How do you balance AI compliance with prioritising business growth?

Corinne Hedlund NyténCorinne Hedlund Nytén
Written by
Corinne Hedlund Nytén
and
-
October 13, 2024

Loved this article? Share it with your network:

AI is transforming industries - offering companies new avenues for growth, efficiency, and innovation. However, the opportunities also come with a complex regulatory landscape that can, at times, feel at odds with each other. For companies wanting to integrate AI into their business models and offerings, it is essential to take legal requirements stemming from e.g. the GDPR and the EU AI Act into account, while still driving business growth. For us legal professionals, balancing compliance with achieving strategic objectives is crucial.

So how do you, as a lawyer, balance your organisation’s wants for AI with compliance?  

This article draws from my experience within tech compliance. It is therefore especially relevant for those working in-house at a tech company striving to be competitive with AI. If anything, I wish to inspire you to leverage AI compliance as a competitive advantage.

What is the issue?

I would be surprised to hear of a company not discussing how to integrate AI into their business processes and offerings. But then we have the newly adopted EU AI Act which, although it is not formally in force yet, will become so in 2 years’ time. Adjustment to legal requirements isn’t always a quick and easy process.

Often, the law and we lawyers are seen as roadblocks - enemies of tech innovation and business growth. But does compliance have to be on the opposite side of business success? Integrating regulatory requirements into the company strategy can ensure that AI is implemented ethically, responsibly, and sustainably. Which, I have seen, and firmly believe, will benefit the business. 

Factors tipping the scale when balancing compliance and business growth

Risk appetite

The first factor affecting the balancing act is the company’s risk appetite, as it sets the framework for your compliance work. If you work in a smaller organisation where it might not be clearly outlined, then you will need to drive that discussion with management.

Maturity level

Where does the organisation currently stand in its overall compliance work? Realistically, that will affect the speed. An organisation without an established compliance framework or governance structure cannot be expected to reach the goal as quickly as those with a well-established one. 

Resources

The resources you have at your disposal will undeniably set the bar. The resources you have at your disposal will undeniably set the bar. Whether you are the sole lawyer, have a team or can bring in others from the organisations into the project will of course have an impact. A tip here is to work in cross-functional teams, as it gives the lawyer a better understanding of the business needs and the technology and should make it easier to roll anything out in the organisation. Whether you are allowed by top management to prioritise AI compliance or not and if you have any budget to e.g. bring in external counsel, if necessary, will also affect where you can set your bar, which makes management's support and strategic direction of utmost importance. 

Customer base

Lastly, I would say the customer base is a highly relevant factor in the balance between compliance and business growth. It is the customers, after all, that drive demand. Very generally speaking, compliance might be less important to smaller, non-regulated organisations, but extremely important in the sourcing process for larger or already regulated companies. When you have a customer base of enterprise corporations, the requirements for compliance is greater in the sourcing process and therefore, your work can easily be connected to the profit.

Taking a business-minded approach to compliance

Understanding the overarching business objectives, the offering, and the technology

As lawyers today, we need to understand the technology to be able to assess how to meet legal requirements. Additionally, understanding the offering and the bigger strategic goals of your organisation will help you be a more business-minded lawyer, as it allows you to adjust your focus and prioritise. Thus, if you work for a SaaS-provider, make sure you have received a demo of your service, and then if the team wants to integrate AI in for example a new feature - get a clear run-through of how it will work.

To understand the technology, I highly recommend Helsinki University’s free online course on AI, Elements of AI. It can feel heavy at first, and of course, you don’t need to understand everything, but it gives you a broader picture of what “AI” even means. 

Risk management and compliance as a USP

Encourage your organisation to view risk management not as a barrier but as a strategic tool. For example, taking a responsible approach to AI and taking risks into account at an early stage can become a competitive advantage, especially if you are supplying an online service. Whether you are working B2B or B2C, customers are increasingly wary of how companies use their data, so ensuring AI compliance can boost trust in sales. 

What we have seen from working with large enterprises is that security and compliance are matters of great importance in the sourcing process. If you can be transparent and show that you have done the proper groundwork, it can really be a unique selling point (USP). All companies must ensure compliance, but what we have seen is that not all companies are good at transforming that work into sales collateral.

C-suite support

I have to say, management support matters. If you can get C-suite support for driving business hand-in-hand with compliance - and preferably seeing ways to incorporate compliance as a competitive advantage - it will make a huge difference for your work.

Embedding compliance into the development- and decision-making phase

Taking an example from the SaaS-space, it is far easier to build a feature with compliance in mind from the beginning rather than trying to bend an already built one to fit the legal requirements at a later stage. You can play a crucial role in embedding compliance into the AI development process by working with the engineers to make sure they follow a privacy- as well as an ethics-by-design approach. This ensures that compliance and ethical considerations are taken into account from the very start. If your engineering- and product teams have shaping checklists or similar, make sure to get compliance/risk in there.

This proactive approach saves both time and resources, preventing potential regulatory issues down the line and allowing the company to focus on innovation and growth without distractions from compliance risks.

Your communication and approach internally

Within the organisation, I believe you have a very good starting point if you can come from a place of “how can I help you achieve what you want, hand in hand with the law”. Make it a point of not just being the yea- or naysayer. To get the right prerequisites to do so, it’s crucial to get involved in the process early on. If the business comes to you when the decision is already made and the feature is already built “just to check with legal”, it is hard to do anything else but give them a “go” or “no-go” response. 

When it comes to communicating about compliance, take it down a notch. What I mean by that is that scare tactics, in my experience, never work for making employees do what you need them to. It is when your colleagues feel safe to come to you with their issues that you can get the full picture of what is going on, helping you manage whatever comes up. I’d rather have too many reports and questions than too few, with an organisation deliberately keeping me in the dark just because it’s easier and to avoid delays.

To Conclude

Rather than viewing compliance as a hurdle, the legal team together with the business can and should work together to see how to leverage it as a strategic advantage, fostering trust and transparency, for long-term success.