AI Automation for Privacy Compliance Tasks Brings Set of Risks

Nov. 14, 2025, 10:00 AM UTC

Increased regulatory risks from a widening web of privacy obligations and tightening budgets have made using AI to automate compliance an attractive solution for both big and small companies.

When companies lack resources, they end up taking on legal risk, said Daniel Barber, co-founder and CEO at DataGrail, a data privacy management platform whose clients include DexCom Inc. and FanDuel Inc. “AI provides the capability for a business to have people that could do ten times the work of what they could do before.”

Vendors offering AI compliance tools said their products aren’t intended to take human judgment completely out of the process, but provide a way to automate simple tasks, be more efficient, and give compliance professionals resources needed to juggle a patchwork of state, federal, and international privacy regulations.

Transcend, a privacy management system whose customers include Patreon and Robinhood Markets Inc., offers tools that allow companies to automate the “more tedious tasks” of understanding the regulatory context of a product—such as researching applicable statutes and comparing them against a company’s own privacy requirements, said Ben Brook, CEO and co-founder.

Enthusiasm from companies including Meta Platforms Inc. and Amazon Inc. for supplanting or supplementing human privacy professionals with AI is part of a longstanding trend: do more with less.

“The resource allocation to privacy has not come close to matching the demands of business increasing in terms of both volume and velocity,” said Keith Enright, a partner at Gibson, Dunn & Crutcher LLP and former chief privacy officer at Google. “The key there has long been believed to be technology.”

Using AI to Scale

Brook said AI advancements, such as large language models that understand and generate human-like text, can help companies “put scale behind the human reviewer to reach further and gather more context.” Instead of a privacy professional having to be an expert on every rule and regulation, they can turn to AI to quickly fill in the blanks.

Traditional privacy automation tools require humans to manually configure and create rules to guide a system that triggers a human action, such as complying with data subject requests under the EU’s General Data Protection Regulation, which has rules for how companies collect, process, and store personal data. AI-based approaches use models that are already trained to check for compliance based on an initial prompt.

For instance, a traditional automated compliance tool can also help map an organization’s data to understand where sensitive data lies in its systems. These systems provide humans with information to understand where risk exists and if, for instance, a privacy impact assessment is required.

AI-powered solutions like DataGrail identify the highest-priority risks and automatically generate a privacy impact assessment, based on the organization’s compliance obligations, that a human then approves. The benefit to businesses is a much faster turnaround on getting products that comply with regulations to market.

Barber said DataGrail hopes to release a new agentic tool this year that will go a step further by detecting risks and generating solutions without a prompt. But even that tool won’t completely eliminate the work of compliance professionals, he said.

“You still need a human to have oversight into how decisions are made, especially when they relate to legal decisions,” said Barber.

Managing Risks

Without human oversight, companies subject themselves to additional legal risk, said Stacey Brandenburg, shareholder at ZwillGen PLLC.

“Having a human in the loop to filter and understand what the AI is identifying is really important,” she said. “Otherwise, there is a risk of incorrect or incomplete conclusions.”

That includes hallucinations, a phenomenon in which an LLM generates false information, said Enright.

“You need to be sure you have controls in place to mitigate the risks that the tools are creating,” he said.

Those risks can become even more significant when a company is under legal and regulatory scrutiny.

Meta cited a shift to AI last month when it cut members of a compliance team developed to uphold a $5 billion settlement with the Federal Trade Commission in 2019. In that settlement, Meta submitted to new restrictions, including restructuring its privacy program, after the agency alleged it misled users about how it handled personal data and allowed third-party apps to also misuse user data.

Meta declined to specify how many employees were laid off or how many people remain dedicated to privacy compliance.

“We routinely make organizational changes and are restructuring our team to reflect the maturity of our program and innovate faster while maintaining high compliance standards,” Dina El-Kassaby Luce, a spokesperson for Meta, said in an email.

There’s not much precedent for how regulators view the use of automated tools by companies who are subject to a consent decree. But “the compliance obligations are likely going to fall on the companies,” not on vendors selling compliance tools, said Brandenburg.

Brook, Transcend’s co-founder, said his company works with several clients who are subject to a consent decree. In those cases, Transcend programs its tools based on their clients’ internal compliance guidelines.

The level of AI available to companies like Meta may not be attainable to companies with smaller budgets. Still, Brook said, no AI is better than bad AI.

“A well-built AI system can match or even outperform humans in privacy reviews,” said Brook. “But a poorly built AI system will just produce garbage.”

To contact the reporter on this story: Tonya Riley in Washington at triley@bloombergindustry.com

To contact the editors responsible for this story: Catalina Camia at ccamia@bloombergindustry.com; Jeff Harrington at jharrington@bloombergindustry.com
