We are all adjusting to AI becoming a normal part of our everyday browsing experience and it is becoming a tool more and more of us are starting to incorporate into our everyday lives, both personal and professional.
Along with welcoming this progressive technology, there is a wariness surrounding the potential impact of AI. This article looks at some of the data protection considerations businesses should have when using AI as part of their customer experience, with particular focus on consumer customers.
When we discuss AI, we are often using a generic term to encompass technology that seeks to mirror thought processes of humans to provide a solution or answer to a task. Clearly, not all AI will involve the use of personal data, for example software that analyses data from maintenance sensors, software that monitors stock levels or the weather.
However, the use of personal data within AI technology is key for many industries and businesses. In the retail sector, online retailers will often use a customer’s purchase history and browsing history, live chats with AI customer service “assistants” have become normal and social media behaviour is monitored for consumer interest and preferences. There is little doubt that such software is a profitable approach for businesses.
The actions outlined in the paragraph above often involve profiling a customer, this allows for a business to personalise and tailor advertising and responding to clients. This is something that must be considered in light of data protection obligations. Businesses must remember the data protection principles as set out in Article 5 of the UK GDPR[1] (1. Lawfulness, fairness and transparency, 2. Purpose limitation, 3. Data minimisation, 4. Accuracy, 5. Storage limitation, 6. Security, 7. Accountability) and ensure that they are taking steps to ensure their compliance with the data protection requirements.
Businesses must also remember that consumers have a right to object to being profiled for marketing purposes.
Practical things for you to think about if your business is exploring AI technologies:
- Do you need to carry out a Data Protection Impact Assessment (“DPIA”) before you embark upon using AI technology – this is a good way to allow businesses to consider data protection risks of using AI technology. It also allows a business to demonstrate its compliance, should it be required to, with data protection requirements.
- Does your privacy policy adequately explain your use of AI technologies? It is important that any such use is transparent for your customers.
- Is the AI technology you use producing accurate information? This is something that you will need to consider on an ongoing basis.
- Are your staff and you aware of how to approach AI technologies or do they need more training? For example, if a customer objects to profiling for direct marketing do staff know how to handle this and are policies up to date.
- If your profiling of customers involves no human involvement and could result in a significant effect on the customer, then there may be further considerations that you need to consider, as the profiling may be restricted.
This is a complex area that everyone is still trying to adjust to. If you are considering integrating AI technologies to your business, or have already done so and wish to obtain advice on how to approach this, please contact Beth de Cruz.
[1] The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019