As artificial intelligence (AI) capabilities rapidly advance, organizations are increasingly leveraging AI solutions from third-party vendors to drive innovation and operational efficiencies. However, the process of handing over proprietary data to these vendors can raise significant intellectual property (IP) and data privacy concerns – concerns that have been magnified by recent revelations about potential misuse of customer data by major technology companies.
Slack's controversial privacy policy change last year, which granted the company permission to use customer data to train its AI models without explicit consent, serves as a cautionary tale. This unilateral decision sparked widespread backlash and accusations of unauthorized exploitation of proprietary information, underscoring the risks organizations face when entrusting sensitive data to third parties.
It is crucial for procurement teams to diligently assess potential AI vendors, both during the initial procurement stage and throughout the service term, to ensure proper safeguards are in place to protect their organization's valuable data assets. The risks are substantial, as AI vendors are continuously updating their privacy policies, often prioritizing the development of new AI features and products at the expense of customer data protection.
This dynamic landscape necessitates a proactive approach from organizations to draft robust contract terms that explicitly address IP ownership, usage permissions, confidentiality obligations, dispute resolution processes, and provisions for attribution and recognition. Failure to address these critical issues can result in unintended data misuse, IP infringement, regulatory non-compliance, and a loss of competitive advantage. Consequently, it is imperative for procurement teams to ask the right questions and negotiate comprehensive agreements that safeguard their organization's interests while still enabling the benefits of AI-driven innovation.
This article outlines five key categories of questions that organizations should raise with prospective and current AI vendors to protect their IP, ensure compliance with data privacy laws, and maintain control over their proprietary data assets.
1. Investigate Data Access Protocols
Buyers should inquire with their AI vendor about data access to ensure the protection and integrity of their sensitive information. Understanding who within the vendor's organization will have access to their data, how access is monitored and controlled, and what measures are in place to detect and prevent unauthorized access is crucial for maintaining data security. Additionally, by clarifying procedures for addressing suspected unauthorized access and ensuring that access permissions are regularly reviewed and updated, buyers can mitigate risks and ensure compliance with regulatory requirements.
Here are some key questions:
- Who within your organization will have access to my data?
  - Can you provide a list of roles, including subcontractors, who will have access to my data?
- How is access to my data monitored and logged?
  - Do you maintain audit logs of who accesses my data and when?
  - How often are these logs reviewed, and can I request access to these logs?
- What measures are in place to detect and prevent unauthorized access?
  - Do you use intrusion detection systems, firewalls, or other security measures?
- What happens if there is suspected unauthorized access?
  - What steps will you take if there is suspected unauthorized access to my data?
  - How will you notify me of such an incident?
- How do you ensure that access permissions are up to date?
  - How often are access permissions reviewed and updated?
  - What is the process for revoking access when an employee leaves or no longer needs access?
2. Scrutinize Data Sharing Practices
In addition to assessing how your data is accessed within your AI vendor's organization, it's important to consider who your vendor is sharing your data with externally. When your raw or enriched data is shared with third parties, there's a risk that the vendor or these parties could assert rights over your data. Moreover, there are heightened concerns about data breaches since the potential attack surface has expanded with data sharing.
Here are some key questions about data sharing that you should ask your AI vendor:
- Which external parties will have access to my data?
  - Can you provide details about the entities that can access my data, including the enriched data generated from my raw input?
- What safeguards are in place to protect my intellectual property during sharing?
  - What mechanisms are implemented to ensure that confidentiality and my intellectual property are preserved?
- How are data ownership rights determined and managed during sharing?
  - What agreements are in place to ensure that my company retains ownership of its data and any derived insights?
- What happens in the event of a data breach involving external parties?
  - What steps will be taken if a third party experiences a data breach involving my data?
3. Clarify Data Use and Ownership Rights
While engaging with an AI vendor, there's a risk that the vendor could gain access to sensitive data that serves as your trade secret and exploit it for their competitive advantage or disclose it to unauthorized parties. Additionally, it is crucial to consider the ownership rights to new algorithms or models developed by the AI system using your provided data.
Here are some key questions that you must ask your AI vendors to safeguard your intellectual property:
- How will my data be used?
  - Can you provide detailed use cases and examples of how my data will be processed and utilized?
- Will my data be used to improve your AI models or services?
  - If so, how will my data contribute to model training, validation, or other enhancements?
- Is my data used exclusively for my purposes, or is it combined with data from other clients?
