Meet the expert: Lars Kramm to speak at #RISK London

Taking place on October 18 and 19 at EcXel London, #RISK London addresses the issues impacting organisational risk today, from Governance, Risk and Compliance (GRC), to Environmental, Social and Governance (ESG), organisational culture, and much more.

The event builds on the success of #RISK 2022, allowing organisations to examine the cumulative nature of risk, unite GRC specialities and share views with subject-matter experts.

Lars Kramm is Head of Privacy and Data Protection Officer at Pharmacy2U, the UK’s largest online pharmacy. He will be at #RISK London to discuss the EU’s AI Act and what it means for the future of privacy.

We caught up with Lars to hear more about his professional journey to date and for insight into the issues on the table at his forthcoming #RISK London session.

Could you outline your career so far?

My journey in the legal profession began in Germany where I completed my law studies. My work at the time was primarily academic, as I took up roles in legal research and teaching in various universities, with my focus being on public, European, and international law.

During this period, the study of data protection and privacy regulations was not a specific focus for me but part of the wider curriculum. In German law, these principles have a long-standing history, and it’s fascinating to see how those concepts I studied years ago echo in today’s GDPR frameworks across Europe.

Around a decade ago, my career took me to Yorkshire in the UK, where I served as the Group Data Protection Officer for the country’s largest online retailer of musical instruments and equipment. This role allowed me to apply my international legal knowledge and language skills to navigate the complexities of GDPR implementation when it came into effect.

Since 2021, I’ve held the position of Head of Privacy and Data Protection Officer at Pharmacy2U, the UK’s leading online pharmacy. The rapid expansion of digital healthcare solutions in the UK presents a unique and complex set of privacy challenges, and it’s an exciting arena to apply my expertise in. So, that’s the journey I’ve taken so far, and I look forward to the continued evolution of privacy in the digital landscape.

How will the EU’s AI Act protect us as individual data subjects?

The EU AI Act is fundamentally geared towards safeguarding individual data subjects like you and I. It achieves this by adopting a risk-based approach; it categorises AI systems based on the potential risk they present. Any system that poses an unacceptable risk – think of those systems exploiting people’s personal data or promoting bias – are outright banned.

Additionally, the Act puts obligations on both providers and users based on the level of risk an AI system represents. For instance, high-risk AI systems, like a voting influence system in a political campaign or social media’s recommendation algorithms – these systems must undergo a thorough evaluation before they hit the market and continuous evaluation during their lifecycle.

The Act doesn’t stop there; it explicitly bans systems of biometric surveillance, emotion recognition, and predictive policing, except in very specific, controlled circumstances. This should assure us that our data isn’t misused without proper authorisation or oversight.

Transparency is also a key feature of the Act. It mandates systems like ChatGPT, which generate content, to make clear that such content is AI-generated. This allows us as users to differentiate between human and AI interactions.

Finally, the Act strengthens our right to lodge complaints and receive explanations about decisions made by high-risk AI systems. This means you and I, as a data subject, have a say and can hold accountable parties responsible when AI impacts our rights.

How will the new regulation help organisations to bolster their compliance programmes, as businesses embrace AI?

The EU AI Act provides an indispensable legal roadmap for businesses who are navigating the world of AI. It provides clear rules which can help organisations comprehend their responsibilities when using and managing AI.

By distinguishing AI systems based on risk levels, organisations can prioritise their compliance initiatives more effectively. Let’s say a business uses a high-risk AI system; this Act ensures they know such a system requires an assessment before its deployment and regularly throughout its life.

Importantly, the Act also recognises that AI systems should not operate autonomously but should be overseen by human judgement. This helps businesses to establish oversight mechanisms and foster compliance cultures that incorporate human accountability.

Innovation is another cornerstone of the Act. It promotes regulatory sandboxes, essentially controlled environments established by authorities to trial AI before its rollout. This approach allows organisations to safely and legally test their AI systems, which is crucial for businesses in the AI industry.

The Act also imposes obligations on providers of foundational models, requiring them to ensure the protection of fundamental rights, health and safety, democracy, and the rule of law. Businesses are tasked to assess and mitigate risks, comply with design and environmental requirements, and register in the EU database. This not only strengthens compliance but also promotes trust between businesses, their customers, and society.

Last but not least, the Act promotes open-source AI components, supporting the ethos of transparency, collaboration, and community that’s so essential to AI innovation today.