Assessing Privacy Processes

I wrote previously about how privacy doesn’t really care about AI in particular, but that the use of personal information overall is the concern. However, I did not go into detail about what the process for assessing such processing would look like. I want to take some time to give some guidance on how you can assess any process that uses personal information, even those that include the use of artificial intelligence.

Cross the Threshold

The first step of an assessment process should be to determine whether a full assessment is needed. Many activities are so mundane, routine, or consistent that no further review is warranted. Marketing emails that follow set templates, basic customer interactions, monthly reports, or system audits do not require a more in-depth review. To determine whether more is needed, a privacy threshold assessment (PTA) should be done.

A PTA should be incredibly high-level and ask very simple questions. Think along the lines of the following:

  • Does this project, process, or product involve the use of personal information?
  • Does this project, process, or product involve a third party or vendor we have not previously used?
  • Is a new technology, such as AI, involved?
  • Would a reasonable person possibly object to this project, process, or product?

These questions can be integrated easily with any project management process or existing workflow with minimal interruption. Just be sure to explain what you mean when you say “personal information” to non-privacy personnel.

A real PIA

Despite the coincidence that the acronym PIA has multiple different, and some unfortunate, meanings, a privacy impact assessment is a crucial part of any privacy program. Once the threshold for performing a PIA has been reached, your organization will need to begin assessing the project itself.

The PIA is a survey or questionnaire meant to gather information about the purpose and means of processing. The systems, security controls, and personnel involved with the process are also considered. Everything is reviewed to ensure it complies not only with regulations but also with internal procedures and policy. While some tools can automate parts of this process, a human being should always be involved to guarantee accuracy.

Having multiple question templates for different uses is also optimal. For artificial intelligence in particular, questions could be added about the algorithm, training data, and outputs to comply with the EU AI Act and the requirements it sets out for a conformity assessment. Artificial intelligence is one of the best examples of why you have such a process in the first place. When someone at your company wants to use artificial intelligence for any reason, you should be asking why they would use AI, what alternatives there are, what information would be involved, and how that processing would take place. All of this is done to assess risk and, where necessary, take measures to prevent harm.

Continuous Updates

Updates to this process must also be conducted. There is a constant need to audit and assess the privacy program itself to ensure optimal performance and continued efficacy. Generally speaking, an assessment or audit of the program will focus on compliance with the program and identify where updates are needed based on emerging laws or regulations, as well as on shortfalls of the program. It may even be necessary to bring in a third party to assist.

To this point, assessing the assessment process itself will also need to happen. Again, as we move closer to a future where AI is ubiquitous, we need to know that our processes account for these aspects. Are we asking questions about the algorithm? The training data? The outputs? If your process never changes and you simply ask the same questions, you will miss nuanced criteria and eventually suffer a failure of some kind.

Privacy Ref does this for organizations on a regular basis. We take the approach of developing a framework based on applicable laws, or using an existing framework, and then assessing your program against it. Interviews with personnel and a review of policies and procedures are done to find gaps and provide a list of recommendations that you can use to further develop your program. We also integrate specific criteria for each organization's focus. Whether it is managing a non-profit, selling goods, or developing an AI-driven product, we always consider those goals as part of the process.

No matter the outcome, it is important to follow a process for regular reassessments. Continuous monitoring enables a stronger privacy program. Skipping this important process will eventually result in issues or follies that could otherwise have been avoided. Simply put, it will save you time and money.

Reach out to Privacy Ref with all your organizational privacy concerns: email us at info@privacyref.com or call us at 1-888-470-1528. If you are looking to master your privacy skills, check out our training schedule, register today, and get trained by the top attended IAPP Official Training Partner.