AI or GDPR?

AI or GDPR?
Author: Andrea Tang, FIP, CIPP/E, CIPM, ISO27001LA
Date Published: 4 November 2019

Consider an organization adopting artificial intelligence (AI) as being represented by a self-driving car. Data serve as gasoline, which provides the driving force to the car; machine learning (ML) is the engine, which determines the performance of the car; and AI operates as the role of the sensor in the car, contributing to the process of automatic decision-making. A self-driving car with good performance requires more data input to obtain continuous driving force to become more competitive and make more accurate analysis and predictions. However, especially for an Internet finance organization, multiple relational datasets can easily result in “isolated islands of information,” which make it difficult to connect the datasets where they can talk to each other.

How to implement data sharing effectively without violating EU General Data Protection Regulation (GDPR) provisions becomes one of the biggest concerns of AI GDPR compliance. The following are questions answered in my recent Journal article:

  • Will GDPR result in the prohibition of AI for use with EU individuals’ data?
  • How does one obtain informed consent for an AI algorithm that cannot explain its decision-making criteria?
  • If a user opts out, is an alternative human-based decision system available?

In my recent article, I explain the main conflicts between AI and GDPR (figure 1).

AI vs. GDPR

Proposed Suggestions

Reference GDPR Provisions

Accuracy of automated decision-making

  • Obtain human intervention and do not rely solely on a machine

  • Use data accuracy analysis technology—monitor the AI agent performance and use ML to increase the accuracy

  • Conduct a data protection impact assessment (DPIA) and trustworthy AI assessment

  • Conduct rigorous testing, e.g., penetration tests and cybersecurity control assessments

  • Ensure traceability, auditability and transparent communication on system capabilities

Article 4(4), Article 9, Article 12, Article 13, Article 14, Article 15, Article 21, Article 22, Article 35(1) (3)

The Right to Erasure

  • Use something like Google’s option of automatic deletion of a user's search and location history

Article 6, Article 9, Article 12, Article 17, Recital 65, Recital 66

Data minimization

  • Pseudonymize data

  • Use data distortion processing technology; keep the property of data for statistics use in AI

  • Apply federated ML and transfer learning when there is a need to collect personal data

Article 5(1)(c), Recital 39,  Article 16, Article 17

Transparency principle

  • Use metadata management tools: data governance to authorize specific person accessing the specified data link terminal (DLT)

  • Have a specific privacy notice and explicit consent

  • Use a differential privacy model; delete personally identifiable information (PII) without modifying the meaning of datasets

Article 5, Article 12, Article 13, Article 14

Read Andrea Tang's recent Journal article:

"Making AI GDPR Compliant," ISACA Journal, volume 6, 2019.