In relation to the data itself (including training data), investors should enquire into where the data came from and how it was cleaned. Specifically, the investor will want to understand:
- whether the training data is sufficiently representative of the datasets that the AI system will process;
- the types of data, including the categories of personal data, that the AI system processes;
- where the data was sourced (third-party sites by way of scraping, data mining or own sources);
- the quality of both the training data and the input data the AI system processes;
- whether the data, including any training data, has been appropriately labelled and is therefore human-interpretable so as to be understood by the investor and/or its advisors;
- whether the data has been pre-processed in any manner, including steps taken to mitigate data quality issues; and
- where data is licensed, the investor should review the underlying documents to reaffirm that the target’s rights to use the data align with the investor’s future plans.
It may be helpful to speak directly to the target’s tech/data science team to understand the process used in relation to data and training the AI.
Investors should also carry out thorough due diligence on AI solutions to familiarise themselves with the potential data protection risks and mitigating factors associated with the underlying technology. The potential regulatory fines available under the GDPR are significant – the higher end being the greater of 20 million euro or 4% of global annual turnover – and bring GDPR compliance into sharp focus for investors.
Key issues which should be considered by any investor during the due diligence process include the following from a data perspective:
Regulatory diligence
Investor review should cover the target’s compliance with regulatory obligations (in all relevant jurisdictions), in particular data protection legislation, discussed in Part 1. Due diligence should also include a review of the target’s privacy notice, as this will inform investors on use of data pre- and post-transaction.
Counterparty diligence
Investor review should cover an analysis of the supply and contractual counterparties and underlying contracts, including data brokers and AI analytics providers.
Cybersecurity diligence
Investors should consider whether risk classification and cybersecurity architecture are fit for purpose to avoid unsolicited third-party access and data theft.
In the UK and EU, organisations should be aware of specific cyber resilience and breach reporting laws. For example, to the extent the target is an operator of essential services (EOS) or relevant digital services provider (RDSP), the impact of the UK’s Network and Information Systems Regulations 2018 (UK NIS Regulations 2018) will need to be considered.
Current at 20 November 2020