1. Data compliance
Data regulations are tricky, so how can we ensure compliance?
2. Neglecting compliance
We’ve gained an understanding of the laws, regulations, and responsible and ethical standards that govern data in AI. The next step is compliance. Without compliance, developers and organizations may suffer legal repercussions, substantial fines, and reputational damage. Individuals may also be subject to potential harm and abuse.
Recent cases include global social media platforms fined millions of dollars for mishandling the data of specific age groups or jurisdictions.
3. Data owner
Once legal counsel determines relevant laws and regulations for our project, we need to consider our data acquisition methods and identify the data owner. The data owner, typically defined by project-related laws and regulations, is often an individual or entity.
Strict data protection laws require obtaining informed consent when the data owner is an individual.
4. Informed consent
Informed consent is when an individual grants permission for their data to be collected and used for specified purposes. As developers, we must transparently communicate the purpose of the data collection, how it is used, and obtain explicit consent. Even with informed consent, the individual retains ownership and rights over their data.
5. Obtaining informed consent
Informed consent can be obtained through various means such as consent forms, checkboxes, signatures, opt-in/opt-out options, and mechanisms for consent renewal. It must be obtained before collecting or using personal data and be voluntary and specific.
Developers must keep records of data use and processing, and have a lawyer confirm that the implementation is correct.
In addition to obtaining informed consent, developers should practice data minimization, collecting only necessary data for the project to minimize risks.
6. Privacy and security
After data acquisition, our responsibility is to safeguard it, prioritizing privacy and security throughout the project's lifecycle, including design. Some measures include encryption and security measures to prevent unauthorized access, as well as applying data anonymization techniques to protect individual privacy.
Detailed documentation of data and algorithms throughout the lifecycle ensures transparency and accountability. It’s also a good idea to set up a process to monitor and update practices as the project evolves and laws change.
7. Organizational data
In the case of organizational data, a data owner is an entity.
A common way to respect an entity's data ownership is to use a Data Usage Agreement (DUA). It is a formal contract that outlines the terms and conditions for the transfer and use of data between two or more parties, such as a company commissioning an AI project and a second company building it.
The terms outlined in DUAs may vary.
8. AI chatbot
Recall our AI chatbot for the dental clinic. We have two data owners here.
Our app uses patient records, individual data, and protected health information (PHI).
When a person appears in the chat, the chatbot initiates a consent protocol. It presents a clear, understandable consent form detailing how it will use their data, the purpose of access, and the security measures in place. The patients' rights are explained, and they can voluntarily agree by clicking a checkbox. The consent is recorded for compliance.
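The consent protocol and the minimization rule above can be enforced in code rather than left to policy. The following added example (not from the course, and not a real chatbot's code) gates every use of patient data on a recorded consent that is voluntary, informed, purpose-specific, obtained before use, not withdrawn and not overdue for renewal, then strips fields the purpose does not need and writes an audit entry; the field names, purposes and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Consent record as the chatbot would store it after the checkbox is ticked.
# Schema is an assumption for this example, not any regulator's format.
@dataclass
class ConsentRecord:
    subject_id: str
    purposes: frozenset            # only the purposes the person agreed to
    granted_at: datetime
    voluntary: bool                # not pre-ticked, not a condition of service
    rights_explained: bool         # the form explained the patient's rights
    withdrawn_at: Optional[datetime] = None
    renewal_period: timedelta = timedelta(days=365)

def consent_permits(rec, purpose, at):
    """Return (allowed, reason) for using the data for `purpose` at time `at`."""
    if not rec.voluntary or not rec.rights_explained:
        return False, "consent not valid: must be voluntary and informed"
    if purpose not in rec.purposes:
        return False, f"consent does not cover purpose {purpose!r}"
    if at < rec.granted_at:
        return False, "consent must be obtained before collection or use"
    if rec.withdrawn_at is not None and at >= rec.withdrawn_at:
        return False, "consent withdrawn"
    if at - rec.granted_at > rec.renewal_period:
        return False, "consent expired; renewal required"
    return True, "ok"

# Data minimization: which fields each purpose genuinely needs (assumed).
ALLOWED_FIELDS = {"appointment": {"name", "phone", "preferred_time"}}

def minimize(patient_record, purpose):
    keep = ALLOWED_FIELDS.get(purpose, set())
    return {k: v for k, v in patient_record.items() if k in keep}

def process_request(rec, purpose, patient_record, at, audit):
    """Gate the request on consent, log the decision, return minimized data or None."""
    allowed, reason = consent_permits(rec, purpose, at)
    audit.append({"subject": rec.subject_id, "purpose": purpose,
                  "at": at.isoformat(), "allowed": allowed, "reason": reason})
    return minimize(patient_record, purpose) if allowed else None

# Constructed sample data for a stand-alone run.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CONSENT = ConsentRecord("patient-1", frozenset({"appointment"}), T0, True, True)
SAMPLE_PATIENT = {"name": "A. Patient", "phone": "555-0100", "ssn": "000-00-0000"}
```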
9. AI chatbot
The second data owner is the dental clinic, owning the patient records.
The clinic establishes a DUA with the developers. This agreement outlines the responsibilities of each party in handling patient data and ensuring compliance with HIPAA and other regulations. It specifies the scope of data use, security obligations, audit rights, and the conditions under which data can be accessed, used, or shared. The DUA also details the protocols for data breach notifications, ensuring rapid response and mitigation actions to protect patient information. A legal expert has verified all of this. We document the DUA and keep it for compliance.
10. Let's practice!
Great job! Now let's apply this knowledge in some exercises!