Rosie Nance

Senior Knowledge Lawyer, Norton Rose Fulbright

Rosie is a Senior Knowledge Lawyer at Norton Rose Fulbright London in the AI and data team. She advises clients across sectors on AI governance, the EU AI Act, data protection, data and digital laws, and contracting for AI. Alongside this, her Knowledge work is focussed on unpacking changes in the data, AI, and digital law space and strategising on how to comply with the latest requirements. Rosie’s previous experience includes advising in-house on data protection and the roll-out of new technologies. Prior to that, she advised clients across sectors on global privacy compliance projects, complex data protection queries, and IT contracts.

Contributed to

1

Safeguarding personal data when procuring generative AI products—checklist

Checklists

This Checklist deals with areas of diligence and contractual terms relevant to personal data sharing by a customer with a vendor that is using generative AI (artificial intelligence that can create outputs such as text, images, video, or sound, referred to as Gen AI below) to provide services to the customer. We will refer both to the underlying Gen AI model and the AI system in which it operates as applicable, and will refer simply to Gen AI where vendors may be utilising either a Gen AI model or an AI system incorporating it.This Checklist only covers data protection issues under UK law (in particular, the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR)). It focuses on the salient points for Gen AI purposes when contracting in a data processing relationship, and should be read in conjunction with: Audit of a new or existing personal data processor—checklist and Stand-alone data processing

Information Law