Over the last few years of presenting, workshopping and consulting on AI, we have frequently been asked the same questions. We thought we’d help you find answers by publishing trustworthy FAQs and answers to make them accessible. We’ve categorised them to make them easier to find. If you don’t find answers to your questions, please join our trustworthy AI programme or seek our legal advice.
These are some of the things to keep in mind when deciding which AI system is best suited to you. You should;
- choose AI that aligns with your strategic objectives,
- determine your risk appetite (what are the risks involved and how are those risks mitigated);
- consider whether it would be worth getting some kind of cyber insurance that would cover some of the financial harms that could arise from the use of AI systems; and
- look at whether there are any humans in the loop.
AI processes large volumes of data which can include personal data. Because your AI systems processes personal data, data privacy laws will apply. Our Trustworthy AI Programme includes a step-by-step guide to ensure your business manages the data protection and privacy risks of implementing AI systems. These steps include working out if your automated decision involves special personal data and whether it is utilised lawfully, adapting your incident response procedures to deal with AI risks and negotiating data processing agreements for AI projects.
Your most important aspect of ensuring ethical and non-discriminatory outputs is to raise awareness about the potential of discriminatory outputs generated by AI. One way to achieve this is to have a human in the loop who is able to check the outputs generated by the AI system.You should also foster a culture of transparency and accountability to build stakeholder trust in AI implementations.
Where do I start when implementing good corporate governance for developing and using AI internally?
Organisations must establish a comprehensive plan, clearly defining roles, responsibilities and actions. The first step would be to complete an AI impact assessment. Once you have a good understanding of how AI impacts your organisation, you can put policies and measures in place to mitigate against any risk identified in your impact assessment.
This planning process will also include tasks such as discovery (including research and asking questions), workshops, documentation, and establishing proper governance frameworks by identifying key role players. Our Trustworthy AI Programme provides a blueprint for your AI journey, guiding you through the intricacies of AI to empower you to make informed decisions.
You can start by completing an AI readiness assessment, identifying areas where you may want to use AI and what you want it to do.
AI comes in many forms and can perform many functions from automation to data analytics. Implementing AI into your workflow processes can enhance efficiency, provide better insights into how your organisation works and improve decision-making offering a range of ways to contribute to the effective operation of your business.
South Africa doesn’t have any AI-specific laws in place. We recommend relying on existing legislation such as POPIA and the principles of the Constitution in the development and deployment of AI. South Africa is not unique in not having AI-specific legislation.
We anticipate that there will be significant regulatory developments once the EU AI Act is passed and comes into effect. The EU AI Act will automatically apply to all member states. This will see member states take action to enforce the EU AI Act over the next two years as the Act comes into full effect.
This will impact how organisations in different regions operate and engage with one another. The common threads in global AI regulation are ethical usage and bias mitigation, privacy and data protection, and safety and reliability.
To guarantee the ethical and responsible utilisation of AI throughout its lifecycle, your organisation must establish a lawful basis for each stage of the project. Involve legal and risk teams in the project from its outset. Active monitoring is also vital after deploying the system. The organisation must consistently ensure that the model complies with applicable law and continues to address the original problem it was designed for.
We’ve considered hundreds of versions of the AI lifecycle and captured seven essential stages that ring consistently across those versions. Our version of the AI lifecycle includes:
- Identifying the problem
- Planning and development
- Managing data
- Building and interpretation
- Deployment
- Operation and monitoring
- Retirement
The AI lifecycle describes the journey of an AI system from conception to deployment and beyond. There are various versions of the AI lifecycle available. Ultimately, the version you choose for your organisation will depend on factors such as organisation goals and objectives, resource availability and the complexity of the AI project. Understanding the lifecycle of an AI project is important for gaining invaluable insights into how to ensure your use of AI systems is effective, trustworthy, ethical and compliant with prevailing standards and regulations.
While the Information Regulator (IR)’s plan is to keep an eye on international developments regarding AI regulation, AI is not an immediate priority for the Information Regulator right now. Their current focus lies on amending existing legislation like POPI and PAIA. Cybersecurity takes the top spot on their priority list due to the surge in data breaches and its significant impact on various industries. The IR is actively developing guidance for organisations on data breach notification procedures and available remedies. Additionally, they are exploring the practicalities of penalising cybercrimes and foresee upcoming legislative updates in this area. In essence, the IR prioritises adapting existing laws and addressing pressing concerns like cybersecurity before delving into complex issues like AI regulation.
There are several issues that the information regulator is aiming to address this year. Still, the two key priorities are addressing concerns around AI and automated decisions and regulating cross-border transfers of personal information.
- AI and automated decision-making: international data protection agencies are worried about large language models used in AI that process vast amounts of personal and general data. South Africa’s current legislation lacks provisions for situations where automated decisions are made without human oversight. The information regulator monitors proposed international legislation on AI regulation but hasn’t formed its own opinion yet.
- Regulating cross-border transfers of personal information: The information regulator prefers a model similar to the EU’s GDPR, which uses adequacy determinations to assess data protection levels in other countries. The GDPR framework doesn’t offer the information regulator enough power to make these adequacy findings. The information regulator is developing a guidance note for entities doing cross-border transfers, including recommending appropriate measures based on existing laws.