Why You Should Take the PIF Out of Your Next Privacy Conversation

Have you ever attended cross-collaboration meetings to discuss what seems like a simple privacy issue, only to end up going around in circles for the next several weeks, if not months? You are not alone if you think they are increasingly common. It is the reality in today’s operating environment, where legal, data, AI and information security professionals try to hash out a way to align goals.

This structural tension is the result of each area of expertise speaking different languages, being rewarded for different outcomes and having different risk tolerances – with privacy sitting right at the centre of it. Delving into it a bit more:

  • Each area sees risk very differently – legal professionals worry about compliance, while data professionals are concerned about data quality. Gaps that seem trivial to one area are catastrophic to another.
  • The goals often pull in opposite directions – AI teams want rich, diverse datasets, while security and legal teams want to limit exposure.
  • Tolerance for ambiguity is particularly troubling when it comes to AI. The black box nature of many AI models does not sit comfortably with legislated justifications for decisions.
  • Best practice means very different things to each area – often defaulting to industry specific benchmarks and standards. Compliance with ISO standards, for example, is not a substitute for legal compliance to a lawyer.
  • Miscommunication is often inevitable – with each domain having its own set of jargon. This can create false assurances and friction.
  • Expected timeframes also vary. While data and AI teams may be comfortable with a quick iterative approach, legal and security may prefer a more systematic approach that allows thorough analysis and longer-term controls to be put in place.

Throw third parties into the mix and you have a recipe for very long conversations.

Personal Information Flows (PIF)

That’s why we think it’s important for teams to kick conversations off on the right foot. This can be achieved by mapping out the Personal Information Flows (or as we like to call it, the PIF) involved in a project or issue. This allows all parties to understand:

  • What personal information is involved
  • How it is collected, used, stored and/or deleted
  • Who key actors are, and
  • What systems, data stores and data flows are relevant to the handling of personal information.

By mapping the above out, in line with applicable legislative definitions, everyone at the table can start having constructive conversations from Day 1.

Doing it through AI also provides a few advantages: cross-domain knowledge, speed and practical outcomes. Cross-domain knowledge is particularly useful in helping to connect the dots, so constructive solutions to satisfy everybody’s needs can be found. AI’s ability to churn through large amounts of complex, diverse information can help everybody quickly prioritise the key issues at hand – without getting caught up in translation loops. At a practical level, concepts that pull these threads together (like Privacy by Design) can also be applied when it comes to recommendations. Privacy by Design can help to identify key gaps and provide practical guidance on potential workarounds. Without it, parties can quickly end up in a deadlock, where the only available options are 'Agree' or 'Disagree'.

Check out the demo below for how this works in practice.

As shown above, the tool is designed to generate a Personal Information Flow (PIF) analysis based on a use case description, technical information, and legal jurisdiction. The analysis includes a sequence diagram of personal information data flows and a detailed narrative description of the flow of personal information, including the types of personal information, key actors, systems, data stores and data flows, non-compliance risks and areas where privacy by design/default principles could be applied.

To get started with our PIF MCP tool, all you need is an AI chatbot (like Claude or ChatGPT). Further information is available at: https://www.complyme.ai/blog/mcp-tutorial-specifications