Franchise

AI Governance Building Blocks

Organisations recognise the need to put in place effective AI governance, but this is often easier said than done. The task often falls to legal and privacy teams to implement but data science, product and engineering teams will also have their own processes and procedures that need to be taken into account. The simple building blocks below should help you to create a practical AI governance programme that works for your organisation.

Step 1 – AI inventory

This involves mapping all of the AI that is currently being used by your organisation or which is in the pipeline. Create an inventory of all AI systems that are deployed, ensure you understand the purposes for which the AI is being used and assign an owner for each system. It is also important to identify whether systems are supplied by third parties (and, if so, by whom) or whether they are proprietary in-house systems.

Map the jurisdictions in which each AI systems is deployed. This is important to help you identify applicable legal regimes in Step 2.

Step 2 – Identify applicable laws and map legal requirements

Once you have identified all relevant AI systems and where they are deployed, you can identify all applicable legal regimes. In the UK, there are no AI specific laws, but existing laws will be applied to any AI systems. For example, if any of your systems involve personal data, UK GDPR will apply. For EU jurisdictions the EU AI Act will apply, as well as EU GDPR. And you will need to check local laws in any other affected jurisdictions as well.

Once you have identified all applicable laws, map out the corresponding legal obligations. There is no easy way to do this – a simple spreadsheet seems basic but is often the easiest option.

Step 3 – Identify Required Processes

Consider what processes you will need to implement to ensure compliance with legal requirements. You may have existing processes that can be leveraged, or you may need to build an entirely new process. For example:

• Do you have an existing DPIA procedure that can be adapted to also capture AI issues?
• Are there procurement gateways in place that can be used to put in place AI checks?
• What processes do your product / engineering teams follow to initiate new projects and how can you use these to embed AI assessments?

Step 4 – Governance Structure

When you have mapped out all applicable legal requirements and identified the processes that you will require to ensure compliance, this should give you a good starting point to consider who is best placed to manage and have oversight of AI systems and processes. Often this will involve the following:

• AI Oversight Committee – made up of senior management who have overall responsibility for approving AI strategy and signing off on high-risk AI systems.
• AI Operational Ownership – these are the teams who take ownership of the deployment of AI systems and are ultimately responsible for ensuring compliance with all legal requirements and internal policy requirements.
• AI Advisory teams – these are the teams who will provide advice on technical and regulatory aspects of AI deployment. This will include subject matter experts, your legal and compliance advisers and may include both internal and external resources.

Step 5 – Documentation

Document your approach to AI governance so that everybody has clear guidance on their roles, what is permitted and the procedures that must be followed. This is likely to include:

• Organogram showing key roles and responsibilities.
• Terms of Reference for your AI oversight committee.
• Detailed role descriptions for AI owners mapping out their responsibilities.
• AI Policy, which may include AI ethics / values, as well as procedural requirements.
• AI assessment documents to enable you to risk assess AI systems and mitigate risks appropriately.
• AI monitoring procedures.
• AI reporting procedures to ensure that relevant projects get escalated to the AI oversight committee for approval.

Step 6 – Guidance and Training

Once your procedures and documentation are finalised you will need to socialise them within your organisation to ensure that everybody understands the requirements and their responsibilities. Regular training should be scheduled for all relevant teams.

Step 7 – Monitoring and Evaluation

An AI system that works perfectly on day 1 will not remain perfect forever. Systems improve, training data needs to be refreshed and business requirements change. Your AI governance programme should therefore include ongoing monitoring and evaluation of your AI systems to ensure they remain compliant and fit for purpose.

You should also evaluate your AI governance programme at least annually to ensure that it is working as intended and to consider tweaks and improvements.

Need help?

If you need help with getting to grips with AI, please get in touch with the HelloDPO team. We can assist with preparing AI governance programmes, drafting policies and procedures and delivering training. Contact us here.

