GDPR Learning Hub


Information obligation in the development and use of AI tools 

It is difficult for companies to fulfil their information obligations when developing and using AI tools in accordance with the GDPR. 

Right to information

Data subjects have several rights under the GDPR, one of which is the right to information under Articles 13 and 14 of the GDPR. In other words, data subjects should be informed about the processing of their personal data. This applies both when the personal data is collected and if they request the information. 

Examples of what data subjects have the right to receive information about

  • What the purpose of the processing is.
  • The legal basis on which the processing is based.
  • The storage period.
  • Who may access the personal data, such as third parties. 
  • What rights the data subjects have under the GDPR. 

Difficulty meeting the information obligations

It is not always easy to meet the requirements regarding the information obligation under the GDPR when developing and using AI tools. It can be difficult to explain how an AI model works and for the data subjects to gain insight into it. 

Deep learning and the black box

Deep learning is a method often used to develop an AI model. It is a form of machine learning. Through this method, it is possible to process very large amounts of information that a natural person could not possibly review. In addition, it is difficult for natural persons to map the different parameters and how they relate to each other, and thus how the AI model arrives at its results.

Black box

When a user of an AI model knows only the input and output, it is considered a black box.

It is difficult to live up to the information obligation when an AI model is used to make decisions about natural persons. Note that the fact that the AI model is considered a black box, and that it is difficult to explain how it works, does not relieve a company of its obligation to inform data subjects.

Checklist to meet the requirements in accordance with the information obligation in the development and use of AI models


1. Try to avoid automated decisions

It is good to try to avoid using automated decision-making, as the rules that apply in that case are stricter and harder to comply with. Analyse carefully whether it is necessary to use automated decision-making. If it is necessary, it is useful to examine whether it is possible to supplement it with human intervention, so that the decision does not rely solely on automated processing.


2. Keep the rights of data subjects in mind

It is good to always keep the rights of data subjects in mind when designing and using the AI model. In addition, it is important to take adequate technical and organisational security measures. If it is possible to anonymise the personal data, the company should do so.


3. Follow up regularly

An AI model should be followed up continuously, in order to build as good an understanding of it as possible: for example, how the result is produced, and to ensure that the algorithms used are non-discriminatory.


4. Document inputs and final results

Companies must be able to show that they comply with the GDPR, and therefore it is good to always document the GDPR work: for example, how different input data affect the result, and how the data subjects can affect the result. In addition, it is good to document the conclusions carefully.


Discriminatory algorithms

It is important to keep in mind not to use discriminatory algorithms when developing and using AI models, since this is forbidden. This applies whether such use is intentional or not. Therefore, it is good to test the AI tools continuously, to make sure that they are not discriminatory. Discriminatory algorithms violate the fundamental principle of lawfulness, fairness and transparency, which is one of the seven principles of the GDPR that companies must comply with.
