This instalment of Jus Cogens is part of a series of conversations on the governance of data, Artificial Intelligence and the digital age.
In this episode, Omer Akif speaks with Maria Khan, a Data Privacy Legal Manager at Securiti.ai, a company that produces AI software to help companies comply with global data privacy laws. Maria’s work primarily focuses on consent management, cookie consent, data access governance and AI governance.
The discussion explores the importance of regulating AI models, the relationship between data protection & AI governance, the current approach of companies to AI governance and how existing and upcoming legal & policy frameworks apply to AI systems.
Hi welcome to you skogan the international law podcast uh in today’s episode I’m joined by Maria Khan uh who is a data privacy legal manager at security a us-based software company that produces AI software to help companies comply with global privacy data laws uh her work primarily revolves around consent management cookie consent
Data access governance and AI governance uh she has the IAP uh cipe and cipm uh certifications uh which are in European data protection and privacy management uh she also has an llm from the University of Michigan Law School uh we’ll talk in this episode about the regulatory landscape of AI governance
Around the world um including the Nexus between privacy data protection and AI governance uh and some discussion on enforcement as well uh so this discussion will sort of Set uh the stage for AI governance in our you know following episodes and I’m very happy to have Maria on the podcast uh she was
Also my batchmate in law school so uh this is uh an interesting uh podcast for me personally and without any further Ado we’ll get into it uh thank you so much Maria for taking out time and being on the podcast thank you thank you m it’s good to you know to have
Conversation with you again it’s good it’s been so long now yeah it’s been a while so yeah let’s uh dive straight into it uh so uh just in in terms of U your background in privacy and AI governance in particular so if you can just like briefly um summarize what you
Have been up to in the privacy and AI governance space and what’s been your journey so far yeah so as you have mentioned I work with security as a data privacy legal manager and uh our company we produce AI based software that help companies all around the world to comply
With data privacy laws and our clientele is global and so is the focus of our research when I started working with security three years ago um I was primarily um you know more focused on gdpr and EU data protection laws but then um with the passage of time I
Started learning about us and other data protection laws and um because now due to the crossb data transfers uh many companies they reach out to us and they require a common solution um to comply with multiple privacy laws at the same time and that is because they are
Subject to multiple privacy laws at the same time uh due to the fact that they have offices in multiple locations or they have employees uh that belong to different residencies um so slowly the focus has become Global and um my focus is also now becoming Global that I’m starting
Learning shifting from EU and gdpr to also start learning about other laws and thinking about from a Global Perspective that how we can you know ensure uh how we can help companies to come up with global oriented solutions for compliance with data privacy laws um so I’ve been
Focusing a lot on consent management cookie consent management data transparency um and AI governance uh very recently it’s a it’s a new uh field for us to explore because this has come into play very re recently but now many companies are um you know they are
Coming to us and they are considering AI governance um and it’s a very wide field uh it has data privacy implications um it has uh Provisions within data privacy laws as well as there are specific AI governance laws that are uh some laws are in effect and some laws are upcoming
So this is an emerging field and I’m very very excited um you know to to to keep learning about it uh sure yeah thanks for that uh overview so just in terms of your understanding of what AI governance is and why do AI systems need to be regulated and governed in this in
The first place and if they’re not uh governed what sort of uh policy and legislative uh risks uh do they present to policy makers around the world so yes um AI governance um can be Loosely understood as a term to you know to govern the AI systems and um it’s a very
Wide terminology in my opinion uh it does not limit that uh uh we’re not only talking about data governance within AI systems we’re talking generally about AI governance which can include the outputs as well which are generated by AI which is the output which is generated by data
Um and with the rise of of artificial technology uh in today’s Times um there are now many risks and uh perhaps we can divide the AI risk into uh two areas one can be data privacy related risk and uh the other risk are are other human rights risk for example um
Discrimination against individuals or societal biases um or any violation to the fundamental rights of individuals um and in my opinion even data privacy violations are also considered human rights violation because I I I truly believe that data privacy is a fundamental human right it should be
Considered as a human right so but um we can you know talk about how these are two uh separate risk um so in data privacy risks um if you go into detail of what data privacy risk AI systems can cause um so any risk that is associated with uh the collection of individuals
Data and the subsequent processing of individuals data um for example there are data security risk uh that is uh uh you’re collecting data and processing it but then that data uh may be exposed to data breaches or security incidents um then there are uh storage limitation and purpose limitation risks
