On July 30, the Information Commissioner’s Office (ICO) published its Guidance on Artificial Intelligence (AI) and data protection to help entities using or developing in AI technologies comply with data protection law.
The Guidance provides advice and recommendations on best practice in applying core General Data Protection Regulation (GDPR) principles to AI, and outlines key issues for organisations to consider relating to:
1/ Accountability and Governance Implications
Targeted specifically at senior management and those in compliance-focused roles, this section outlines, among other things, the importance of:
Undertaking a data protection impact assessment (DPIA) to demonstrate compliance where necessary.
Identifying and understanding controller/processor relationships.
Managing trade-offs efficiently.
The ICO’s recommendations include (among others): (i) understanding and addressing appropriately and promptly the technical complexities of AI systems by clearly mapping the roles of the different parties involved, and (ii) identifying and assessing any existing or potential trade-offs when designing or procuring an AI system, and assessing the impact it may have on individuals.
2/ Lawfulness, Fairness and Transparency
Targeted at those in compliance-focused roles, this section emphasises the necessity of separating each distinct processing operation and identifying the purpose and an appropriate lawful basis for each one, in order to comply with the principle of lawfulness.
It also notes that entities that use an AI system to infer data about people must, to ensure fairness, ensure that the system is sufficiently statistically accurate and avoids discrimination.
The ICO’s recommendations include (among others): (i) determining and documenting an approach to bias and discrimination mitigation from the very beginning of any AI application lifecycle, and (ii) establishing clear policies and good practices for the procurement and lawful processing of high-quality training and test data.
3/ Assessing Security and Data Minimisation
Aimed at technical specialists, this section provides explanations on how AI systems can exacerbate common security risks and presents the challenges related to compliance with data minimisation.
The ICO’s recommendations include (among others): (i) applying privacy-enhancing techniques (perturbation or adding ‘noise’; synthetic data; and federated learning), and (ii) implementing risk management techniques to minimise personal data, or mitigate risks posed to that data, at the inference stage, including converting personal data into less ‘human readable’ formats.
4/ Ensuring Data Subject Rights
Addressed to compliance professionals who are responsible for responding to individual rights requests, this section explains the challenges of ensuring individual rights in AI systems, including rights relating to solely automated decision-making.
The ICO’s recommendations include (among others): (i) regularly and proactively evaluating the possibility of personal data being inferred, and (ii) designing and delivering appropriate training and support for human reviewers.
More details can be found here.