In recent months, the pressure on companies to implement generative AI technologies in their operations while complying with changing privacy regulations in the United States and the European Union has heightened concerns for corporate boards and executives. Corporate Directors Columnist Matthew Scott recently spoke with Amy Rozik, Director of the BDO Corporate Governance Center and Director of the Association of Audit Committee Members (AACMI), to find out more about these issues that many companies are likely to address. The conversation offered some insight on the topic. Below are some edited excerpts from it.
Is navigating changing data privacy regulations more important for most companies than incorporating generative AI into their operations?
It depends on the nature of the organization. Fines for violating privacy regulations are very high. And there are a lot of laws and regulations at the state level, federal level, and global level that companies and their boards of directors really need to understand. It is critical for businesses to be aware of where their data may be relevant. For example, a company that does not operate in a particular jurisdiction may still serve customers located in and subject to privacy laws in that jurisdiction. Therefore, it is important to understand where your company is most susceptible to laws and regulations. And that’s kind of all-encompassing for many companies.
Companies must be transparent about how they collect and use consumer data. That means providing clear privacy policies, obtaining consent for data collection, and giving consumers control over their personal information. Businesses need to raise their data privacy standards, along with ethical AI-integrated policies, controls, and systems to monitor compliance, as it is more than just a legal requirement. Privacy and data protection programs need to be strategic, not only to provide stakeholder protection, but also to strengthen your brand. Consumers want confidence that the companies they do business with will use technology appropriately, protect them and keep their information safe. Protecting privacy becomes a real issue for reputation and brand loyalty. If a company proves to be vulnerable, consumers may choose not to do business with that company anymore. This is another reason for boards to prioritize data security mechanisms that actually protect company data from leaks. This starts with understanding what your company’s data assets are and how that information is being used.
How should companies address data privacy issues when their third-party suppliers are involved?
Companies have focused on privacy issues with an emphasis on preventing employee errors and internal data leaks. But that turns out to be only part of the problem as businesses become more interconnected through different supply chains. During the COVID-19 outbreak, supply chains were disrupted and organizations had to pivot and find other suppliers to work with. In their haste, companies may not have imposed the appropriate rigor on new suppliers that they would have been subject to under normal circumstances. This can create significant vulnerabilities in the supply chain.
Companies need to think about this from a shareholder perspective. Boards should ask management: “Who is in our pipeline? Who is in our supply chain? Where are our weaknesses?” Whether it involves procurement or IT, organizations need to work together to ensure privacy controls are working properly.
Boards should also ask management, “What are our policies and procedures for vetting suppliers within our supply chain?” Currently, if there are private or foreign companies in the supply chain, they may not have the same regulatory requirements as public companies and therefore may not have the same standards for privacy and data governance. There may also be organizations in your supply chain outside the United States that have different regulatory requirements and not all of the same privacy laws as the U.S. Boards need to pay attention to monitoring compliance with laws and regulations. Managing compliance with laws and regulations in various jurisdictions can be extremely difficult. If management does not have the reassurance that it has the resources to do what is needed to be compliant, it is time for the board to act.
What are the most important considerations for boards and management teams when incorporating AI into their business structure?
How to approach AI as an organization: Take a multidisciplinary approach from the board of directors, including executive management, IT, and internal audit, to establish policy. Ask, “What are we doing now? Why consider AI? Is there a competitive reason to deploy AI? Can AI contribute to revenue generation?” And, importantly, ask, “What if we don’t deploy AI?”
Consider how AI fits into your business strategy. This essentially requires considering AI through an ERM framework. If you decide to move forward, you will need to determine the appropriate guardrails, including policies, procedures, monitoring systems and communications to ensure proper compliance integration and risk mitigation. Second, the board and management need to be on the same page when determining priorities, as there may be multiple opportunities to use AI, and AI implementation can be very expensive. Acceptable uses of AI by an organization must be taught to everyone within the organization.
When it comes to AI innovation, there are ways to do this in a protected environment. For example, when using generative AI, there are guardrails that can be established to ensure the appropriate use of the data used to train the AI. Ensure transparency and ethical guidelines are followed and monitor for misuse, human error, or unintended consequences. Build in accountability and consent policies and continually educate employees and stakeholders about the evolving risks and opportunities of AI. Although no method is completely foolproof, these are some protections and precautions you can take to use this technology safely. Boards should further ensure that management is making a concerted effort to reduce bias in datasets and algorithms used to strengthen data integrity. The monitoring process should further ensure that clear goals and objectives are established to enable necessary improvements to be measured and identified.
While boards expect executives to enhance their businesses through AI, it is their priority and responsibility to ensure proper oversight. AI offers strategic opportunities, but it also poses significant risks to organizations if not used properly.
Have you seen how companies are implementing AI in their business strategies and operations?
We will focus on generative AI because it creates new content from existing information. Companies are working hard on how to leverage this technology. I see companies mainly using this for marketing and documentation, and it’s much easier to convert to another format. They take all internal data and put it in a secure environment available to their employees. They can then take in information from the outside world and build guardrails to prevent what they create from returning to the wider universe.
There are many applications that allow businesses to do this. And it doesn’t have to cost much, especially as more organizations enter the world of AI. However, we see many companies purchasing AI applications regardless of whether they have been safely tested or not. Companies need to be wary, as some of them have come to light before they have been subjected to obvious scrutiny. You need to be clear about whether technology aligns with your company’s strategy and core values, and understand how you’re leveraging technology as an organization. Does it match what they are trying to do?
Is there anything else boards should understand about data privacy and generative AI?
Executives and boards need to truly understand how their workforce is leveraging generative AI. Where is it integrated into day-to-day operations, and do employees have a good understanding of how easily customer information and other sensitive documents can be leaked to the marketplace?
Companies should take important precautions, including policies and procedures, but also emphasize ongoing communication and education about the risks associated with the use of AI. Above all, the board must ensure that management is taking all appropriate steps before giving the signal to move forward full speed ahead.