Um for example you’re collecting individuals data uh for one purpose but now you’re processing it for your AI system and that wasn’t the primary purpose of the data collection or or you have changed the uh the purpose of the data um along the way of your AI life
Cycle so that is a violation to the purpose limitation principle and uh if you are storing the data for an unlimited time period uh that is a violation of uh storage limitation data principle um so now we we have seen that with the rise especially of generative
AI uh generative AI which um is largely based on human generated content for example Char GPD everybody knows about it and uh so what it is doing that it is generating output based on uh human generated content uh and it is generating uh subjective uh content and replacing the human uh minds and
Replacing the human discretion AR Powers um so and as a result it needs to collect a lot of data and that is why there are associated data privacy risks uh and significant risk attached with uh generative AI so um and um yes then obviously there is also a risk of
Discrimination against individuals um when we are uh in this world right now if we take an example of of uh when we are filling an employment application an AI system can filter the job applications and it can eliminate uh certain uh race uh people belonging to certain race or people belong to certain
Geography to apply to a particular job and as a result it results in unfavorable treatment to certain individuals and that’s discrimination that is caused by Ai and that is why AI governance come into play that now these are all the risk it AI governance will
Come into play and it will um allow how we can you know handle these risk and how we can mitigate these risk sure yeah that’s I think that’s a very good um introduction into what uh AI governance is and what risks it presents and I like the fact how you
Divided it into Data privacy risks and human right risks so just um uh a national segue is drawing the connection between uh data privacy data protection and AI governance because um data protection has been around for some time now and with regulations like the gdpr uh you know
Being around for like five years and and more uh a lot of the practitioners and policy makers have been trained and familiar with uh the different uh fundamentals and principles of data privacy and now we see increasingly those are being uh translated into AI governance as well uh with the with
Organizations like the International Association of privacy professional uh working on a new certification on um you know training AI governance professionals so just in terms of the connection and the Nexus between privacy data protection and AI governance uh you’ve already uh hinted upon some of
Those uh you know aspects so I just want to have a general idea of how are all these uh different areas linked with each other yes um the reason uh AI governance and data and privacy can be linked to each other is due to the fact of the
Processing of personal data so there are AI systems that collect and process personal data and wherever there is an involvement of personal data all the data privacy laws come into play um so if you are an AI system and you are using personal data um you will be
Subject to gdpr and other data privacy obligations depending on the company Where You Are based and depending on the jurisdiction um and if the AI system does not involve personal data um that can also be the situation then data privacy laws will not be relevant and
There would be other laws that may be applicable to your company to your AI system when we talk about what data protection obligations uh AI systems can have uh it can have um all those um you know the main uh common data privacy protection principles for example the
Principle of data security the data needs to be secure it needs to be protected against any unauthorized breaches or unauthorized exess um the second thing is user transparency um the individuals they need to be informed if they are interacting with an AI system unless it is evident clearly evident from the
Context and circumstances of the use um the transparency principes um for users must be informed that they are interacting with an AI system plus the logic that is being used for any decision making by the AI system and as well as the data subject rights that are
Available with the AI system uh for example the right to object to automated decision making this is the right uh granted under the gdpr so there are already Provisions within the gdpr and within the existing data privacy laws that can be applicable to AI systems um there is a principle of
Lawful basis of processing that can also be similarly applicable to AI systems that if you’re collecting data what is the basis of your processing on uh what grounds you are collecting data and uh similarly there are principles such as data minimization storage limitation data accur accuracy in addition to that AI systems
Uh may have some increased obligation um because of the depending on the level of risk they are causing to individuals uh for example if there is a high risk to individuals um then they will have a different set of obligations under the gdpr uh there is an obligation to conduct a data
Protection impact assessment uh if the data processing is resulting in high risk to individuals um and um that that obligation can also be applied to AI systems that are causing high risk to individuals and we have seen this in many proposed and upcoming laws uh for example in EU proposed AI regulation we
Have seen that highrisk AI systems have uh higher uh uh uh obligations they have an increased transparency requirements they have increased documentation requirements and they have requirements depending on different St stages in the pre-employment stages and in the post- deployment stage so uh this is how uh the data privacy obligations they uh