  - How do you ensure my data remains distinct and confidential if combined?
- How can I monitor or audit the use of my data?
  - Are there tools or reports available to track how my data is being used?
  - What mechanisms are in place to inform me about changes in data usage policies?
- What are the data ownership criteria for the AI system?
  - How can I obtain and maintain control over the processed and enriched data produced by your AI models using my raw input data?
4. Assess Data Sensitivity and Compliance
If the raw input data that you are providing to the AI vendor contains any biographical or sensitive information (e.g., license number, social security number, financial data, health data), you must inquire about the vendor's compliance with data protection laws. You must also review the safeguards your AI vendor has built against misuse of your sensitive data.
Here are some key questions:
- How do you protect the sensitive data?
  - If the data used or generated by the AI system contains sensitive information, what measures do you take to ensure that sensitive data is adequately protected?
- How do you ensure that my data is segregated and isolated from other customers' data?
  - What specific measures and controls are implemented to prevent data commingling?
- Are you compliant with the data protection laws or industry-specific regulations relevant to my company's operations?
  - Can you provide documentation or certifications demonstrating compliance with applicable laws?
  - Can you demonstrate adherence to industry best practices, trade organization consensus guidelines, and other soft-law norm-setting mechanisms?
- Have you established the governing law of data in cases of cross-border data flows?
  - If my company operates internationally, how do you ensure compliance with data transfer regulations when processing or storing data in different jurisdictions?
- How do you handle a data breach?
  - What is your protocol for detecting, reporting, and responding to data breaches involving my company's data?
5. Evaluate Data Storage, Deletion, and Transfer Measures
Understanding where and how your data is stored, the security measures in place, and the protocols for data transfer and deletion helps ensure that your proprietary data is safeguarded against unauthorized access and breaches. Additionally, you should check if the vendor is compliant with relevant data laws.
To review the AI vendor's data management practices for these concerns, you may ask the following key questions:
- How is my data stored and protected?
  - Where will my data be stored (e.g., specific data centers, geographic locations)?
  - What security measures are in place to protect my data at rest (e.g., encryption, access controls)?
- How do you handle data transfers?
  - How is my data secured during transfer (e.g., encryption in transit, secure transfer protocols)?
  - Are there any third parties involved in the data transfer process, and how are they vetted?
- What are your data retention policies?
  - How long do you retain my data?
  - How can I specify different retention periods for different types of data or use cases?
- What procedures do you have for data deletion?
  - When is the data deleted? Is it deleted after a set date or at the end of our service agreement?
  - Can you provide certification or proof of data deletion, and what methods are used (e.g., data wiping, physical destruction)?
- How do you ensure compliance with data storage and deletion regulations?
  - What measures do you take to comply with data storage and deletion regulations (e.g., GDPR, CCPA)?
  - Do you have policies in place to ensure data is deleted in compliance with legal and regulatory requirements?
Recommendations
Organizations must exercise utmost diligence when entrusting their proprietary information to AI vendors. Failing to do so can expose them to risks such as data misuse, IP infringement, regulatory non-compliance, and loss of competitive advantage. By following the recommendations outlined below, organizations can protect themselves from such risks:
- Establish a Rigorous AI Vendor Vetting Process
  - Create a comprehensive, detailed questionnaire to evaluate vendors' data management practices, including access controls, third-party sharing practices, usage rights, regulatory compliance, and storage procedures.
- Inquire for Proof During Procurement
  - Request access to evidence and documentation, such as policy language, independent audit reports, certifications, and attestations, to substantiate the vendor's claims about data handling practices.
- Demand Periodic Audits
  - Negotiate contractual provisions that grant your organization the right to conduct regular audits or assessments of the vendor's data handling practices to ensure ongoing compliance and accountability.
Need help?
- Are you an AI buyer seeking assistance in developing a rigorous AI Vendor Vetting Framework or evaluating potential vendors? Our team of experts can guide you through the process, helping you craft detailed questionnaires, conduct due diligence, and negotiate robust data governance agreements. Protect your organization's valuable data assets by reaching out to us.
- AI vendors, demonstrate your commitment to data privacy and earn the trust of your customers by undergoing independent audits of your data handling practices. Our team of certified auditors can assess your policies, procedures, and controls, providing you with a comprehensive report and recommendations for improvement. Differentiate yourself from the competition by reaching out to us for AI audit services.