The UK’s data protection watchdog the ICO has unveiled a new AI auditing framework designed to help ensure data protection compliance — warning that running personal data through such “opaque systems” comes with inherent risks. Marcus Grazette, Policy Lead at data privacy management firm Privitar looks at how the ICO’s guidance translates into practical action for companies?
The guidance is broad and focuses on the interaction between AI and the data protection legislation, stating that “in the majority of cases” companies are legally required to fill in a DPIA form.
It acknowledges the fact that AI often involves the personal data being “managed and processed in unusual ways” , making it difficult to apply data protection principles.
However, while ICO highlights that organisations will likely have to “consider a range of competing considerations and interests” when designing AI systems, when it comes to systems processing personal data, organisations must comply with data protection principles and cannot ‘trade’ this requirement away.
The ICO has said that it will continue to adapt the guidelines to keep pace with the “fast moving innovation and evolution” of AI.
Marcus Grazette, Europe Policy Lead at Privitar, said: “I welcome the ICO’s new guidance on AI and data protection. It brings together a broad range of issues including lawfulness, accountability and privacy risk, and offers practical guidance for AI projects.
“Data protection principles apply to all uses of personal data. But AI can pose specific challenges. For example, the classic ‘big data’ paradigm assumes that collecting and using as much data as possible can improve an AI model’s performance. On the surface, this seems at odds with the data minimisation principle.
“However, the reality is different. Organisations can achieve performance and data minimisation by carefully curating training data and by using de-identification techniques to retain only the precision and values they need. Approaching all data driven projects in this way can also help with the GDPR requirement for data protection by design.
“We can all agree that data-driven innovation is essential. But innovation will only happen if organisations are able to use data. A 2019 survey asked 1,500 data leaders about their data management challenges. 25% said that they could not confidently meet regulatory requirements. Clear guidance will help to increase confidence and boost innovation.”
