Example report

AI Governance Assessment

Anonymised sample. This is the structure and level of detail clients receive.

Client: [Anonymised — B2B SaaS, ~80 staff, UK-based]
Scope: AI use cases in customer support and sales enablement
Date: February 2026

Executive summary

We assessed [Client]'s AI use cases against five governance frameworks. Overall: solid foundations in security and data quality; gaps in GDPR documentation, AI ethics governance, and data sovereignty mapping. Three high-priority recommendations below.

Findings by framework

GDPR — Partial

DPA in place with primary AI provider. Lawful basis documented for support chatbot. Gaps:

  • No ROPA entry for AI use cases
  • Privacy notice does not mention AI processing
  • No process documented for subject access requests involving AI-held data

Recommendations

  • Add AI use cases to Record of Processing Activities
  • Update privacy notice; include AI in DPIAs for new use cases

AI Ethics — Gaps

No formal accountability for AI decisions. Support responses not tested for bias. Sales scoring tool uses historical data that may under-represent newer segments.

Recommendations

  • Define AI decision owner (e.g. Head of Support, Head of Sales)
  • Run bias check on support response samples before scaling
  • Add ethics criteria to AI procurement checklist

Data Quality — Good

Support tickets and CRM data are well-structured. Some duplicate accounts in CRM; recommend deduplication before feeding to sales AI. No major representativeness concerns for current use cases.

Recommendations

  • Run deduplication on CRM before scaling sales AI
  • Define quality metrics and baseline before next phase

Security — Good

Access control in place. Audit logs enabled. Provider has SOC 2. One gap: no prompt-injection testing documented.

Recommendations

  • Run OWASP LLM Top 10 checklist; document prompt-injection mitigations

Sovereignty — Partial

Provider offers EU region; currently using US default. UK/EU customer data may be processed in US.

Recommendations

  • Switch to EU region for support and sales AI; document in data residency matrix
  • Review contract for exit and data deletion clauses

Prioritised next steps

  1. Immediate: Switch AI provider region to EU for UK/EU personal data
  2. Within 4 weeks: Update ROPA and privacy notice for AI use cases
  3. Within 8 weeks: Assign AI accountability; run bias check on support samples