Deborah

On July 30, the Information Commissioner’s Office (ICO) published its Guidance on Artificial Intelligence (AI) and data protection to help entities using or developing AI technologies comply with data protection law.

The Guidance provides advice and recommendations on best practice in applying core General Data Protection Regulation (GDPR) principles to AI, and outlines key issues for organisations to consider relating to:

1/ Accountability and Governance Implications

Targeted specifically at senior management and those in compliance-focused roles, this section outlines, among other things, the importance of:

  • Undertaking a data protection impact assessment (DPIA) to demonstrate compliance where necessary.

  • Identifying and understanding controller/processor relationships.

  • Managing trade-offs efficiently.

The ICO’s recommendations include (among others): (i) understanding and addressing, appropriately and promptly, the technical complexities of AI systems by clearly mapping the roles of the different parties involved, and (ii) identifying and assessing any existing or potential trade-offs when designing or procuring an AI system, and assessing the impact it may have on individuals.

2/ Lawfulness, Fairness and Transparency

Targeted at those in compliance-focused roles, this section emphasises the necessity of separating each distinct processing operation and identifying the purpose and an appropriate lawful basis for each one, in order to comply with the principle of lawfulness.

It also notes that entities that use an AI system to infer data about people must, to ensure fairness, make sure that the system is sufficiently statistically accurate and avoids discrimination.

The ICO’s recommendations include (among others): (i) determining and documenting an approach to bias and discrimination mitigation from the very beginning of any AI application lifecycle, and (ii) establishing clear policies and good practices for the procurement and lawful processing of high-quality training and test data.

3/ Assessing Security and Data Minimisation

Aimed at technical specialists, this section explains how AI systems can exacerbate common security risks and presents the challenges of complying with the data minimisation principle.

The ICO’s recommendations include (among others): (i) applying privacy-enhancing techniques (perturbation, i.e. adding ‘noise’; synthetic data; and federated learning), and (ii) implementing risk management techniques to minimise personal data, or to mitigate the risks posed to that data, at the inference stage, including converting personal data into less ‘human readable’ formats.
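Two of the techniques named in this section can be shown concretely. The following is an added illustration, not code from the ICO Guidance: it converts a direct identifier into a less human-readable keyed token (HMAC-SHA256, a standard pseudonymisation approach), drops fields the model does not need (data minimisation), and releases aggregate counts with Laplace ‘noise’ (the standard differential-privacy perturbation). The records, field names, key and epsilon value are constructed for the example and are assumptions.

```python
import hashlib
import hmac
import random
from statistics import mean

# Constructed sample records for the illustration; these are not real people
# and the field names are assumptions, not anything the ICO Guidance prescribes.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "age": 34, "postcode": "SW1A 1AA", "label": 1},
    {"email": "bob@example.org", "age": 29, "postcode": "EC1A 1BB", "label": 0},
    {"email": "carol@example.org", "age": 41, "postcode": "SW1A 1AA", "label": 1},
]

# Fields the (hypothetical) model actually needs; everything else is dropped.
FEATURES_NEEDED = ("age", "postcode", "label")


def pseudonymise(value: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    The token is deterministic for a given key, so records can still be
    joined, but the original value cannot be recovered from the token
    without the key. The key must be stored separately from the data.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise_record(record: dict, key: bytes) -> dict:
    """Keep only the needed features and swap the identifier for a token."""
    out = {k: record[k] for k in FEATURES_NEEDED if k in record}
    out["subject_token"] = pseudonymise(record["email"], key)
    return out


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Draw Laplace(0, scale) noise as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def noisy_count(true_count: int, epsilon: float, rng: random.Random,
                sensitivity: float = 1.0) -> float:
    """Laplace mechanism: noise scale is sensitivity / epsilon.

    A smaller epsilon means more noise and stronger protection for any
    single individual's presence in the count.
    """
    return true_count + laplace_noise(sensitivity / epsilon, rng)


def noisy_histogram(records: list, field: str, epsilon: float, seed: int = 0) -> dict:
    """Per-value counts of `field`, each perturbed before release."""
    rng = random.Random(seed)
    counts: dict = {}
    for r in records:
        counts[r[field]] = counts.get(r[field], 0) + 1
    return {k: noisy_count(v, epsilon, rng) for k, v in counts.items()}


def average_noisy_count(true_count: int, epsilon: float, n: int, seed: int = 1) -> float:
    """Average of n independent noisy releases; the noise is zero-mean,
    so this converges on the true count while any single release is
    protected. (Repeated releases spend privacy budget; shown only to
    make the unbiasedness visible.)"""
    rng = random.Random(seed)
    return mean(noisy_count(true_count, epsilon, rng) for _ in range(n))


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-out-of-the-dataset"
    for rec in SAMPLE_RECORDS:
        print(minimise_record(rec, key))
    print(noisy_histogram(SAMPLE_RECORDS, "postcode", epsilon=1.0))
```

Two caveats a practitioner would attach: a keyed token is still personal data under the GDPR as long as the key exists (pseudonymisation reduces risk but does not anonymise), and each noisy release consumes part of a privacy budget, so the same statistic should not be re-released indefinitely.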

4/ Ensuring Data Subject Rights

Addressed to compliance professionals who are responsible for responding to individual rights requests, this section explains the challenges of ensuring individual rights in AI systems, including rights relating to solely automated decision-making.

The ICO’s recommendations include (among others): (i) regularly and proactively evaluating the possibility of personal data being inferred, and (ii) designing and delivering appropriate training and support for human reviewers.

More details can be found here