 

 

Share:

Facebook
Twitter
Pinterest
LinkedIn

Related Posts

Don't just take our word for it
"We have been working with HelloDPO for several years now and I have always found them to be friendly, approachable and above all professional in their approach. I would have no hesitation in recommending them."
Serena MayDirector, Southern HR Ltd
Serena May
"We have been working with HelloDPO for several years now and I have always found them to be friendly, approachable and above all professional in their approach. I would have no hesitation in recommending them."
Serena MayDirector, Southern HR Ltd
Serena May
“We have worked with Jenai, Alison and the HelloDPO team for over 5 years as our DPO and have found their advice and support invaluable. They are pragmatic and flexible in the advice they provide, and assist in making data protection compliance apply in a corporate environment. Working with them is like having additional members of our team, and the relationship has flourished over time."
Craig SaundersHead of International Privacy, Aetna Global Benefits (UK) Ltd
Craig Saunders
“The team (Jenai and Lisa) provided DPO services and compliance support to our business for over a year, during which they consistently delivered high quality advice and excellent client service. The demands of the hospitality industry are high and HelloDPO adapted to this quickly and seamlessly – they are responsive, knowledgeable, and pragmatic. They are also a pleasure to work with.”
Frasers Hospitality (UK) Ltd
“We have been working with HelloDPO for nearly a year. The team have been great to work with, highly professional and flexible. Most importantly, they have given clear advice and guidance in what is a very complex area. Well done and we look forward to continuing working with you!”
Ruth HidalgoDirector, Chartered Accountants Worldwide
Ruth Hidalgo
“The HelloDPO team have led us patiently through the intricacies of GDPR over the years, helping us to navigate a careful path to ensure understanding of the rules and therefore compliance with them. HelloDPO are a pleasure to work with and I’d have no hesitation in recommending them to others looking for good, commercial advice in this complex area.”
Sanjay PatelFinance Director, Cadogan Group Limited
“We have recently engaged HelloDPO and the team, led by Jenai, has been responsive, practical and generally very helpful when dealing with our data protection queries. We look forward to what’s on track to becoming a great working relationship!”
Federica CozzaniSenior Legal Counsel, Compre Group
Federica Cozzani
“If you’re looking for trustworthy, pragmatic and diligent legal advisors, say Hello(to)DPO! The team has been a great support to Skyscanner on a broad range of privacy and data protection matters, whether advising at a compliance level or on more acute legal issues. You’ll enjoy considerate, timely and helpful advice, provided by professionals with whom it’s a delight to work.”
Gemma WithamDirector of Legal (Privacy), Group Privacy Officer, Sykscanner Limited
Gemma Witham
“Jenai and Emma are amazing to deal with. They strike the right balance between understanding the business needs while doing it’s fiduciary duty to ensure we are on the right track from a legal, ethical and moral perspective. Working with HelloDPO’s guidance over the past 2 years has enabled X-Mode (now known as Outlogic) to be able to navigate complex and at times uncertain waters with GDPR in a strategic and ethical manner.”
Joshua AntonCEO, Outlogic
Joshua Anton
“A great bespoke service, delivered flexibly by absolute experts in a friendly, collaborative and accessible way. I cannot recommend more highly!"
Clare RussellInterim Head of Legal, Vue UK & Ireland
Clare Russell
“HelloDPO have been brilliant at getting our data compliance into shape. We have come such a long way in our ways of working and they are always on hand to help when we have complicated or urgent issues – they have simply become part of the team."
Josh TowbHead of Business Transformation, Jigsaw
Josh Towb
“The HelloDPO team have provided Channel 4 with a wide range of data protection advice over the years. Alison is always delightful to work with, and her advice is pragmatic and set within a commercial context, which is particularly helpful. HelloDPO runs regular DP Confessionals, which provide our team with a valuable wider industry view and a sense of issues which other organisations are struggling with, and the ways in which they are approaching them."
Rebecca MillerChannel 4
Previous
Next

Subscribe to our privacy news and legislation updates

Subscribe now

HelloDPO

We are here to make our data-driven world a more equitable and ethical place to live, work, and thrive by pragmatically balancing our clients’ commercial ambitions with every individual’s right to privacy.

Linkedin
Navigation
Legal & compliance
HelloDPO Law Logo
© 2024 HelloDPO. All rights reserved. The use of any material on the website without our prior written consent is strictly prohibited.

Website developed by Bowler Hat

Data Protection; Demystified