
Privacy rights have become an expensive risk around the world. From Meta to H&M, numerous companies have faced fines from regulators worldwide. Often, these fines stem from mishandling customer data in the ordinary course of business.
Yet, many companies utilize customer and customer-generated data to train AI models. With the hype around AI unlikely to ebb soon, we should expect the first AI-driven incidents and associated fines to appear quickly.
Consequently, data privacy and protection must be part of a working AI Strategy. The AI Strategy, in turn, must be part of a more comprehensive corporate strategy and considered in enterprise risk management.
Let us look at regulatory hurdles, customer sentiment, and evolving technologies and how to apply them to risk management and strategic initiatives.
My Data – Customer Sentiment in AI
Regarding customer sentiment about AI, nothing can be a better example than the recent discussion around Zoom’s Terms & Conditions. Zoom tried to change its Terms and the associated privacy policy to allow itself to train AI with customers’ video meetings. Initially, customers took very little notice. After all, we ignore the popups about changed terms all the time. However, some people discovered the broad implications, and social media helped broadcast the problem. Thus, Zoom had to backpedal.
Yet, it shows companies cannot ignore customer sentiment regarding privacy policies. The fact that AI and the data needed to train AI models are at the forefront of our collective minds worsens this factor. So do the lawsuits by famous authors.
Models and Regulations
Data protection regulations are another hurdle for AI. They are AI companies’ most significant financial risk, especially considering recent worldwide fines.
Europe’s GDPR, for example, allows the EU’s Data Privacy Agencies to levy significant fines against companies that misappropriate their data. The same law enables consumers to request the deletion of all their data.
Yet, in many cases, removing data from an AI model isn’t as easy as it sounds. Often, it isn’t even possible to delete the data without retraining the complete model.
Consequently, AI companies have to carefully monitor the source of their data and the actual usage.
Evolving technology
Lastly, evolving technologies can represent a significant data privacy risk. For example, most current services don’t utilize AI with long-term conversational memory. However, as humans, we expect our conversation partners to have the ability to take a break and continue the conversation at another date. Thus, the evolving technologies might bring us to the point where we layer AI models on top of each other.
Yet a layered model and long-term memory bring their own challenges. Deanonymization through the output of an AI or exposure of customers through cybersecurity incidents becomes significantly more likely if the training data size decreases or the number of identifiable objects increases. Thus, a child model trained on the history of a single customer needs significantly more care than a base Large Language model.
Risk Management: Technical Solutions
A technical solution might come to mind first because technical risks are prevalent in all risk categories. When analyzing these, boards should ensure that management explains them in an understandable way to the risk committee and the whole board.
Three technical solutions to consider are the following. Data anonymization is the removal of identifiable attributes. Data abstraction replaces concrete data, such as an income, with more abstract representations, such as an income band. Reduction of collection means selecting more carefully which data is collected in the first place. After all, you can’t lose data you don’t have.
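The three measures above, applied to customer records before they reach a training set, as an added example that is not code from the original article. Field names, band limits and the sample records are constructed assumptions; the group-size check goes one step beyond the text to address the deanonymization risk of small, identifiable groups raised earlier.

```python
from collections import Counter

# Hypothetical schema: field names and band limits are assumptions for this example.
DIRECT_IDENTIFIERS = {"name", "email", "customer_id"}
ALLOWED_FIELDS = {"age", "income", "region", "plan"}  # reduction of collection
QUASI_IDENTIFIERS = ("age_band", "income_band", "region")
INCOME_BANDS = [(30_000, "<30k"), (60_000, "30k-60k"), (100_000, "60k-100k")]

def income_band(income):
    """Data abstraction: replace a concrete income with a band."""
    for upper, label in INCOME_BANDS:
        if income < upper:
            return label
    return "100k+"

def prepare_record(raw):
    """Return a training-ready copy of one raw customer record."""
    # Keep only allow-listed fields; the identifier check is a second safeguard.
    kept = {k: v for k, v in raw.items()
            if k in ALLOWED_FIELDS and k not in DIRECT_IDENTIFIERS}
    decade = kept.pop("age") // 10 * 10
    kept["age_band"] = f"{decade}-{decade + 9}"
    kept["income_band"] = income_band(kept.pop("income"))
    return kept

def split_by_group_size(records, k):
    """Separate records whose quasi-identifier combination occurs fewer than k times."""
    def key(r):
        return tuple(r[q] for q in QUASI_IDENTIFIERS)
    counts = Counter(key(r) for r in records)
    safe = [r for r in records if counts[key(r)] >= k]
    rare = [r for r in records if counts[key(r)] < k]
    return safe, rare

# Constructed sample data, not real customers.
RAW = [
    {"customer_id": 1, "name": "A. Example", "email": "a@example.com",
     "age": 34, "income": 52_000, "region": "North", "plan": "pro", "phone": "555-0100"},
    {"customer_id": 2, "name": "B. Example", "email": "b@example.com",
     "age": 38, "income": 41_500, "region": "North", "plan": "basic", "phone": "555-0101"},
    {"customer_id": 3, "name": "C. Example", "email": "c@example.com",
     "age": 71, "income": 250_000, "region": "South", "plan": "pro", "phone": "555-0102"},
]

if __name__ == "__main__":
    prepared = [prepare_record(r) for r in RAW]
    safe, rare = split_by_group_size(prepared, k=2)
    print("usable for training:", safe)
    print("needs suppression or coarser bands:", rare)
```

The third record stays unique even after banding, which is the case where coarser bands or suppression are needed before the data is used.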

Risk Management: Open about T&C
With customers’ awareness, open communication about the Terms and Conditions is critical. That doesn’t mean merely stating that a change has occurred, but explaining what it entails. As such, an FAQ or explanatory statement, besides the legally relevant T&C, can be an excellent strategy to alleviate customer fears.
Likewise, analyzing international compliance and customer sentiments should be the norm for globally acting companies. Given the current hype, it might be necessary even for companies unsure about their expansion plans.
Risk Management: Plan Communication Strategies
As with most emerging technologies, the question companies face is not whether a problem will occur but when it will happen. Consequently, organizations should have their AI communication strategies in place. Being prepared avoids having to draft ad hoc statements and improvise communication paths. AI shouldn’t be different from any other corporate risk area.
Data Privacy – Strategic Opportunity
While Data Privacy represents a significant risk to companies, it likewise can be an opportunity to differentiate in a crowded field. Being open about it and ensuring people understand how companies utilize data is critical to making it a feature instead of a catastrophe. As in many cases, an ounce of preparation is worth a pound of cure.

