• More than half (57%) are using generative AI tools in their organisations, but only 16% rank their impact as high
• Majority of DPOs (61%) report to their Boards at least quarterly
• Cyber Security: respondents split on authorising payments in ransomware attacks

The survey was conducted amongst an audience of over 150 in-house lawyers, compliance officers and data protection officers at our recent Data and Digital Leadership Forum.

The survey results reveal insights on generative AI, ransomware and GDPR challenges for legal and compliance professionals across various sectors and industries, including technology, financial services, healthcare and utilities.

According to the survey, more than half of the respondents (57%) use generative AI tools in their organisation, but only 16% rated their impact as significant, selecting 4 or 5 on a scale of 1 to 5. Rob Corbet, Partner and Head of Technology and Innovation, Arthur Cox LLP, commented: “Generative AI tools have the potential to transform the way legal and compliance professionals work by automating tasks, enhancing creativity and generating new insights. However, our survey suggests that there is still room for improvement in terms of their adoption, integration and effectiveness.”

Olivia Mullooly, Partner, Technology and Innovation, Arthur Cox LLP, continued: “Any organisation using generative AI tools also needs to have due consideration to the IP and confidentiality aspects of such tools, focusing on both the inputs as well as the outputs. While the legal position on the ownership of AI-created works is the subject of significant debate internationally, it’s also worth keeping in mind that data that is fed into generative AI tools is protected by copyright carrying the risk of potential infringement in the absence of oversight and governance on the use of the AI tool.”

The survey also revealed that ransomware attacks are a serious concern for legal and compliance professionals, with 44% of the respondents saying they would authorise the payment of a ransom in a ransomware attack against their organisation, assuming it is legally and economically viable. Richard Willis, Partner, Litigation, Dispute Resolution and Investigations, Arthur Cox LLP, said: “Ransomware attacks are becoming more sophisticated and frequent, and pose a significant risk to the security and integrity of data and systems. Legal and compliance professionals need to be prepared for such scenarios and weigh the pros and cons of paying a ransom versus restoring from backups, reporting to authorities and dealing with potential litigation and reputational damage.”

The survey also highlighted the challenges that legal and compliance professionals face with data transfers, with data transfers to third countries rated as the most difficult exercise by 33% of the respondents. Colin Rooney, Partner, Technology and Innovation, Arthur Cox LLP, added: “The seemingly constant legal changes in the EU-US data transfer landscape, such as the invalidation of the Privacy Shield and the new EU-US Data Privacy Framework, have created uncertainty and complexity for legal and compliance professionals trying to ensure that their cross-border data flows are lawful and secure. We expect more litigation and enforcement activity in the coming months and years.”

Further challenges identified by respondents include new and evolving regulation (25%), advances in technology and technology adoption (23%) and effectively prioritising work and areas of focus (17%). Ian Duffy, Partner, Technology and Innovation, Arthur Cox LLP, commented: “Legal and compliance professionals are managing an ever-shifting and expanding regulatory landscape, whilst also dealing with emerging technologies such as AI. The results of our survey show the need for teams to be agile, strategic, and proactive in managing both the risks and the opportunities presented by new technologies and new regulation.”  

However, in terms of governance and ensuring that boards are kept up to date on data protection and cyber security issues, the survey stated that the majority of DPOs in organisations (61%) report to their Board of Directors on at least a quarterly basis, with only 9% of survey respondents reporting that the DPO in their organisation never reports to the board. Corbet concluded: “The survey results show that legal and compliance professionals are facing a diverse and dynamic range of challenges and opportunities in the data and digital space. As developments in this area tend to come thick and fast, it’s key that legal and compliance teams ensure that they have the appropriate policies and procedures in place, and that these are regularly reviewed for their effectiveness and relevance.”

For more on our our Technology and Innovation Group, click here.