They come into play at every single stage of the AI life cycle uh in the pre-employment stage and then in the deployment stage and then after the post- deployment stage as well um uh so any uh I’ve mentioned about highrisk AI systems I think any AI risk system
System that creates high risk to individuals and particularly to the health and safety or fundamental rights of individuals those AI systems have a um increased set of obligations uh for example AI systems that are associated with health uh or employment matters or human education or human accommodation and then um other AI risk
Systems AI systems that are causing a comparatively low risk will have lower set of obligations but the common data privacy obligation would still apply to all kinds of AI systems due to the fact that they are involved in personal data processing uh sure uh yeah thanks a lot
For that I think that’s that makes it quite clear in terms of how fundamental The Collection storage processing and use of data is common to U the work of uh data privacy professionals and also people who are working on AI government and uh thank you for explaining the
Details in which different stages of uh deployment of AI systems affect uh how data is used and and manipulated uh and you previously also talked about how in generative AI models uh the large language models data is being you know scraped and mined around the world and
That’s causing a lot of concerns to policy makers around the world uh so just in terms of uh the current uh AI systems and models that are being used and how are uh governments and companies around the world sort of regulating that because you mentioned about upcoming regulations
Such as the EU EU AI act and their similar counterparts uh which might be coming soon in the US uh and even in um you know places like Canada where you’re based so so I just uh want to have an idea of what is the existing system of
Uh regulating AI systems um around the world uh in major jurisdictions uh and what are the sort of the Frameworks or guidelines or standards uh that are generally being used uh in this regard yes um so as I mentioned earlier that uh lawmakers they can take two approaches
Uh one of the two approaches to regulate ai go uh systems the first approach is that um you know they can find uh Provisions within the existing data privac laws that can be applicable to AI systems and the second approach is to come up with specific laws that are
Specific to AI systems and due to the fact that there is an an emerging rise and increase in artificial technology and especially the generative AI we have seen uh a significant rise this year uh in in generative AI related systems now lawmakers have started coming with specific regulations or specific
Guidelines for AI systems uh due to the specific risk AI systems are causing to individuals so there there there are laws in place uh there are laws in place and then there are upcoming laws other than laws there are guidelines and uh standards and also there are some
Enforcement actions taken by uh various regulatory authorities if we talk about laws uh we we know that EU AI Act is proposed and it is expected uh to come into effect uh um and then we have uh Canada bill c27 and we have uh other AI regulations
That are expected to come into effect uh for example the UK uh data protection and digital information Bill uh is expected to come into effect in March 2024 um and in addition to these laws there are guidelines in place that are issued by various regulatory authorities uh the UK uh data protection authority
Ico has issued a specific guid guidelines on the use of AI uh there are guidelines issued by Singapore by China and India and there are uh voluntary standards as well uh for example nist AI risk management framework is uh is an industrywide acceptable standard now and many companies are relying on this
Standard for the risk management uh practice for AI systems um and there there have been several actions taken by uh data protection authorities in relation to AI uh we have seen in the last two years data protection authorities all around the world have been very active and they have uh taken
Actions against AI companies there there have been actions against for example uh Clear View AI or Char GPT how Italian company uh data protection authority responded and how French DPA responded or Finland DPA they they they are taking enforcement actions just the same way they they take regular data privacy
Enforcement actions and they impose uh fines or they impose uh injunctions or uh instructions for those companies that are causing AI related risk so there are a number of ways through which data prot authorities can react to AI systems uh sure um yeah that that makes
A lot of sense uh thank you um so just in terms of uh the different assessment tools uh and uh controls uh that are being used in this regard so I’m I’m guessing that in your role at security as the data privacy manager you must be dealing with organizations and
Companies which are trying to ensure compliance with exist existing U AI standards and guidelines that you have already mentioned about um so just in terms of uh AI assessments uh and controls and toolkits or anything of of that nature how important is their role in ensuring uh compliance uh with such
Standards yes um I think it is important now and companies started realizing that it is very important for them to conduct risk management uh assessments uh risk assessments for AI related systems um and uh depending on where the company is based or which jurisdiction the company
Is operating in uh it wants to comply with those standards and guidelines for example if there is a company that uh uh is subject to UK data protection laws uh it will um you know follow the Ico risk assessment toolkit that has been issued by the Ico the Uki data protection
