GDPR was brought in back in 2016 to cover the processing of data and data privacy issues within EU Member States and any company that deals with or sells to individuals and companies based in the EU. The UK then followed up with its own version of GDPR that covers similar ground once it had left the EU. Now that artificial intelligence is making huge strides in its evolution and is used within many data processing capacities, it is important to understand how GDPR and AI fit together. Can we have a world where the use of artificial intelligence within data processing is regulated effectively by GDPR and whatever future regulations are implemented as things evolve? A good way for any business to begin to unravel this idea is to hire outsourced data protection services to implement and audit your data protection policies.
GDPR has had the biggest impact on the regulation of data of any policy globally. It has changed the way the conversation about data and its use has evolved since its introduction in the EU and UK in 2016. As we have also witnessed a fast evolution in the use of artificial intelligence across many different areas of life in recent years, it is only natural that GDPR and AI have merged together and that the regulatory framework needs to be re-evaluated at times to ensure that it is tight and secure as things change.
Article 22 and AI
Article 22 of GDPR restricts the use of automated decision making and profiling, but only where a decision that could have a significant legal or financial effect on the data subject has been processed via artificial intelligence. There is a high threshold for this, and then you must also consider Article 15 which is stricter and is linked to automated decision-making and profiling that falls within the scope of Article 22. This includes the existence of automated decision making and profiling, meaningful information about the reasons behind the automated processing, and the significance and the likely consequences of the processing on the individual data subject. If Article 22 does not apply, then these additional obligations listed in Article 15 do not either.
Explainability and the rights of the individual
One part of the debate on GDPR and AI is the stipulation that the data subject has the ‘right to explanation’. What this actually covers is ‘meaningful information about the logic involved’ in relation to Article 22.
In practice this means that there should be a transparent explanation of the algorithm that has been used to make the decision rather than the rationale behind the outcome itself. To give an example, if a credit check takes place using automated means for any form of credit application and the application is unsuccessful, the data controller should have the ability to explain the parameters within the decision-making algorithm but does not have to explain how or why the algorithm came to that decision.
It is clear that as AI evolves and becomes a central part of more areas of our lives, there will be a push to regulate further. This is only natural, and we can expect the EU and the UK to draft legislative proposals that attempt to restrict AI and machine learning in order to protect the rights of individual data subjects and to cover a whole host of data regulations that could be impacted as technology advances.
Creating trust in AI
Although at first it might seem that GDPR, as it relates to AI, complicates matters or restricts its use completely, it does put in place a framework that is understandable for both organisations that process data and the individual that the data relates to. Over time, this may be the key to unlocking public trust in the use of artificial intelligence within data processing. There is a balance to be found between the two extreme schools of thought that AI is great and should be unregulated and the tight restrictions laid out by regulation where there should always be a human element to any data processing. Over time there is bound to be crucial development in regulations relating to AI and data privacy and security, as the technology evolves and becomes more attainable and effective to users.
Outsourced DPO services are the best way to ensure your use of automated processes and GDPR work together in perfect harmony. An outsourced data protection officer has the knowledge and understanding of the detail of GDPR as it relates to the use of AI, helping businesses and organisations to review the systems they have in place, and to implement real change that makes a difference to how data is processed and stored. Every individual has a right to know how and why their personal data is being processed. Explainability is a key factor in all of this, and with the help of a specialist in data protection, a company can provide transparency of data and heighten the security levels of private data.