and customer trust, as there is growing privacy demand from all types of customers. Use Info-Tech’s privacy framework to understand your current state of privacy and to define what the target state looks like for the organization.

Establish Data Governance
Gather requirements for your data governance program by interviewing key stakeholders and identifying prevalent, data-related pains. Understand how data is created, used, and curated throughout the enterprise to gain a high-level perspective of data requirements. Identify the organization’s current state of data governance capability along with the target state; identify the gaps, and then define solutions across a balance of planning and control activities to fill those gaps. Ensure business initiatives are woven into the mix. Create a comprehensive roadmap to prioritize initiatives and delineate responsibilities among data stewards, data owners, and members of the data governance steering committee.

Constantine Karbaliotis, Counsel, nNovation LLP
“Part of the problem is that [AI] is a moving target, but we can be creative in terms of how we approach it. We can’t shy away from the use of AI but leverage the best tools we have, to understand what the consequences are.”

Carlos Chalico, Partner – Privacy & Data Trust, EY Canada
“Ethical use of personal information is imperative. It is a challenge that deserves attention. Companies that are moving aggressively on AI should pay attention to this matter.”

Amalia Barthel, Lecturer and Advisor, University of Toronto
“Keep in mind that bespoke AI solutions may have obtained data through scraping (which is unlawful) and it is a black box to you, the Organization. The same may apply to generative AI but it depends on the use.”

