What rights are you giving AI suppliers to use your data?
Your data and your AI supplier 🔍
When selecting an AI supplier, you must understand what rights they will have over your data and your clients’ data. Ensure that data is used appropriately and that supplier use aligns with both your firm's policies and clients’ expectations.
Here are key points to consider:
1. Vendor's Data Usage Policy: Ask for and review the supplier's data usage policy. Check that the policy is transparent and aligns with your own data governance standards.
2. Scope of Data Use: Determine the scope of data use granted to the supplier. Some suppliers may use your data to improve their AI models, develop new features, or for other business purposes. Ensure that the scope is limited to what is acceptable for you and aligns with the express permissions you have from clients or other third-party owners of data.
3. Data Anonymisation: Assess whether the supplier anonymises or normalises your data before using it for any purpose. Anonymisation helps protect client confidentiality and reduces the risk of data breaches, but is not always failsafe. Look at the combination of protections in the AI solution.
4. Third-Party Sharing: Check whether the supplier is asking for the right to share your data with third parties. If so, evaluate the conditions under which data sharing occurs and the safeguards in place to protect your data. Bear in mind you may not have permission to allow them to share client data – including data that is derived from the original client data.
5. Consent and Control: Retain control over how your data is used. Provide that the supplier must obtain explicit consent for any use beyond the primary purpose of the service. Make sure you have the ability to revoke consent.
6. Audit and Monitoring: Check whether the supplier allows for regular audits and monitoring of their data use practices. Look for practices that comply with regulations and agreed-upon terms.
7. Data Retention and Deletion: Review the supplier's data retention and deletion policies. Ensure that they have a clear process for securely transferring and deleting your data when it is no longer needed or upon termination of the contract. Make sure this matches regulatory requirements.
8. Compliance with Data Protection Laws: Ensure that the supplier's data use practices comply with relevant data protection laws.
Understanding supplier use rights over your data is vital for protecting your firm's and clients’ interests and ensuring that your data is used responsibly and ethically.