Deborah

On July 30, the Information Commissioner’s Office (ICO) published its Guidance on Artificial Intelligence (AI) and data protection to help entities using or developing AI technologies comply with data protection law.

The Guidance provides advice and recommendations on best practice in applying core General Data Protection Regulation (GDPR) principles to AI, and outlines key issues for organisations to consider relating to:

1/Accountability and Governance Implications

Targeted specifically to senior management and those in compliance-focused roles, this section outlines, among other things, the importance of:

  • Undertaking a data protection impact assessment (DPIA) to demonstrate compliance where necessary.

  • Identifying and understanding controller/processor relationships.

  • Managing trade-offs efficiently.

The ICO’s recommendations include (among others): (i) understanding and addressing appropriately and promptly the technical complexities of AI systems by mapping clearly the roles of the different parties involved, and (ii) identifying and assessing any existing or potential trade-offs when designing or procuring an AI system, and assessing the impact it may have on individuals.

2/Lawfulness, Fairness and Transparency

Targeted to those in compliance-focused roles, this section emphasizes the necessity of separating each distinct processing operation, and identifying the purpose and an appropriate lawful basis for each one, in order to comply with the principle of lawfulness.

It also mentions that entities that use an AI system to infer data about people must, to ensure fairness, make sure that the system is sufficiently statistically accurate and avoids discrimination.

The ICO’s recommendations include (among others): (i) determining and documenting an approach to bias and discrimination mitigation from the very beginning of any AI application lifecycle, and (ii) establishing clear policies and good practices for the procurement and lawful processing of high-quality training and test data.

3/Assessing Security and Data Minimisation

Aimed at technical specialists, this section provides explanations on how AI systems can exacerbate common security risks and presents the challenges related to compliance with data minimisation.

The ICO’s recommendations include (among others): (i) applying privacy-enhancing techniques (perturbation or adding ‘noise’; synthetic data; and federated learning), and (ii) implementing risk management techniques to minimise personal data, or mitigate risks posed to that data, at the inference stage, including converting personal data into less ‘human readable’ formats.

4/Ensuring Data Subject Rights

Addressed to compliance professionals who are responsible for responding to individual rights requests, this section explains the challenges of ensuring individual rights in AI systems, including rights relating to solely automated decision-making.

The ICO’s recommendations include (among others): (i) regularly and proactively evaluating the possibility of personal data being inferred, and (ii) designing and delivering appropriate training and support for human reviewers.

More details can be found here