Authority um but at the same time companies also look for industry best practices and the uh standards that can be voluntarily uh applied um when we talk about the risk management framework in relation to AI um we can we can also take it in two ways the the
AI risk can be part of any privacy assessment the normal privacy assessments that we conduct or specific AI risk assessments can also be conducted um if we can go into uh how the risk assessment uh should be conducted or what should be the steps um so in my understanding the first step of
Any AI risk assessment uh is the identification step you need to as a company or as an AI system you need to identify firstly which privacy laws apply to your AI system and uh once you have identified which privacy laws apply to the AI system you will be able to identify the
Obligations and take further steps and and identify the purpose of the AI system identify what and how personal data is uh flowing through the AI system and how it is processed by the AI system as well as identify AI actors or entities that are responsible in respective stages of the AI system so
This is the first step uh of any AI risk assessment the identification step the Second Step would be the identification of threats and vulnerabilities so once you have determined uh the purpose of your AI system now you are in a position to determine what threats and what risk
It can cause to individuals and what are the uh potential vulnerabilities that are caused by the AI system and the third step would be to uh determine the level of the risk and here uh this step is very important here you need to determine whether the risk the AI system
Is causing is high or low uh and you need to identify any privacy obligations or any legal obligations depending on the level of the risk uh as I mentioned earlier that privacy obligations vary depending on the level of the risk um high risk AI systems have a different
Set of obligations uh lower risk AI systems have different set of obligations um any AI risk system for example if it’s an AI enabled video game it may not be imposed to many uh transparency obligations or very uh strict uh legal obligations but if that video game is collecting um children’s
Data and children data is sensitive personal data then it may be subject to some increased obligations so depending on the level of the risk depending on the type of personal data you’re collecting and the depending on the threats and one abilities that is causing to individuals you need to
Determine what obligations you uh uh the AI system is subject to so once this is done now you have identified the Privacy obligations you have identified uh the purpose how the personal data is Flowing you have identified the threats and you have now identified the level of the
Risk The Next Step would be your response to the risk and that is how you control to a risk if there is low risk perhaps you would uh want to uh accept the risk if there are other entities that are involved uh in the control of
The risk then you will transfer the risk to other entities and will make sure that those entities can help you mitigate the risk so the next this step would your response to the risk would be basically to mitigate the risk and this is happening all before the deployment
Stage you are trying to mitigate and control the risk before an AI system is deployed and uh you’re Play You’re Now placing controls to do that uh and there can be various controls uh uh put in place to mitigate the risk once that is done the AI system is deployed in
Accordance with controls uh the last step would always be monitoring and uh reviewing the uh AI system uh because uh the data keeps flowing and uh the you need to keep monitoring that is the data uh processing being taking place with the same purpose for which
You collected the data or has there been a violation to the purpose limitation principle uh and um AI systems are uh Information Systems so they evolve over time and so do the risk to personal data May evolve over time and that is why uh monitor and reviewing the AI system
Would always be an essential component of an AI risk assessment so these are the common steps uh uh that are part of any AI risk assessment and if you want to go into specificity and uh let’s say if you want to say that you uh you want to accept nist AI risk management
Framework as an industry best practice then the nist AI risk management framework they have it has a different uh uh set of obligations for an AI risk assessment okay um yeah that’s that that’s really insightful uh thank you for that so just in terms of uh identifying the level of risk which uh
For me it seems like a challenging task for any organization given that the tools the AI systems and models that are being deployed are uh improving and changing day by day so the technology itself is evolving at a very rapid rate and even uh you you talk about the N
Framework and other uh you know voluntary standards that companies are using but just in terms of existing regulations which uh do not exist uh in a way which are like specifically targeted to AI systems I mean the EU a Act is being negotiated and it’s uh is facing some roadblocks as it’s being
Finalized um so that also takes a risk based approach um that the act itself and and that’s what you’re also alluding towards how companies and organizations are going about deploying and developing uh AI systems so just in terms of assessing the level of risk and then identifying what what are the key
Privacy uh data protection obligations that companies have to abide by so how do companies navigate through those uh challenges and actually uh make an adequate assessment of what the level of risk should be I’m just this is just a I’m just wondering how how how that would how that would happen yeah um
