The Information Commissioner's Office (ICO) has recently issued its final version of its guidance on artificial intelligence and data protection (Guidance). The Guidance is designed to assist organisations developing and delivering artificial intelligence (AI) projects in ensuring that they remain compliant with the GDPR and the Data Protection Act 2018 in regards to how such organisations manage data or how they offer their AI services to customers and clients.
Over the past decade, the implementation of AI projects and services has increased to the extent that it now effects the majority of businesses in their day-to-day operations and its benefits are clear. However, as the Guidance indicates, with this progression comes risks to the rights and freedoms of individuals. As such, the Guidance is required to be considered by those with a focus on the compliance requirements, for example, data protection officers and risk managers, and those with a focus on the technological developments of AI who will need to consider the impact it has on data protection.
The Guidance is split into four main parts, which provide helpful insight into what relevant organisations should be considering when dealing with AI. These parts are summarised below:
Part one: this part covers accountability, governance and how organisations will need to demonstrate that the AI systems in use process personal data in full compliance with data protection legislation. It outlines the importance of data protection impact assessments to ensure compliance with the relevant legislation and methodology to help organisations keep track of the data processing roles of parties in its supply chain in order to be fully aware of the risks.
Part two: this part covers the application of the lawfulness, fairness and transparency principles of AI systems, which focuses on providing insights on how organisations can identify the legal basis for any processing undertaken. The ICO recommendations in this section include ensuring organisations document and break down each processing operation in order to correctly identify the legal basis for processing data, and ensuring any AI system processes data in a fair manner.
Part three: this part explains how AI systems can exacerbate known security risks and make them more difficult to manage, with a focus on the challenges faced by organisations as well as the techniques to help reduce risk for AI development and deployment.
Part four: this part explains the difficulties in ensuring that individuals rights are protected alongside AI systems, explaining how individuals rights apply to different stages of the AI lifecycle and the importance of human oversight to manage risk.
The ICO will continue to develop the Guidance to ensure it remains current and within its foreword indicates a desire to receive feedback to help achieve this noting: 'the development and use of AI within our society is growing and evolving' and will clearly be of growing importance for the foreseeable future.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.