By
Manuel Martinez
July 15, 2022
The use of AI systems has brought both large-scale industry transformations and the smaller day-to-day changes that shape our lives. The benefits cannot be denied, but there are also risks associated with their usage, and your organisation should conduct a thorough risk assessment, covering both data privacy and other fundamental aspects, before you jump on the AI wagon ✋.
Governance and Accountability
Your organisation must have sufficient data security protocols in place when using machine learning and other AI systems to ensure good governance. This is because large quantities of data are continuously being transferred, stored and shared with third parties in order to train the machine learning algorithm. AI systems can also be built by third-party providers, which would require inter-organisational transfers of data. In the context of data governance, this would require documenting the flow of data between different organisations.
Action points
Data minimisation
It is also a requirement under the UK GDPR that only the minimum amount of data should be stored and used in order for you to fulfil your data processing needs (Article 5(1)(c)). At first glance, this appears contradictory to the use of AI systems as they usually require vast amounts of training data in order to improve their accuracy. However, the ICO recommends various techniques that you can deploy to help you stick to the data minimisation principle.
Action points
Lack of transparency
Data processing by AI systems still requires a lawful basis and purpose for processing personal data. If the algorithm is processing data for various applications, your team must ensure that each reason is recorded separately as an individual use case. It is your responsibility to identify the lawful basis for processing that most accurately fits your use of personal data and to document it; it is not possible to change the legal basis in the future, so you should do this before going live.
Action points
Whatever legal basis you choose, it is important that you document it to show your justification for processing under each. This is where Privasee can help. Our platform documents and tracks the data within your organisation for you by mapping it in a visual and easily understandable format. It will help you identify each relevant legal basis for processing multiple data sets, keep track of how long each data set has been stored and help you manage individual data subject access requests. By helping you coordinate where individuals have given and retracted consent for their data, it can also prevent data breaches and costly fines in the future for your organisation.
Disclaimer
This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by the ICO.
Sources and further resources
For more information, please visit the ICO website for their guidelines on the implementation of AI systems.