Definitely it’s a it’s a challenging task um and it will be challenging it will be more challenging for companies that are subject to multiple privacy laws or multi at the same time um and before assessing the level of risk in my understanding and in my opinion I would
Say the first step should always be to identify which laws apply to you because the level of the risk May differ depending in on applicable laws um in gdpr there’s a different definition of sensitive personal data um and there are different obligations that are associated with the data that is uh used
For um criminal convictions or for children’s data um but that may not be the case in any other law so you need to identify first of all which privacy laws apply to you and then depending on what data you are collecting uh you will have to determine what can be the risk
Associated with it uh if it is sensitive personal data the risk will obviously be higher uh if it is children’s data the risk will obviously be higher or anything uh the EU uh AI regulation uh talks about high-risk AI systems um in that definition they are saying that any
AI risk system that is causing um violation to the fundamental rights of individuals is considered a highrisk AI system um or causing a violation to the health and safety of individuals that is a highrisk AI system um so and they have given a long list of um examples that uh
Uh that you can have a look at that these are the highrisk AI systems um they have given examples but then the limited or minimal AI risk systems uh are also present that do not cause any fundamental rights to individuals that do not have um um any concerns for the
Health and safety of individuals um any air system which is also capable of um creating biases against specific groups of individuals that can also be considered a high risk AI system um that um uh because it can result in discrimination or societal biases and that goes against the uh
General uh fundamental rights of individuals so um in order to identify the level of the risk you need to identify the privacy laws that are applicable to the AI system and then the type of data that you’re collecting and the type of output that you will be generating from that data these factors
Will help you determine the level of the risk okay so it seems like from what what you have uh you know explained in detail and and what we have been talking that the key uh data privacy obligations which have existed for some time now uh with the emergence of gdpr and even uh
You know the Privacy regulation and other regulations before that so those fundamental principles whether it be data minimization purpose limitation uh they are Central to AI governance and will remain Central to AI governance in the future as well um I’m also like wondering uh you talked about how companies and organizations would have
To be wary of uh making assessments at different stages of uh you know their AI system processes whether it’s at the initial uh you know design phase and then deployment phase um which U sort of draws a parallel with Concepts like those of privacy by Design which which
Which are in gdpr where while companies uh are at as a stage of you know the entire stage of U their their systems where they have whether they’re veloping certain product or certain service they have to keep in mind what sort of privacy or data uh protection um
Implications uh any sort of U changes or decisions might have in the future um which which I’m guessing might be more challenging with AI systems because the technology is uh evolving at a very rapid pace so they might not be able to preempt uh all those challenges while designing and deploying those systems
How do you feel about that yes definitely uh and the technology is increasing with the uh passage of uh time it’s increasing very rapidly and so do the challenges um and the fact that now uh there are specific guidelines and um governments all around the world they
Are coming up with specific laws on AI that are not just focusing on the personal data processing but also uh other forms of violations that AI systems can res for example discrimination and other societal biases um so and they are going into specific regulations yes I mentioned that uh the
The there there are existing data privacy laws that have Provisions that can be applied to AI systems but now governments are also coming up with specific laws that companies should be mindful of so and companies uh will have to the AI systems uh they will have have
To uh take care of both they will have to take care of data privacy obligations that are existing that are present in the existing data privacy laws as well as any new obligation that are coming in AI specific laws and most AI specific laws would um refer to privacy laws of
Their jurisdiction that for personal data processing uh you you will have to follow those Provisions but it’s definitely a challenge for AI systems um especially uh the technology keeps changing and especially due to the fact that there are so many guidelines and standards in place now um and all of the
Regulatory bodies are suddenly into action uh the UK data production Authority is releasing its own uh UK AI risk assessment toolkit then then we have nist ai risk management framework that has different steps and it talks about mayor manage map and govern steps for AI risk assessment then we have
Singapore AI risk assessment framework Finland has issued a separate AI risk assessment framework so all of these Frameworks and standards are in place and then companies uh yes they can choose depending on which region they operate in um and depending on which privacy laws apply to them but they
Would also need to uh select from industry best practices as to which of these standards should be an industry best practice suited for their business and if that the business is global and they have offices in multiple locations uh then the challenging task would be uh
