Where do businesses stand on data privacy and AI?

ChatGPT has been a headline driver, helping to spread popular recognition of the technology, at once providing an indicator of the substantial advantages in productivity and efficiency that businesses and workforces worldwide stand to realise.

But dangers are present. Below, we examine due diligence factors that organisations should be observing in order to mitigate risk and optimise data privacy when embracing AI.

Data Protection by design and default baked in

Compliance must be a priority when harnessing AI. One of the pathways to compliance is implementing data protection through design and default set-ups. 

We saw it as a founding tenet of the GDPR, expressed in Article 25, stipulating that organisations must consider data security from the beginnings of any new project.

Data Protection Impact Assessments (DPIAs) play a fundamental role here, helping companies to evaluate hazards and pinpoint ways in which to minimise risk. In some cases, projects may have to change shape dramatically and less intrusive methods may be necessary to realise similar goals.

AI’s specific data threats

AI brings specific problem areas because of its nature; the intricacies of processing make it trickier to achieve transparent data handling.

DPIAs (Data Protection Impact Assessments) are an important weapon in any company’s armoury in this area. Examining and planning out data flows and the algorithms that support them are essential in order to understand how data is harvested, processed and stored. This information should then be relayed to stakeholders in clear, understandable language.

Transparency is crucial, especially when it comes to demonstrating how organisations reach certain decisions and conclusions.

Legal implications of AI-driven decisions

Just as important as transparency is the need to keep consumers, clients and customers fully informed on the legal ramifications of AI-driven data processing. In the GDPR, Article 22 informs of a data subject’s right not be impacted by a decision that is made off the back of this kind of processing. Such an action might be the automatic refusal for a web-based credit application without human intervention in that decision.

In these cases, an individual is entitled to have human interaction involved in that decision-making process.

Data minimisation

Another keystone of data privacy and compliance, companies should endeavour to draw in the least amount of data possible to enable processing activities. Bring AI into the equation and this principle only grows in importance.

Clear data retention policies also need to be established, giving messages on how long information will be stored.

Continuous training and learning

Up to nine-in-ten data breaches are down to human mistakes, studies show. Organisational compliance, therefore, hinges on the proficiency of the least-trained staffer.

Through the coming year, firms should ensure that GDPR education strategies are current, being actioned thoroughly, and fully aligned to risks associated with AI.

Intricate governance networks

GDPR has inspired similar regulatory frameworks across the world, adding complexity to the international data privacy spectrum.

Companies should stay on top of these developments, staying attentive to legal suites such as the EU’s AI Act and how they stand to influence the application of AI across borders. After expressing that it will not embrace a statutory framework, as per the EU AI Act, the UK government plans to adopt a pro-innovation stance in regulation, empowering relevant regulators to shape and advise on the use and integration of AI, guided by five principles focused on values across different sectors.

Know the risks

Learn more about the obligations, risks and opportunities associated with AI, exclusively at Global Privacy Day this January.