
March 17 2022

Could Business Software lead to Data Protection Breaches?


Technological developments have changed the face of commerce. Businesses large and small are quick to harness new software and other technology as it evolves. There’s a natural desire to use technology to streamline operations, use personnel more efficiently and target customers more profitably. But there’s also a need for caution – particularly when technology like this is used to harvest personal information relating to employees, existing customers or potential clients.

Wherever you’re located it’s likely that some form of data protection legislation will apply to how you run your business. In the Bahamas there’s the 2003 Data Protection Act. In the US a raft of data protection laws at the state and federal level similarly confers strict rights on individuals and imposes significant obligations on businesses to comply with data protection law. In Europe the General Data Protection Regulation (GDPR) significantly strengthens the rights of individuals to oversee how companies use their personal information. The UK post-Brexit has adopted most of the provisions of GDPR but Britain’s data protection laws are expected to diverge from the EU with the passage of time.

At ParrisWhittaker in the Bahamas our award-winning lawyers advise on data protection law and assist businesses of all sizes with all related compliance issues.

Here we look at how you may be subject to international data protection laws, and at some of the ways the technology you use in the course of your business may present data protection risks.

How Global Data Protection Policies may affect your business

Why should these US and European laws concern businesses in the Bahamas? There are three reasons:

  • Here in the Bahamas the Data Protection Act, 2003 (the ‘DPA’) gives individuals the right to access data, the right to delete data and the right to correct or rectify inaccurate records. Strictly speaking the DPA is not as comprehensive as GDPR, but GDPR is increasingly seen as the benchmark for good practice in the Bahamas and elsewhere.
  • Businesses in the Bahamas and elsewhere may be caught by GDPR, UK data protection law or US law if that business processes or controls the personal data of individuals in Europe, the UK or the US, for example by selling to them online or monitoring their behaviour.
  • If you are found to have breached data protection law your business is likely to suffer severe reputational damage. Customers will find it hard to trust an organisation that doesn’t respect personal information.

Your business could also face heavy financial penalties imposed by data protection regulators. Under GDPR, for example, a business can be fined up to €20 million or 4% of global annual turnover (whichever is greater).

Artificial Intelligence and Data Protection

Some of the most commercially beneficial technological advances of recent years could also be the riskiest in terms of potential data breaches. You may not know it, but if you’re engaged in any kind of customer-facing business it’s highly likely that you’re already using some form of Artificial Intelligence (AI).

So what do we mean when we talk about AI? AI applications include:

  • Spam filters
  • Electronic assistants like Alexa and Siri
  • Chatbots and online customer support
  • Sales forecasting tools
  • Automated email responses
  • Facial and voice recognition technology
  • Online purchasing tools, including fraud prevention tools
  • Online targeted advertising

Machine Learning (ML) that enables software apps to predict customer responses is also becoming more pervasive and sophisticated.

All of these tools present enormous opportunities to run your business more effectively. But at the same time you need to be aware of the threats posed by AI to data security.

AI and Data Protection Law

The EU has made clear that AI should only be used in a way that’s consistent with GDPR. Businesses using AI must put the interests of individuals before any benefits potentially derived from AI. For businesses outside Europe, including those based in the Bahamas, this is important. GDPR is increasingly treated as important, if non-binding, guidance, and it’s possible that other jurisdictions will follow the EU’s lead when it comes to regulating the use of AI in a data protection context.

From our perspective this means businesses should be aware of the key data protection principles. When introducing any new kind of software or technology you should consider whether the information gathered by the software will be obtained in a manner consistent with recognised data protection principles. Two issues that spring to mind immediately are:

Are you using personal data for a specified purpose? (Data minimisation and purpose limitation.) AI tools tend to gather data in a wholesale way, which means it may be difficult to demonstrate to a regulator that you acquired each item of personal data for a specified reason and collected no more than that purpose required.

How long will you hold onto AI-harvested data? (Storage limitation.) To improve its predictive qualities, an AI system benefits from retaining as much historical data as possible for as long as possible. We think this pulls against the data protection principle of fixed retention periods, after which personal data must be removed from your systems.

So it’s important to implement effective data protection procedures in your business. These should include comprehensive data protection policies and staff training to minimise the possibility that new or unfamiliar technology will lead to what could be a commercially catastrophic data breach.

Contact Us

For advice on the risks posed to the personal data that you hold by your use of technology and AI, please schedule a meeting with a lawyer at ParrisWhittaker today.