Why do they have to conduct uh multiple AI risk assessments or is there a way that they can conduct one single risk assessment that can cater to all the guidelines and all the regulations at the same time uh they they will they would want to uh look for common
Denominators uh from all these standards and guidelines and come up with a common solution solution uh for AI risk assessments so it’s it’s it’s a challenge definitely it’s a challenge for AI systems and companies yeah for sure um this is just in terms of uh you know going forward with these um new
Specific uh AI regulations that you uh mentioned as well like the EU AI act so how do you see the obligations and practices and compliance related uh obligations of organizations changing uh if at all uh with the emergence and Advent of uh these uh new regulations
Because uh it seems like that um so far uh data protection and privacy uh laws have been doing the heavy lifting in terms of trying to uh regulate um AI systems as they’re being you know deployed and you know coming you know out every day it seems um so so how
Would that um change the regulatory landscape uh and and the practices of organiz ation when we actually have uh these uh regulations in place I I know it’s it’s a bit of bit of a future prediction sort of a scenario uh but yeah how how do you see that so one
Thing is um it’s very noticeable that AI risk assessment will definitely be part of um the overall PRI assessment um the the the regular privacy assessments that companies uh perform for uh before the any process or for General data processing activity it will include the AI uh risk assessment
In itself if it involves an AI system so it will become part of the Privacy assessment um and as I mentioned earlier that at the same time there will be specific AI risk assessments as well uh because of the specific obligations that we are um you know we are we’re we’re
Imagining that AI regulations will impose there will be an increased obligation of transparency um in my understanding there will be an increased obligation uh of documentation uh under the AI regulations that uh that will come into place and um there will be an obligation of conducting the risk assessment it
Will be made part of the uh the laws uh the AI regulations and uh how uh that risk assessment should lead you to mitigate the risk um so like in addition to the basic data protection principles that are that would be applicable to AI systems I also
Think there will be an increased focus on transparency by the regulatory authorities and increased focus on documentation uh by regulatory authorities yeah for sure uh no yeah I completely agree uh so before I let you go uh um so just in terms of the people who are uh who will be and are
Responsible for uh you know you know governing AI systems and working in this area so it seems like privacy professionals have become the natural successors to uh you know people working in AI governance as it seems that a lot of existing uh you know dpos and privacy professionals and privacy solicitors and
Lawyers are sort of taking up on the challenge of U you know legal uh implications of U AI systems uh as they’re being deployed and as as they’re being used around the world so how do you see the role of professionals especially uh data privacy professionals
Uh going forward um to deal with the challenge of uh AI governance yes uh for sure um data privacy professionals they need to um they need to start learning about what is happening in AI side of the law um and um um as AI laws are coming into place because privacy professionals they
Are also uh reading through the laws and understanding laws um and uh so and AI laws um can cannot be made separate they have to be read together with data privacy laws uh so that is something data privacy professionals especially lawyers uh privacy professionals who come from a legal background for them
For sure AI governance is going to be a a very uh central point of for of learning for them uh but in addition to the Privacy professionals uh that come from a legal background we we see that there are privacy professionals uh involved in different stages for example
There are um uh developers who are involved in develop you know in a software uh that relates to data privacy and they also have to comply with data privacy laws uh I I think um now we need to uh expand uh understand the the AI life cycle over here and the different
Actors that are involved in the AI stage uh there are AI design actors uh who are responsible uh in the input phase or the design phase of the AI life cycle then there are AI Development actors uh where there there can be software developers or engineers and uh and then there are
AI deployment actors um and every single stage of the AI have different actors and different professionals and these are the same professionals that were previously involved with any uh with you know their role can also be um what we say it can be uh matched to the role of privacy professionals because these
Actors when they are in every separate stage of of the AI life cycle they have to be mindful of data privacy obligations now they will also have to be mindful of what obligations specifically do they have in relation to the AI so it is therefore important uh
To identify the actors at every stage and understand their responsibilities and uh uh I think um none of us uh you know uh uh none of us can go away without without understanding the responsibilities and relation to AI it’s very important for us for all the Professionals in every
Different stage of the software development life cycle to understand what specific responsibilities uh uh they have in relation to the AI yeah for sure no I think I couldn’t have said it better myself just in terms of the interdisciplinary nature of AI governance it requires collaboration from know legal it product design teams
