The EU Artificial Intelligence Act is here and brings a number of considerations as to how businesses manage personal data, GDPR compliance and privacy policies.
Here, Sara Ludlam explains why GDPR compliance should be front and centre when it comes to AI and when you might need to gain consent from your data subjects or make updates to your policy documents.
Do we need to think about GDPR compliance when buying an AI tool?
When introducing AI, you’ll typically be looking to make greater and better use of the personal data that your business currently holds — whether that includes customers, suppliers or employees.
The use of any AI product or system that's designed to process and interrogate the personal data you hold more effectively is highly likely to require additional thought and compliance work: for example, confirming that there is a lawful basis for holding and using the personal data in this new way, and updating your privacy notices accordingly.
This is especially the case if your use of AI will involve profiling or other decision-making that results in a legal consequence or significantly impacts an individual.
GDPR and automated processing
The introduction of AI systems means that we all need to better understand what's meant by article 22 of the GDPR when it says: "The data subject [that is, you or I] shall have the right not to be subject to a decision based solely on automated processing [processing of personal data by automated means, with no meaningful human involvement], including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her…"
A few years ago, I struggled to find an example of such a situation. However, AI is bringing with it a whole new world where decisions may be taken about us based on automatically generated data from a range of sources that can categorise and predict how we’ll respond (for example, to marketing).
If those decisions relate to 'personal data', i.e., data relating to an identifiable (living) individual, the organisation deploying that AI system needs to comply with the GDPR.
The party that determines why and how personal data is processed and/or takes decisions based on AI (the controller) is responsible for GDPR compliance; a supplier that processes the data on your behalf (a processor, such as an AI vendor) has its own direct obligations, but that does not relieve you of yours. Under the UK GDPR, 'serious' breaches can result in fines of up to £17.5m or 4% of your annual worldwide turnover (whichever is higher), and the EU GDPR equivalent is €20m or 4%. The regulator also has a number of other sanctions at its disposal and can order your business to stop processing data.
Lawful basis and gaining consent
Under the GDPR, you have an obligation to only use personal data for the purpose for which it was originally collected, or for a purpose compatible with it (the purpose limitation principle).
If you want to process personal data through a new AI system, you're required to identify the lawful basis on which this new processing activity is being carried out. Consent is only one of the available lawful bases, and where you rely on it, it must be freely given, specific, informed and as easy to withdraw as it was to give. Note that a decision based solely on automated processing which has legal or similarly significant effects is only permitted where it is necessary for a contract with the individual, authorised by law, or based on the individual's explicit consent. Whichever basis applies, you will certainly need to let your data subjects know that their data is being processed in a new way.
This is likely to require you to update your privacy policy accordingly.
Next steps
If you're introducing a new AI system that involves the processing of personal data, consideration must be given to:
- The design of that system, including privacy considerations from the concept stage onwards, and a data protection impact assessment (DPIA) where the processing is likely to be high risk (systematic profiling and solely automated decision-making with legal or similarly significant effects always require one).
- Communication and transparency of your new processing activities (potentially by updating your privacy policy), including meaningful information about the logic involved in any automated decision-making.
- Opportunities for data subjects to object to or opt out of such processing activities and, for solely automated decisions, to obtain human intervention, express their point of view and contest the decision.
The ICO has updated its guidance on AI and data protection "to clarify requirements for fairness in AI". This covers frameworks and risk assessment tools for the handling of personal data (the GDPR term; 'PII', or personally identifiable information, is the narrower US equivalent) and includes content on how to ensure accountability and governance, transparency and lawfulness when using AI.
Talk to us
If you have questions about how to adopt or integrate AI into your business in the most effective and compliant way, our data protection and technology law experts are here to help.
Talk to us by giving us a call, sending us an email or completing our contact form below.