Meet the expert: Kristen Pennington to speak at PrivSec Global

Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Kristen Pennington is Partner in Privacy & Data Protection at McMillan LLP, where she maintains a dynamic practice in privacy, data protection and employment law. In her role, Kristen assists emerging and established companies across a range of industries, and provides insights into Canada’s distinct laws to support businesses entering or investing in the Canadian market.

Kristen appears exclusively at PrivSec Global to discuss AI and how workplace policies can adapt to meet the emerging technology’s compliance and responsibility demands.

Below, Kirsten answers questions on the topic and sheds light on her professional pathway so far.

Could you outline your career pathway to date?

I am a lawyer and partner in the Privacy and Data Protection Group at McMillan LLP, a full-service Canadian law firm that assists businesses of all sizes and types. I am fortunate to be a member of McMillan’s Technology Team, where I have the opportunity to collaborate with colleagues working in the intellectual property, data management, technology contracting and technology transaction spaces.  

My legal practice has changed significantly over my five years at the firm, in particular as we help clients tackle changing regulatory and risk landscapes related to emerging technologies like AI.

What are the big compliance challenges facing organisations who want to embrace AI technology?

Organisations that want to embrace AI technology are struggling with the lack of specific laws or regulations tailored to AI. Trying to shoe-horn AI into existing privacy and data protection legislation can be really difficult, and regulators and legislators are having trouble keeping up with the rapid pace at which this technology is being developed and made available to the public.

Organisations want to jump in and be able to leverage efficiencies and opportunities created by AI technology, but may be reluctant to do so absent more concrete legal and regulatory guidance. Multinational organisations are in for a particular challenge as they navigate requirements across various jurisdictions.

What strategies should companies be implementing in order to mitigate risk and work towards responsible use of AI?

From a privacy perspective, two key points to keep in mind regarding the use of AI technologies are 1) what goes in, and 2) what comes out.

In terms of what goes in, how are you ensuring that your employees are not feeding confidential or proprietary business or customer information, or personal information, into AI technologies without providing required notices or obtaining required consents? 

In terms of what comes out, how are you monitoring how and when your employees can rely on AI-generated content or tools at work? How are you mitigating the risks that AI outputs may be incomplete, inaccurate, biased or discriminatory? When do AI outputs require human oversight, like fact-checking and editing, in your workplace? When and how do your employees need to be transparent about, or document how they use, AI tools in their work?

A lot of this will come down to implementing proper policies and procedures, training and oversight of employees who use AI tools in the workplace.

Organisations will also need to be flexible and nimble to adapt not only to new technological developments, but also new laws and regulatory guidance that apply to AI technologies.  Policies, procedures and training will need to adapt over time to take into account these developments.