digital economy | ai guide part 2 – investment 20 Nov 2020

Data

In relation to the data itself (including training data), investors should enquire into where the data came from and how it was cleaned. Specifically, the investor will want to understand:

whether the training data is sufficiently representative of the datasets that the AI system will process;
the types of data, including the categories of personal data, that the AI system processes;
where the data was sourced (third-party sites by way of scraping, data mining or own sources);
the quality of both the training data and the input data the AI system processes;
whether the data, including any training data, has been appropriately labelled and is therefore human-interpretable so as to be understood by the investor and/or its advisors;
whether the data has been pre-processed in any manner, including steps taken to mitigate data quality issues; and
where data is licensed, the investor should review the underlying documents to reaffirm the target’s rights to use the data align with the future plans of the investor.

It may be helpful to speak directly to the target’s tech/data science team to understand the process used in relation to data and training the AI.

Investors should also carry out thorough due diligence on AI solutions to familiarise themselves with the potential data protection risks and mitigating factors associated with the underlying technology. The size of potential regulatory fines available under the GDPR are significant – the higher end being the greater of 20 Million euro or 4% of global annual turnover – and brings GDPR compliance into sharp focus for investors.

Key issues which should be considered by any investor during the due diligence process include the following from a data perspective:

Regulatory diligence

Investor review should cover the target’s compliance with regulatory obligations (in all relevant jurisdictions), in particular, data protection legislation, discussed in Part 1. Due diligence should also include a review of the target’s privacy notice; as this will inform investors on use of data pre- and post-transaction.

Counterparty diligence

Investor review should cover an analysis of the supply and contractual counterparties and underlying contracts, including data brokers and AI analytics providers.

Cybersecurity diligence

Investors should consider whether risk classification and cybersecurity architecture are fit for purpose to avoid unsolicited third-party access and data theft.

In the UK and EU, organisations should be aware of specific cyber resilience and breach reporting laws, e.g. to the extent the target is an operator of essential services (EOS) or relevant digital services provider (RDSP) the impact of the UK’s Network and Information Systems Regulations 2018 (UK NIS Regulations 2018) will need to be considered.

Current at 20 November 2020

Key Contacts

We bring together lawyers of the highest calibre with the technical knowledge, industry experience and regional know-how to provide the incisive advice our clients need.

Rhiannon Webster

Partner

London

+44 20 7859 3070

Rhiannon.Webster@ashurst.com

VIEW PROFILE

Navigating the AI transformation - Investment - Intellectual Property

digital economy | ai guide part 2 – investment

Intellectual Property

Read Now

Keep up to date

Sign up to receive the latest legal developments, insights and news from Ashurst. By signing up, you agree to receive commercial messages from us. You may unsubscribe at any time.

People

People Search

Locations

Services

Legal

Ashurst Risk Advisory

Industries

Industries

Innovation from Ashurst Advance

News & Insights

LATEST INSIGHTS

About Us

LATEST NEWS

Insights ()

People ()

Other Results ()