Data

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Data Protection Principles

The six data protection principles that underpin UK data protection legislation should form an integral part of the processing of personal data in the context of implementing AI solutions.

FAIRNESS, LAWFULNESS AND TRANSPARENCY (ARTICLE 5(1)(A)) GDPR
The processing of personal data must be fair, lawful and transparent. In practice, an organisation should understand the datasets being processed, the protocols related to the algorithm and the weighting of factors on which the outcome/decision is based in order to explain clearly to data subjects how their data is processed, and to satisfy the fair processing notice and transparency obligations. An organisation is also required to identify which lawful basis of processing under article 6 of the GDPR is satisfied by the processing. The most likely lawful basis applicable to the processing of personal data by an AI solution are consent or legitimate interest.
PURPOSE LIMITATION (ARTICLE 5 (1)(B))
Personal data is only used for the purpose as notified to the individual when the data is initially collected (with certain exceptions) In practice, a company should regularly review the potential outputs and use cases for derived and inferred data, ensuring that the way the data is used is consistent with the original purpose. It should also carry out further analysis to determine related use cases, their related lawful basis and consider whether additional notifications (and related consents) are required.
DATA MINIMISATION (ARTICLE 5(1)(C))
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed’ and ‘personal data should not be kept for longer than is necessary for that purpose’. In practice, a company should implement appropriate controls to ensure that data used to teach AI models is up-to-date and accurate as well as reviewing processes for deletion (where technically possible) as appropriate.
ACCURACY (ARTICLE 5(1)(D))
Controllers must ensure that data is accurate and up to date. In practice, a company should predefine a process for how inputs can be corrected.
SECURITY (ARTICLE 5(1)(E))
Security measures applied to processing should be assessed given the nature of personal data, risk of processing and security measures available at the time to ensure that the personal data is protected from data security breaches. In practice, a company should assess security measures applied to an AI platform or system (including any related databases) and record assessment of risk versus security measures chosen.
RETENTION (ARTICLE 5(1)(F))
Personal data should not be kept for longer than necessary for the purpose it was collected. In practice, a company should consider its retention policy for datasets and review processes for deletion (where technically possible) as appropriate.

Key compliance elements

Transparency

Personal data must be processed in a transparent manner in relation to the data subject – effectively, this means informing individuals why their data will be processed and any impact which the processing will have on them. In particular, AI solutions organisations are also required to provide the logic behind the solution’s algorithm.

From a commercial perspective, two issues arise:

• organisations may not wish to divulge information as to how its algorithms work from a trade secret perspective; and
• it may be difficult to explain how a prediction is made by an AI system due to the black box nature in which it operates.

In order to effectively discharge the transparency obligation and address these issues, organisations will need to have fully considered the privacy impact of employing the AI solution – Data Protection Impact Assessments are a useful way of carrying out such diligence and ensuring that the relevant issues are considered.

Automated decision-making and profiling

AI solutions can be used for automated decision-making purposes, which may also use profiling techniques, to discover an individual’s preferences, predict their behaviour and make decisions relating to that individual.

Data protection laws in the UK put restrictions in place in respect of such processing; in particular, individuals have the right not to be subject to decisions made about them, where solely made on an automated basis (with some exceptions). When setting its objectives for the use of an AI solution, organisations must, as a minimum, ensure that they build into the process appropriate human intervention checkpoints to safeguard against automated processing solely resulting in decisions which have a legal effect on individuals.

See the Ethics section for further information on explaining AI based decisions to individuals.

Privacy by design and privacy by default

The GDPR codifies the concept of privacy by design and privacy by default (Article 25).

When implementing an AI solution, privacy by design and default concepts should be considered at the project outset to ensure appropriate privacy safeguards are built in to processes. At its heart, this means that data protection controls and settings are set at the highest standard as a default, and AI solutions are designed with privacy principles at their core.

Data Protection Impact Assessment (DPIA)

Under Article 35(3) of GDPR, a DPIA is required in case of ‘a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.’

Based on the broad requirement under Article 35(3), most AI solutions would require a DPIA to be completed prior to implementation. As part of a DPIA, organisations are required to carry out a detailed assessment of the AI solution from a data protection perspective, including the technical and organisational security measures which are applied.

Prior consultation of the Supervisory Authority

Where a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk, the controller must consult the relevant Data Protection Supervisory Authority under Article 36 of GDPR.

On completion of a DPIA therefore, organisations should consider whether there are any residual risks which are rated as high that it was not able to address through mitigation, and whether engagement with a Supervisory Authority is required.

Data Subject Rights

The GDPR also introduces a number of enhanced rights for individuals with regard to their personal data, such as the right of access to processed personal data, the right to be informed about the processing, the right to restrict the processing, the right to erase the personal data concerning the data subject, the right to object to the processing of personal data and the right to data portability (Data Subject Rights).

In practice, employing new AI solutions will require processes for handling Data Subject Rights requests to be tailored to take into account the methods of processing. These processes need to be clearly defined and documented before new technologies are deployed to ensure an organisation can comply with its obligations in connection with Data Subject Rights requests.

GDPR and Brexit 

The GDPR has extraterritorial effect and will apply to organisations that carry out cross border processing of EU personal data in certain circumstances.  It follows that, after Brexit, UK companies carrying out cross border processing of EU personal data will still be subject to the respective obligations under the GDPR. In addition, the UK has implemented the GDPR into national legislation - the UK GDPR. Therefore UK organisations will be required to adhere to these principles in connection with all processing of personal data.

Current at 20 November 2020