Bibliography

"2022 AI Business Survey." PwC, 2022. Accessed Oct. 2023.
"The 2022 State Of Cloud Data Governance." Zaloni and DATAVERSITY, 2021. Accessed Oct. 2023.
"7 Foundational Principles." Information and Privacy Commissioner of Ontario (IPC), n.d.
"AI Systems Compliance: Other Guides, Tools and Best Practices." CNIL, 21 Sept 2022. Accessed Oct. 2023.
"Algorithmic Impact Assessment Tool." Government of Canada, 25 April 2023. Accessed Sept. 2023.
"Artificial Intelligence Risk Management Framework (AI RMF 1.0)." NIST, Jan. 2023. Accessed Oct. 2023.
"Audit Requirements for Personal Data Processing Activities Involving AI." AEPD, Jan. 2021. Accessed Oct. 2023.
Bernhardt, Judith, et al. "Office 365 Data Subject Requests under the GDPR and CCPA - Microsoft GDPR." Microsoft Learn, 2 Feb 2024.
Brown, Dan, and Daniel Simpson. "Data, Privacy, and Security for Microsoft Copilot for Microsoft 365." Microsoft Learn, 22 Feb. 2024.
Cavoukian, Ann. "Privacy by Design The 7 Foundational Principles." Toronto Metropolitan University, n.d. Accessed Sept. 2023.
"Computer Vision Market Research, 2023." Allied Market Research, Sept. 2023. Accessed Oct. 2023.
"A C-suite united on cyber-ready futures: Findings from the 2023 Global Digital Trust Insights." PWC, 2023. Accessed Oct. 2023.
Drenik, Gary. "Data Security & Privacy Trends For 2023." Forbes, 2 Feb. 2023. Accessed Oct. 2023.
El Emam, Khaled. "Accelerating AI with synthetic data." IAPP. 26 February 2020. Accessed Oct. 2023.
Erard, Michael. "How a Doctor and Linguist Are Using AI to Improve Palliative Care." Quartz, 3 Sept. 2019. Accessed Oct. 2023.
Erickson, Sally, and Tapan Maniar. "FAQ for Copilot Data Security and Privacy in Microsoft Power Platform." Microsoft Learn, 11 Jan. 2024.
Faggella, Daniel. "AI in Banking – An Analysis of America’s 7 Top Banks." Emerj, 14 March 2020. Accessed Sept. 2023.
Faggella, Daniel. "Artificial Intelligence in Retail – 10 Present and Future Use Cases." Emerj, 4 March 2020. Accessed Oct. 2023.
Georgiou, Michael. "AI in Banking: A JP Morgan Case Study and How Your Business Can Benefit." Imaginovation Insider, 4 Dec. 2019. Accessed September 2023.
Gluck, Daniel, et al. "Governance, Risk, and Compliance Overview - Microsoft Service Assurance." Microsoft Learn, 3 April 2023. Accessed Oct. 2023.
Harris, Rebecca. "The North Face brings AI to ecommerce." Marketing Magazine, 12 Jan. 2016. Accessed Oct. 2023.
Hodson, Hal. "Revealed: Google AI Has Access to Huge Haul of NHS Patient Data." NewScientist, 6 May 2016.
Joshi, Naveen. "7 Types Of Artificial Intelligence." Forbes, 19 June 2019. Accessed Oct. 2023.
Kent, Chloe. "Google takes control of DeepMind Health amid data privacy concerns." Medical Device Network, 19 Sept. 2019. Accessed Sept. 2023.
Kerravala, Zeus. "NVIDIA Brings AI To Health Care While Protecting Patient Data." eWeek, 12 Dec. 2019. Accessed Oct. 2023.
Kerry, Cameron F. "Protecting Privacy in an AI-driven World." Brookings, 10 Feb. 2020. Accessed Sept. 2023.
Marr, Bernard. "27 Incredible Examples of AI And Machine Learning In Practice." Forbes, 30 April 2018. Accessed Oct. 2023.
McMahan, Brendan, and Daniel Ramage. "Federated Learning: Collaborative Machine Learning without Centralized Training Data." Google Research, 6 April 2017. Accessed Sept. 2023.
"Microsoft Responsible AI Standard, v2 GENERAL REQUIREMENTS." Microsoft, June 2022. Accessed Oct. 2023.
"Minister Champagne marks the launch of the Canadian Data Governance Standardization Collaborative Roadmap." Government of Canada, 28 June 2021. Accessed Oct. 2023. News release.
"NIST AIRC – Playbook." NIST, n.d. Accessed Oct. 2023.
"NVIDIA AI and HPC Solutions for Healthcare and Life Sciences." NVIDIA, n.d.
Pack, Camille, et al. "Microsoft 365 Copilot Overview." Microsoft Learn, 2 Feb 2024.
Polner, Anastasiia, et al. "Automation with intelligence: Intelligent Automation 2022 Survey Results." Deloitte Insights, 30 June 2022.
"Privacy and AI Governance Report." International Association of Privacy Professionals (IAPP), Jan. 2023. Accessed Oct. 2023.
"Privacy’s Growing Importance and Impact Cisco 2023 Data Privacy Benchmark Study." CISCO, 2023. Accessed Sept. 2023.
Research and Markets. "Digital Transformation and Fintech Strategies of JPMorgan Chase 2018." PR Newswire, 2 Oct 2018. News release.
"Responsible Use of Technology: The Microsoft Case Study." World Economic Forum, Feb. 2021. Accessed Oct. 2023.
Schwartz, Samantha. "JPMorgan Chase splits tech spend between maintenance, innovation." CIO Dive, 23 April 2019. Accessed 29 Feb. 2024.
Singh, Kajal. "Synthetic Data — key benefits, types, generation methods, and challenges!" Towards Data Science, 13 May 2021. Accessed Oct. 2023.
Tractica. "Healthcare Artificial Intelligence Software, Hardware, and Services Market to Surpass $34 Billion Worldwide by 2025, According to Tractica." Business Wire, 27 Aug. 2018. Press release.
Wakefield, Jeffrey. "Gramling Study Finds Machine Learning Illuminates End-of-Life Conversations." The University of Vermont, 9 Dec. 2019. Accessed Oct. 2023.
West, Darrell M., and John R. Allen. "How artificial intelligence is transforming the world." Brookings, 24 April 2018. Accessed Oct. 2023.
Wolford, Ben. "What Is GDPR, the EU’s New Data Protection law?" European Union, 2018. Accessed Sept. 2023.
Wood, Alexandra, et al. "Differential Privacy: A Primer for a Non-Technical Audience." Vanderbilt Journal of Entertainment & Technology Law, vol. 21, no. 17, 2018. Accessed Sept. 2023.
Wright, David, et al. "Automation With Intelligence." Deloitte Insights, 21 June 2023.
Zhu, Tianqing. "Explainer: what is differential privacy and how can it protect your data?" The Conversation, 18 March 2018. Accessed Oct. 2023.