And and all teams that work in organiz ization so just in uh you know just before we end this discussion so in terms of uh you know young students or you know law students it doesn’t have to be law students want to enter the field um of either data privacy or
Increasingly of AI governance which is which is an upcoming field based on your experience so far and how your journey has been U what advice if any would you have for anybody who wants to enter this field because people are inre increasingly developing an interest uh
In in this area uh and it seems like it might be one of those Industries which might not be affected by uh the jobs that are being lost due to AI you know emergence so people are you know saying I might as well regulate this uh uh this
Phenomena if uh if it’s going to affect our jobs so yeah so what is your you know do you have any well um there there can be an AI system you know that can answer questions uh from a lawyer uh um just like we have char GPD so there can
Be AI systems that may affect our jobs as well uh but right now it’s it’s giving away fake cases I mean the chat GPD gave fake cases to to a associate that didn’t end up well but yeah yeah but positive thing is that we lawyers we
Just do not read the laws uh or we just do not read the guidelines we have to interpret the guidelines and we have to read multiple documents together laws along with the guidelines along with the Court decisions and we take we have to interpret together so yes that’s a
Positive thing probably lawyers will always retain their they will have their jobs they’ll find a way yes they will find a way um one advice that I would like to uh give to people who are new to this field um is we need to stay updated on what’s Happening um regulatory bodies
They’re always in action and they are taking enforcement actions um very rapidly so we need to stay updated on what’s Happening is if there is a new law what uh Provisions have changed what action the regulatory bodies are taking um uh all around the world and uh on
What basis they are taking those actions uh because AI systems are changing and as we will notice as we will go along that AI systems are changing the technology is changing but at the same time the laws will also keep evolving uh so we need to stay updated on what’s
Happening in the Le side and uh um you you you need to stay uh updated on the new legal developments um uh on on in relation to Ai and data privacy that is um I what about certifications are they important uh what what role do they play
Yes um well I think the certifications definitely are important and it also depends on which career pathway uh you want to move for example Le if you have a legal background and uh uh you are interested in data privacy and you want uh what career pathway you are imagining
For yourself do you want to work as a council who will um you know help your own company in data privacy uh related matters then in uh or do you want to work in a product related company where you are producing products that help other companies comply with data privacy
Laws so there are two directions in this the in the path uh in data privacy field you can work as a as a counil of a company uh in the compliance department where you can help the company itself to comply with data privacy laws but then
The other pathway is where you can be associated with a company that is producing AI related software like security and there are other companies as well which produce AI related software to help other companies comply with data privacy laws um that that is uh uh not related to internal compliance
Uh but it’s uh it’s it’s like how you are facilitating your customers and your uh the uh clients comply with data privacy laws um and certifications are definitely important uh because the certifications they build your foundation on data privacy and depending on what career path you want to take uh
Uh uh you you would understand which certification would ideal for you for example if you want to uh become a privacy manager then the certification of cipm will be very important for you it sets the ground what are the stages of the Privacy uh management and uh how
You can ensure that data privacy is being managed in all throughout your company and uh uh if you want uh if you do not want to come into privacy Management Area perhaps then cipm would not be relevant for you but some other certification would be relevant for you um so certifications are important
Definitely uh uh but depending on what career pathway you want to take because even data privacy field is wide and you can have different roles in the company so depending on your role with the company the certification uh which certification will be better for you that would depend on the on your role
Within the company yeah for sure and and you don’t even have to be a lawyer if you want to enter this a lot of people who don’t work as a council uh they always don’t have a legal background I mean you can get these certifications
Even if you haven’t been to law school I I know a lot of people who work in the Privacy space uh who come from different backgrounds uh and and not a legal one so yeah so that that’s something that uh you know one should keep in mind as well
But yeah I I I I I you know completely agree with uh your you know suggestions and your advice to upcoming uh privacy and AI governance professionals um great thank you so much Mario for taking our time and you know giving us this primer on what’s happening in the AI governance
World and what’s it all about so yeah uh thanks so much for your time it was a pleasure speaking with you and that’s all for for sure and that’s all we have for this episode and yeah I’ll see you in the next one thank you