Generative AI and the need for data privacy

Generative AI provides so many benefits to lawyers. But it comes with some risks. We explore how to mitigate risk by practicing effective data governance.

woman in red blazer holding white paper

Generative artificial intelligence (AI) is a tech revolution. Its impact is most acutely felt in the workplace: all tasks, all comms, and all platforms are subject to change from generative AI. The tech is enhancing and streamlining so many elements of legal work, from research to drafting, from project management to negotiation, from marketing to due diligence.

But opaque AI systems pose risks, not least when it comes to data privacy. A core risk is that inputs will include personal information, which means outputs will inevitably reveal personal information. On top of that core risk are many others: generative AI systems may use data without consent, fail to de-identify, fail to anonymise sensitive data, fail to safeguard, and fail to comply with the relevant data privacy regulations.

In short, it is crucial that lawyers using generative AI systems practice robust data governance to avoid ethical, reputational, and legal risk. In this article, we explore how systems, law firms, and lawyers themselves can protect themselves with robust data governance.

Generative AI systems and the practice of data governance

Generative AI systems need to practice effective data governance by ensuring the appropriate collection, usage, and protection of data. Owners of generative AI systems should commit to handling data in accordance with all applicable privacy regulations, and follow internal principles of ethical use. They should take steps to continually refine data protection processes, ensuring the confidentiality, integrity, and quality of all the data that they use.

AI systems should maximise security at every stage. Encryption is particularly important when building AI models. It secures sensitive data at the initial stage, immediately protecting the data from unauthorised access. The encrypted data builds a secure foundation: it is easier to ensure security at the beginning than imparting security at a later stage. Indeed, in early stages, AI models are experimental and more vulnerable, so encryption from the earliest possible stage will help to prevent data leaks and exposures at the moment of highest risk.

Data minimisation and purpose limitation are important in the early stages, too. AI systems should only collect the data that is necessary for their purpose and should avoid using data for the sake of its use. Overuse of data not only presents security risk, but also opens companies up to regulatory risk: the principle of data minimisation features in General Data Protection Regulation, the Data Protection Act 2018, and a host of other regulations from across the world. Companies should collect only relevant data that conforms to their purpose.

There are plenty of other simpler steps that companies can take to ensure AI models practice effective data governance. They can, among other things, enact internal firewalls and enforce detailed logging and detection systems. Organisations can also conduct vulnerability testing with third parties, monitor outputs to track potential hazards, afford all staff ample data governance training, and practice incident response drills to react promptly to threats.

Lawyers and data governance

Lawyers and law firms can stay ahead of the competition by using generative AI. The benefits are substantial: streamlined processes, greater decision-making abilities, improved legal research, more time spent with clients, better client engagement and interaction, improved organisation and management, and so on. In short, all lawyers should look to generative AI.

But the tech poses risks, too, as we’ve mentioned above. These are risks that lawyers and law firms can mitigate with simple steps. The first – and most important – step in terms of risk management is using generative AI systems that boast effective data governance. It’s important, too, that lawyers and law firms practice effective data governance themselves. They can start by regularly testing and auditing the AI systems that they use to ensure they comply with the expected standards of data protection – as well as standards for accuracy and mitigating bias.

Keeping AI systems updated will also prevent vulnerabilities, as new iterations may take into consideration changes in laws and legal precedents. Firms can create and share AI policies at an organisational level, ensuring everyone practices human oversight, considers real-world impact of AI usage, and always employs a healthy degree of scrutiny towards the outputs.

Law firms should also train lawyers on the best ways to use generative AI, particularly looking at the way individual AI systems work and how to use each system effectively.

And, finally, much like AI systems themselves, lawyers should develop an incident response plan. No matter how secure the AI system might prove, no matter how cautious firms and lawyers might be, you will never entirely eliminate the risk of data breaches. So it’s best to have a plan in place for any leaks, including immediate steps for containment and mitigation, as well as client notification protocols and steps to contact the correct authorities.