Technological developments have changed the face of commerce. Businesses large and small are rapidly taking advantage of new software and other technologies as they evolve. There is a natural desire to use technology to streamline operations, use staff more efficiently, and target customers more cost-effectively. But caution should also be exercised, especially when technology like this is used to collect personal information relating to employees, existing customers or potential customers.
Wherever you are, it is likely that some form of data protection legislation will apply to the way you run your business. In the Bahamas there is the Data Protection Act of 2003. In the United States, a series of state and federal data protection laws also confer strict rights on individuals and impose important obligations on businesses to comply with data protection law. In Europe, the General Data Protection Regulation (GDPR) significantly strengthens the rights of individuals to control how companies use their personal information. The post-Brexit UK has adopted most of the provisions of the GDPR, but UK data protection laws are expected to diverge from those of the EU over time.
At ParrisWhittaker in the Bahamas, our award-winning lawyers advise on data protection law and assist businesses of all sizes with all related compliance issues.
Here we look at how your business may be subject to international data protection laws, and at some of the ways the technology you use in your business may pose data protection risks.
How Global Data Protection Policies Can Affect Your Business
Why should these US and EU laws affect businesses in the Bahamas? There are three reasons:
- Here in the Bahamas, the Data Protection Act of 2003 (the “DPA”) gives individuals the right to access data, the right to delete data, and the right to correct or rectify inaccurate records. Strictly speaking, the DPA is not as comprehensive as the GDPR, but the GDPR is increasingly seen as the benchmark for best practice in the Bahamas and elsewhere.
- Businesses in the Bahamas and elsewhere may be subject to GDPR, UK data protection law, or US law if that business processes or controls the personal data of EU, US or UK citizens.
- If you are found to have breached data protection law, your business could suffer serious reputational damage. Customers will find it difficult to trust an organization that does not respect personal information.
Your business could also face heavy financial penalties from data commissioners. Under the GDPR, for example, a company can be fined up to $20 million or 4% of global revenue (whichever is greater).
Artificial intelligence and data protection
Some of the most commercially beneficial technologies of recent years could also be the riskiest in terms of potential data breaches. You may not know this, but if you’re engaged in any type of customer-facing business, chances are you’re using some form of artificial intelligence (AI).
So what are we talking about when we talk about AI? AI applications include:
- Spam filters
- Electronic assistants like Alexa and Siri
- Chatbots and online customer support
- Sales forecasting tools
- Automated email responses
- Facial and voice recognition technology
- Online shopping tools, including fraud prevention tools
- Online targeted advertising
Machine learning (ML) that allows software applications to predict customer responses is also becoming more widespread and sophisticated.
All of these tools present huge opportunities to run your business more efficiently. But at the same time, you should be aware of the threats posed by AI to data security.
AI and the Data Protection Act
The EU has made it clear that AI should only be used in a GDPR-compliant manner. Businesses using AI must put the interests of individuals ahead of any benefits potentially derived from AI. For companies outside of Europe, including those based in the Bahamas, this is important. The GDPR is increasingly seen as important, even if not binding, and it is possible that other jurisdictions will follow the lead of the EU when it comes to regulating the use of AI in a data protection context.
From our perspective, this means that companies need to be aware of key data protection principles. When introducing any new type of software or technology, you should consider whether the information collected by the software will be obtained in a manner that complies with accepted data protection principles. Two issues that immediately come to mind are:
- Do you use personal data for a specific purpose? (data minimization and purpose limitation). AI can collect data in aggregate, which means it can be difficult to demonstrate to a regulator that you acquired personal data for a specific reason.
- How long will you keep the data collected by the AI? To increase its predictive qualities, the AI will seek to retain data for long periods of time. We believe this could conflict with the data protection principle of strict data retention periods, after which data must be deleted from your systems.
It is therefore important to implement effective data protection procedures in your company. These should include comprehensive data protection policies and staff training to minimize the possibility of new or unfamiliar technology leading to what could be a commercially catastrophic data breach.