Future of Privacy Forum enters the Chat(GPT) and publishes a helpful checklist for the development of organizational generative AI policies. Key points (broken down into simple action items):

1) Use in Compliance with Existing Laws and Policies for Data Protection and Security

TO DO:
- Assess whether your internal policies account for planned and permitted use of AI; regularly update
- Subject sharing data with vendors to requirements that ensure compliance with relevant US state laws (including the "sale/share" issue).
- Ensure (through diligence, contractual provisions, and audit) that vendors support any required access and deletion requests
- Designate personnel responsible for staying abreast of regulatory and technical developments.

WHY: US regulators said they are already enforcing existing legal violations when AI is used to carry them out.

2) Employee Training

TO DO:
- Remind employees that all existing legal obligations remain; especially in regulated industries
- Provide training re: the implications and consequences of using generative AI tools in the workplace and specifically re: responsible use, risk, ethics, bias
- Advise employees to avoid inputting sensitive or confidential information into a generative AI prompt unless data is processed locally and/or subject to appropriate controls
- Establish a system (pop ups?) to regularly remind individuals of legal restrictions on profiling and automated decision-making, as well as key data protection principles
- Provide employees with the contact information for personnel that are responsible for AI and data protection

3) Disclosure

TO DO:
- Provide employees with clear guidance on (a) when and whether to use organizational accounts for generative AI tools, (b) permitted and prohibited uses of those tools in the workplace
- Provide employees with an easy-to-use system to document their use of these tools for business purposes. Such tools should enable employees to add context around any use, and provide a method to indicate how that use fits into the organization's policies
- Address whether you require or prohibit the use of organizational email accounts for particular AI services or uses.
- Communicate when and how the organization will require employees to disclose the use of AI tools for internal and/or external work product
- Update internal documentation, including employee handbooks and policies, to reflect policies regarding Generative AI use

4) Outputs of Generative AI

TO DO:
- Implement systems to remind employees of issues with generative AI and remind them to verify outputs of generative AI, including for issues regarding accuracy, timeliness, bias, or possible infringement of intellectual property rights
- Check and validate coding outputs by generative AI for security vulnerabilities.

#dataprivacy #dataprotection #AIregulation #AIgovernance #AIPrivacy #privacyFOMO https://lnkd.in/dYwgZ33i
Ensuring Compliance in Technology Training Programs
Summary
Ensuring compliance in technology training programs involves aligning educational practices with legal, ethical, and organizational standards, especially when incorporating tools like artificial intelligence (AI). This practice helps organizations maintain accountability, reduce risks, and adhere to evolving regulations while fostering a responsible use of technology.
- Monitor regulatory changes: Stay updated on laws and guidelines related to data protection, AI, and technology use to ensure training programs are always in compliance.
- Implement staff education: Regularly train employees on responsible use, ethics, and compliance requirements for technology tools, particularly emerging ones like AI.
- Document processes clearly: Develop and distribute materials outlining policies, permitted uses, and reporting practices to ensure clarity and accountability in technology use.
👏 AI friends - a great model AI use policy came from an unlikely place: my physical mailbox! See photo and text below. Principles include informed consent, transparency, accountability, and training. Importantly -- the regulator here explains that AI is "here to stay" and an important tool in serving others. Kudos to Santa Cruz County Supervisor Zach Friend for this well-written, clear, non-scary constituent communication on how the county is working with AI. Also tagging my friend Chris Kraft, who writes on AI in the public sector. #AI #LegalAI

• Data Privacy and Security: Comply with all data privacy and security standards to protect Personally Identifiable Information (PII), Protected Health Information (PHI), or any sensitive data in generative AI prompts.
• Informed Consent: Members of the public should be informed when they are interacting with an AI tool and have an "opt out" alternative to using AI tools available.
• Responsible Use: AI tools and systems shall only be used in an ethical manner.
• Continuous Learning: When County provided AI training becomes available, employees should participate to ensure appropriate use of AI, data handling, and adherence to County policies on a continuing basis.
• Avoiding Bias: AI tools can create biased outputs. When using AI tools, develop AI usage practices that minimize bias and regularly review outputs to ensure fairness and accuracy, as you do for all content.
• Decision Making: Do not use AI tools to make impactful decisions. Be conscientious about how AI tools are used to inform decision-making processes.
• Accuracy: AI tools can generate inaccurate and false information. Take time to review and verify AI-generated content to ensure quality, accuracy, and compliance with County guidelines and policies.
• Transparency: The use of AI systems should be explainable to those who use and are affected by their use.
• Accountability: Employees are solely responsible for ensuring the quality, accuracy, and regulatory compliance of all AI-generated content utilized in the scope of employment.
⏰ AI Governance – A Time for Change ⏰

Implementing and maintaining compliance with an Artificial Intelligence Management System (#AIMS) is transformative. It reshapes workflows, accountability, and decision-making, but challenges can extend beyond deployment. Sustaining compliance requires consistent employee engagement, skill development, and adaptation to evolving standards.

The #ADKAR model (Awareness, Desire, Knowledge, Ability, Reinforcement) is a proven framework for managing individual transitions. Combined with #ISO10020, which provides structured change management practices, these tools guide organizations through both building and sustaining adherence to an AIMS.

➡️ Challenges in AIMS Implementation and Compliance

🧱 Employee Resistance: Teams may distrust AI systems or resist workflow changes required for compliance.
🛑 Skill Gaps: Maintaining compliance demands ongoing proficiency in monitoring and improving AIMS operations.
⚙️ Process Overhaul: Adherence often requires rethinking workflows and embedding accountability structures.
⚖️ Accountability and Ethics: Sustained compliance requires transparency and alignment with organizational values.

These issues necessitate strategies addressing both human and operational challenges.

➡️ How ADKAR and ISO10020 Facilitate Compliance

1️⃣ Awareness: Establishing the Why
ISO10020 highlights the importance of clear communication, while ADKAR ensures individuals understand the need for change.
⚠️ Challenge: Employees may question the effort required for AIMS compliance.
🏆 Solution: Communicate how compliance is both a safeguard and a foundation for ethical AI.

2️⃣ Desire: Encouraging Engagement
Long-term compliance requires sustained commitment.
⚠️ Challenge: Employees may disengage if they see compliance as burdensome.
🏆 Solution: Highlight how compliance simplifies workflows, builds trust, and safeguards integrity. Share success stories to inspire buy-in.

3️⃣ Knowledge: Building Competency
ISO10020 emphasizes training plans, while ADKAR focuses on equipping individuals with role-specific skills.
⚠️ Challenge: Teams may lack expertise to manage compliance or respond to audits.
🏆 Solution: Offer ongoing training tailored to roles, covering regulatory updates and compliance practices.

4️⃣ Ability: Supporting Skill Application
ADKAR emphasizes practice, and ISO10020 focuses on interventions to remove barriers.
⚠️ Challenge: Teams may struggle with consistent application of compliance requirements.
🏆 Solution: Establish actionable workflows and assign compliance champions to provide guidance.

5️⃣ Reinforcement: Sustaining Compliance
Both frameworks stress the importance of monitoring and iterative improvement.
⚠️ Challenge: Without follow-up, teams may lapse in compliance adherence.
🏆 Solution: Use tools like dashboards and change matrices to track progress. Celebrate successes and refine processes based on feedback.

A-LIGN Prosci Tim Creasey #TheBusinessofCompliance Harm Ellens