Wielding the power of AI responsibly: How to protect data while creating a competitive edge

The potential for AI to give automotive businesses a competitive edge is very real, from more targeted sales and marketing to better customer relationships, even quicker repairs and inspections. But there are risks too, especially for personal data. Luke Dixon, head of data and information, shares 10 tips to help you avoid the pitfalls and make the most of AI for your business. 

1. Involve relevant stakeholders

Before you roll out an AI opportunity to your business, you need to get a number of people on board including legal counsel and compliance, so you can take advantage of the benefits and put in place appropriate protections. 

2. Know your responsibilities

An AI system is likely to include a lot of personal data and will be regulated by the UK General Data Protection Regulation (UK GDPR). Whether you're a controller or a processor of the data will determine your responsibilities under UK GDPR. If you’re not sure, get advice.

3. Be clear about lawful basis

If you’re a controller, you need to know your lawful basis for processing the data. UK GDPR sets out six options including performance of a contract, consent and legitimate interest. Knowing where you sit within the AI process (development or deployment or user) matters – the selection of the lawful basis depends on it. 

4. Minimise data processed

UK GDPR requires you to only process the data that you need for your purposes. When you’re feeding in training data sets, think about how much data you really need. The more data you've got in the system, the more is susceptible to a data breach of some kind. 

5. Consider a Data Protection Impact Assessment (DPIA)

A DPIA brings stakeholders together to identify the risks in processing data and to work out ways of mitigating that risk. If your AI system is high risk – it’s likely to have a very significant impact on people or it's very novel technology for example – carrying out a DPIA is a must. A DPIA will help you to get the benefits out of a system without incurring too much risk, so is good practice in all cases.

6. Tell your customers

Where you're going to be using AI systems, you need to provide your customers (or the subjects whose data you're using in the system) with privacy notice information that gives them an understanding about how the system works: how you’ll be using their data, including whether you'll be sharing it or processing it for a given purpose, and that you'll be doing it on a given lawful basis. If a system is going to make significant decisions about people – perhaps an automated decision about whether to give someone a financial services product – you need to be transparent about that and the legal basis for it.

7. Think about data rights

UK GDPR gives people access and rectification rights in relation to their personal data. You'll need to work out how you can respond to data subject access requests and requests for correction, and what impact an erasure request might have on your system. 

8. Keep systems secure

For each AI system you have, think about the data that's gone into it, the level of risk if that data is no longer secure and how secure you can make it with available technology. An AI system might be higher risk than other software because there might be more third-party code in the system or longer software supply chains. There are also new types of attack that AI possibly exposes the data to.

9. Be clear about chatbots

Make sure that users understand that they are talking to a chatbot. Have appropriate legal disclaimers about the output of the chatbot. Think about where the liability lies for a chatbot that says something that it shouldn't.

10. Understand the limitations

AI systems are only as good as the training data they’re based on. If that data is biased or inaccurate, the outputs might be biased, unfair or inaccurate.

For advice on your responsibilities in terms of data and information when using AI, contact Luke Dixon.


The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
