AI Risk Mitigation Starts with Privacy Compliance, Compliance Expert Says

“Ask a compliance officer to name their top worry about artificial intelligence, and odds are they will blurt out something to do with privacy,” Kelly wrote. “That doesn’t just tell us what the risks of AI are -- it also gives us hints about how companies should try to manage those risks.”

Data, Kelly said, is what fuels AI growth. “For example, AI models 'learn' by ingesting large amounts of data,” he said. “Some of the well-known AI tools out there (think ChatGPT and its other consumer-facing brethren) learn by scraping the internet for whatever data they can find. Other companies are building their own AI systems based on data they control themselves,” but it’s hard to know how many “home-grown generative AI solutions are being developed in-house” because this isn't being tracked.

Even if companies change their privacy policies or user agreements so that users consent to their data being fed into AI, the changes may be considered “deceptive practices” in the eyes of regulators like the FTC, Kelly said. But using “fake” data has its own problems, he said.

“A company can try to train its AI systems on 'synthetic data,' which isn’t real and therefore avoids the consent issue -- but AI trained on synthetic data might not perform as well,” Kelly said. “That simply exchanges compliance risks for operational risks, where the AI is making worse choices. That, in turn, could even lead to other compliance risks, such as a poorly trained AI discriminating against customers or showing inappropriate material to minors.”

Having a team-based approach, consulting with legal, privacy or regulatory experts and ensuring that training data comes from a reliable source are some ways companies can avoid compliance risks, said Kelly: Preparing for AI training and use now will help companies in the long run.