TheCorporateCounsel.net

Artificial intelligence tools are becoming a key part of growth strategies for companies across a wide range of industries. In turn, keeping pace with developments in AI and the issues they create has become a top priority for legislators and regulators, including the SEC.  The growing importance of AI and the risks associated with it means that it can be added to the list of critical data governance issues that corporate boards must effectively address. This Freshfields blog provides some thoughts on what boards need to know about AI and other data governance topics in order to satisfy their oversight responsibilities.

The blog reviews the rapidly evolving regulatory environment for AI, cybersecurity and data privacy, as well as the growing risks of privacy litigation. It advises boards to engage with management in order to understand how the company assesses and manages the risks associated with data collection, use and storage and to set expectations for levels of acceptable risk. The board should also be involved in budgeting for risk mitigation efforts and monitor the progress of those efforts. The blog says that the board should also set “red flag” rules ensuring that management informs it when certain risks are elevated. This excerpt highlights some of the key questions boards should ask concerning their oversight of data-related governance:

– Does the company have a framework for measuring risks related to data, understanding controls and mitigations for those risks, and accepting residual risks?

– Does management keep the board informed regarding critical risks, including risks related to its most important “crown jewel” data, ongoing regulatory risks, and potential reputation impact of its data practices?

– Does the board understand the company’s data strategy and how data is used in its key products?

– Is data central enough to the company’s mission and success that a board committee should be assigned oversight of data governance? Has a cadence of regular reporting to the committee and the board been established? Have committee charters been updated or revised to conform to this allocation of responsibilities?

The blog identifies several other areas of inquiry for the board, including the frequency with which the board discusses existing, new and emerging data-related risks and the level and amount of information required to permit the board to fulfill its oversight responsibilities.

– John Jenkins