Faster AI, tighter data, and the CIO in the middle
“Giving bad data to an AI system is like teaching a five-year-old bad words,” says Ale Brown, founder and CEO of Kirke Consulting. “They’re going to learn them, they’re not going to forget them, and you’re gonna regret that you did it.”
It’s an apt metaphor, and both situations are probably going to leave someone red-faced (although one is, admittedly, pretty funny).
A child will grow out of it, learn some manners, or at least (hopefully) develop some kind of filter. An AI system keeps the habit for good. Once it has trained on the wrong data, you can’t clean it up after the fact the way you would a CRM.
“You need to destroy your system and start all over the deck again, and that’s a lot of time, resources, and money,” she added.
This is where a lot of Canadian AI projects are exposed, because the rush to build and incorporate AI keeps outrunning the less exciting job of figuring out what data they have to begin with.
On June 4, Ottawa launched “AI for All,” a national strategy to get Canadian companies adopting AI faster.
Nearly one in five (19.2%) now use AI to produce goods or deliver services, up from 6% two years ago, according to Statistics Canada. The new strategy wants that at 60% by 2034.
Eleven days after announcing “AI for All”, the federal government introduced Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA).
The proposed legislation would replace the private-sector privacy rules in the current Personal Information Protection and Electronic Documents Act (PIPEDA), and put strict new limits on the personal data those AI systems run on.
The government has a foot on the gas and a foot on the brake at the same time.

“What is the fuel of an AI system?” asks Brown. “Data.”
For the CIO who has to make AI pay off and keep it compliant, they need to know exactly what data the company has, how good it is, and which version is the right one, before building anything on top of it.
The case for made-up data
Through Kirke Consulting, Brown advises organizations on data privacy, AI governance and data management. She’s seen what happens when companies skip a compliance review.
Bad data quality is a failure most companies can fix on their own. Organizations also need to know whether they can legally use that data to test and train AI in the first place.
Asked what limits their use of AI, 13.4% of businesses named cybersecurity or privacy concerns. Brown explained that teams routinely test and train AI on scrubbed customer records, expecting such a step would put the data out of harm’s way.
Brown’s answer is to stop testing on real people.
“You don’t have to use your customers’ data to test, just use synthetic data or use fully anonymized,” she says.
Let’s start with a word teams lean on: de-identified. Obvious identifiers have been stripped out, so the data looks anonymous.
Not to go all Admiral Ackbar, but it’s a trap.
Combine enough of those scrubbed fields and you can trace your way back to a real person, which is why Bill C-36 treats de-identified data as personal information, with all the legal exposure that carries.
Fully anonymized data, on the other hand, severs the link to the individual for good, so no one can trace it back.
Switching now, to either model while it’s still a design decision, beats being forced into it later.
What moves a board
Bill C-36 carries fines that can reach 5% of global revenue for the most serious cases.
That is a number that would probably take over a board conversation pretty quickly.
The body handing out those penalties would be the new Digital Safety and Data Protection Commission of Canada, a dual-mandate regulator responsible for both privacy and online safety.
Brown thinks that’s the wrong thing for tech leaders to fixate on, and it’s certainly not keeping them up at night.
In her experience, the threat of a fine is just a cost of doing business. Leadership will sit up a little straighter at the mere notion of a deal, though. Mergers, acquisitions, partnerships, and major contracts all depend on proving the company handles data properly.
“What is keeping them up at night is business opportunities,” says Brown.
She points to Europe, where regulators have struggled to keep pace with enforcement, as the reason the business case carries more weight than the penalty.
“Unless they tell them your budget depends on the number of fines that you impose, or they give them something to really motivate them to look into companies, I don’t think a lot is going to happen, and again, leaders are going to account for that,” she continues.
Brown, who led IT for Johnson & Johnson’s diabetes division before starting Kirke Consulting, knows her way around the resulting org chart.
“This is not a tech issue, this is a business issue,” she says.
When a board hands privacy to the CIO alone, it has picked the wrong owner. The work is shared across operations, legal, privacy, and the business, because everyone in the company touches the data at some point.
As many organizations are now finding, after going all-in on AI, you need to keep a person on the final call.
“The AI system makes a recommendation, but ultimately it’s a human that makes the decision,” says Brown, comparing the tech to a company intern.
“They’re going to do the work, they’re going to provide their insights and their recommendations, and ultimately the manager needs to make the decision.”
That human check also gives the company someone who can explain how an important decision was made. Brown says leaders should keep AI projects moving while Bill C-36 works its way through Parliament, a process that could take 12 to 24 months.
“You don’t have to freeze anything, you have to continue moving again,” she explains. “Laws are already here… so start implementing a strong operationalized privacy program.”
The companies she sees handle this well have made privacy a standing board topic, and built risk assessments into the front of every project, where the privacy team helps design the solution.
“AI for All” rests on the idea that Canadians will adopt AI they trust, and that trust runs through how companies treat the data underneath. Companies that sort out privacy early are less likely to spend months undoing AI work later.
Final shots
- Map your data before you build anything, so you know what the organization holds and where it lives, because most companies have never really written that down.
- Delete what you no longer use, since a dataset nobody has touched in five years is a liability sitting around waiting to leak.
- Bring the privacy and legal team into an AI project at the design stage, while there’s still a design to shape, rather than after it ships and they can only say no.
Faster AI, tighter data, and the CIO in the middle
#Faster #tighter #data #CIO #middle