Using AI in your Business
What to consider?
Artificial intelligence (AI) has developed from a futuristic concept to a mainstream tool used by many businesses on a daily basis. The exponential growth of AI in recent months/years is hard to miss, with various industries adopting the technology to streamline operations and boost productivity.
For business owners, the prevalence of AI presents both opportunities and challenges. AI can improve efficiency, generate new ideas and identify opportunities but, like many emerging technologies, it also comes with risks that should be carefully managed.
The Ministry of Business, Innovation and Employment recently released AI guidance entitled Responsible AI Guidance for Business to assist with the use and development of AI systems ethically, responsibly and effectively across all types of businesses. We outline some of the key risks and practical strategies discussed in the Guidance to proactively mitigate challenges before they arise.
Key risks
Bias: If an AI tool has been trained on biased data, it may produce biased results. When collecting data, AI systems may reflect patterns of your historical decision-making which can lead to inaccurate results.
If this data is then used to make business decisions, it may output biased outcomes. An example of this is biases in personnel data. If an AI tool is trained on existing data held by your business to review job applications, it may produce results that reflect historical inequitable hiring trends, for example, gender, race or age. This could create bias or, at worse, discrimination and human rights challenges.
Errors: Generative AI is also susceptible to inaccuracies and errors in results. In some cases, AI systems can generate what are often referred to as ‘hallucinations.’ These are outputs that appear credible but are in fact fabricated or entirely false. This happens when the system fills gaps in knowledge with plausible sounding information, presenting it as fact. Such inaccuracies can create operational, reputational and legal risk.
The prevalence of these false or misleading outputs underlines the importance of maintaining human oversight over AI-based activities to ensure outputs are accurate. A business may be liable for the inaccurate output of AI tools. This could also include a situation where the output infringes third party intellectual property rights.
Using datasets that are accurate, compliant with regulations and transparent can help to reduce risks of inaccurate output. Accuracy is likely to improve over time as AI technology improves, and layers of audit/checks/balances are built into AI tools.
Privacy and cybersecurity: Many generative AI systems collect, store and use data inputs to train themselves and to generate future responses. This creates risks of privacy, confidentiality and cybersecurity breaches if data is input into systems that allow this. A breach of this nature is likely to have serious implications. Even in closed systems, data processing usually occurs on third-party platforms which could have vulnerabilities to data leaks or cyber-attacks.
Comprehensive reviews of AI tools, how they work practically, and their terms and conditions, should be undertaken. This will allow your business to have a clear understanding of the risks and make an informed decision as to whether use of the AI tool is compliant. Specific privacy impact assessments should also be undertaken.
AI tools, by their very nature, are very powerful at processing large volumes of data. This means they can often find data on systems which is otherwise inaccessible to a lay user. Role-based permissions should be set up, prior to AI tool implementation, to ensure that AI tools can only access data that is appropriate for that role. The Guidance recommends adopting data anonymisation, encryption and secure storage to help protect confidential and personal information.
In terms of business implementation, the Guidance suggests beginning AI rollout in low risk areas and maintaining human oversight in relation to AI-related activities and output. When AI is involved with providing data to guide major decisions that may have significant or widespread impact on your business, having a human review aspect can avoid mistakes or unintended consequences.
Getting the foundations right
Purpose: The Guidance encourages businesses to start by considering its purpose for adopting AI. It is important to be clear from the outset about what you want to achieve with AI; this will help direct your integration strategy, and ensure that it aligns with your commercial goals, business values and legal responsibilities.
Establishing AI usage policies early on can help guide responsible AI use and prepare your business for the inevitable challenges that will arise. Policies will need to be regularly reviewed to deal with the fast pace of change in this area.
Legal compliance: When adopting or developing AI systems, your business must ensure compliance with all relevant statutory, regulatory and contractual obligations. Obligations will vary widely based on the industry and sector in which you operate, but will generally always include privacy, intellectual property, consumer protection, confidentiality and contract law.
This means understanding how AI interacts with existing legislation and ensuring that AI use does not inadvertently breach obligations. You should proactively assess legal risks and ensure the roll-out of the AI tool complies. Policies can be implemented within your business to address any risk areas with staff and operations.
In some cases, changes to business practice may be required. For example, changes to terms of trade and privacy policies to seek permissions and/or to be clear where AI is to be used so customers or contracting parties are not inadvertently misled. In some cases, contractual variations may need to be sought for existing relationships. Documenting decisions is also helpful should there be any compliance challenges in the future.
Governance: Regardless of the size of your business, the Guidance recommends establishing a team with a diverse skill set in security, technology, privacy, legal compliance, AI education and stakeholder communications. This will help identify, manage and mitigate unintended risks associated with AI usage, as well as ensuring decisions about AI use are aligned with your organisation’s values and broader legal obligations. Such a team could create, implement and update any AI usage policies.
Risk management: AI can expose and amplify existing risks, so it is important that risk management practices are adopted early. It is vital to develop policies and protocols which provide for a structured approach to identify, assess, manage, record and review risk. These plans help ensure your business can respond quickly, minimise harm, and meet legal or contractual obligations if something goes wrong.
As part of this process, your business should also consider the potential impact on stakeholders such as staff, clients and shareholders. Meaningful engagement and stakeholder impact assessments can help inform the development of AI policies and reduce reputational and operational risks.
Conclusion
AI offers businesses significant opportunities to improve efficiency, generate insights and drive innovation. However, as highlighted in the Guidance, realising these benefits responsibly requires more than simply adopting the technology.
Engaging with the Guidance will assist you to reduce risk and align AI use in your business with ethical and legal expectations.
DISCLAIMER: All the information published is true and accurate to the best of the authors’ knowledge. It should not be a substitute for legal advice. No liability is assumed by the authors or publisher for losses suffered by any person or organisation relying directly or indirectly on this article. Views expressed are those of individual authors, and do not necessarily reflect the view of this firm. Articles appearing in this newsletter may be reproduced with prior approval from the editor and credit given to the source. Copyright, NZ LAW Limited, 2019. Editor: Adrienne Olsen. E-mail: adrienne@adroite.co.nz. Ph: 029 286 3650 or 04 496 5513.