Developing or implementing any new technology carries risk, and AI brings its own set of distinct risks. These risks often depend on how AI systems are designed and used in practice, including what data is processed, how that data is input, processed and relied on, what data is created, and what governance structures are in place.
We advise both organisations procuring AI systems and also AI developers bringing AI products to market, across the full lifecycle from procurement to deployment and commercialisation, including early-stage product structuring and ongoing use of AI in live environments.
Our services include advising on:
- The legal implications of AI, including how these interact with the GDPR.
- Appropriate AI implementation frameworks, AI risk assessments and governance measures.
- Managing data used in training, testing and operation of AI systems, including provenance, licensing and reuse risks.
- Completion of data protection impact assessments (DPIAs) and consultation with regulators. This may include advising on DPIAs and wider AI risk assessments for the use of tools such as:
- Microsoft 365 Copilot and Copilot Chat
- Anthropic’s Claude models
- Other AI SaaS products, including workplace AI assistants, collaboration tools, customer support chatbots, document automation tools and AI-enabled analytics platforms, depending on how they are configured and used in your organisation.
Many of these tools will include personal data being input into, processed by or generated by those systems, or outputs being used to inform decisions or actions. These risks will need careful consideration, and it is important to consider if a DPIA will be mandated under the GDPR, with resulting fines and sanctions where this is not carried out.
By way of example, we may support organisations in assessing the use of AI tools embedded within productivity suites, HR and recruitment platforms, customer service systems, software development workflows, or internal knowledge management systems.
- How to ensure transparency and explainability. This includes producing privacy notices that cover how personal data is collected and used as part of creating and training an AI model, or in relation to personal data that is uploaded to – or generated by – the AI system.
- Security and supplier due diligence processes.
- Compliant international data transfer mechanisms and transfer risk assessments.
- The use of AI to make solely automated decisions (ADM) about individuals.
- Identification of the appropriate legal basis for different elements of AI processing, and of special category data processing.
- Drafting legitimate interests assessments (LIAs).
- Undertaking controller, processor and joint controller assessments within the specific AI ecosystem.
- Data-sharing and data processor agreements.
- Data minimisation.
- Ensuring individual rights and handling rights requests.
- GDPR accountability and wider AI governance policies and procedures, including the design and implementation of governance frameworks, such as the development of AI ethics frameworks, internal governance structures and policies for the use of generative AI in the workplace.
- Deep-dive data protection audits.
- Specific AI risks such as personal data leakage, model inversion, membership inference and data poisoning.
We can also assist with robust AI due diligence and establishing strong breach-handling processes, as well as supporting you in responding to incidents and regulatory scrutiny in the event that issues arise.
We work with data ethics professionals and data scientists, where needed, to provide expert input.
We regularly work alongside legal, compliance and technical teams to ensure that AI risk is managed in a practical and proportionate way.
Contact our experienced AI lawyers to find out more.
One of our clients has designed an app to demystify career growth in companies and empower everyone to own their own career, using AI systems to present relevant career content.
Compliant terms and conditions and privacy notices are key to customer sales and to ensure the trust and confidence of individuals and organisations that use the app.
Our published article explains how organisations can help to protect themselves and ensure GDPR compliance when developing, implementing or trialling AI systems in their organisations.