SECURITY


DATA PROTECTION: COMPLIANCE FRAMEWORKS AND AI


Ensuring robust data protection is integral when it comes to the use of artificial intelligence, says Guy Cartwright, Managing Associate at Stevens & Bolton LLP.


The facilities management sector can benefit from artificial intelligence (AI). For example, AI systems may be able to identify and prioritise maintenance needs quickly and more cost-effectively, with little or no human involvement. Further, systems commonly used in the facilities management sector, like CCTV, may be enhanced with advanced technologies, including biometric identification and AI.


However, using AI involves significant data protection considerations when processing personal data, and facilities management businesses must ensure they follow robust compliance frameworks.


Data protection laws and the risks of failing to comply


Failure to comply with data protection laws can have significant consequences, including large fines (up to £17.5m or 4% of annual global turnover, whichever is higher), damage to reputation, and regulatory action.


These risks may be increased with the use of new and evolving technologies processing personal data.


Personal data breaches


All personal data is at risk of a breach, and failing to implement proper compliance measures heightens these risks and the potential consequences of a breach.


Facilities management businesses may increasingly handle sensitive personal data, which the UK GDPR classifies as ‘special category data’ or ‘sensitive data.’ This includes information such as an individual’s race, ethnic origin, or religious beliefs, to name only a few. The use of new technologies such as AI may mean that personal data is processed in new ways. It is important that facilities management businesses are aware of this and take appropriate steps to ensure compliance, to prevent personal data breaches and the risk of regulatory action.


There are several potential causes of data breaches in the facilities management sector. Human error is a leading cause, closely followed by cyber-attacks (which are becoming increasingly common). Other, less common causes are malware and theft.


Compliance frameworks are key


Data protection laws impose stringent requirements on businesses to ensure compliance. Key steps include:


Automated processing and profiling: AI systems are likely to constitute automated processing under data protection laws. Specific rules apply in this area, including in the case of profiling (automated processing of personal data to evaluate certain things about an individual). Data protection laws impose additional rules in this area.


Clear and transparent privacy notices: Article 13 of the UK GDPR mandates that businesses provide detailed information when collecting personal data, including its use and retention period. Special transparency and other requirements apply to automated processing of personal data such as AI systems.


Data Protection Impact Assessments (DPIAs): A DPIA is a procedure designed to identify and mitigate the data protection risks associated with a project. It is mandatory to conduct a DPIA for processing activities that are likely to pose a high risk to individuals, including certain specified types of processing. It should outline the scope and purpose of the processing, evaluate its necessity, identify risks to individuals, and propose any mitigation measures.


Record of data breaches: Maintaining a log of data breaches and remediation steps, which can be requested by the Information Commissioner’s Office (ICO) during an audit.


Record of Processing Activity (ROPA): This mandatory record details all processing activities and can be audited by the ICO.


Appointing key officers: Designating a data protection officer (if required) and/or a chief information security officer (CISO) to oversee compliance and manage data breaches.


Robust contracts: Ensuring contracts, such as Article 28 data processing agreements, comply with data protection laws when third-party processors handle personal data for the business.


Policies and procedures: Implementing comprehensive policies and procedures outlining compliance approaches and staff protocols, especially for data breaches.


Artificial intelligence


Data protection has become even more crucial with the rapid development of AI. As AI becomes more integrated, reliance on digital systems increases, bringing a level of complexity that traditional IT systems may not have.


While there is currently no specific UK legislation regulating AI, the UK recently signed the Council of Europe treaty, committing to collective action to safeguard the public from AI-related threats to human rights, democracy, and the rule of law.


www.stevens-bolton.com twitter.com/TomorrowsFM

