The 8 Main GDPR principles when using AI
The use of artificial intelligence (“AI”) within organizations has become almost omnipresent. Machine learning especially is a widely used AI technology. Because machine learning AI systems tend to use personal data, it is crucial to ensure compliance with privacy and data protection laws, such as the General Data Protection Regulation (“GDPR”). Below we will present a short overview of the 8 main GDPR focuses for each organization that intends to use AI technology involving personal data in its business operations.
Principle 1: Privacy roles
Organisations can fulfil different roles in relation to AI systems. The processing of personal data is possible in each role. Two privacy roles are apparent from the GDPR: that of the controller and that of the processor. The controller must comply with the focus points mentioned in the white paper. Processors have to follow the instructions given by the controller in this process. In order to guarantee that this happens, a processing agreement must be concluded.
Principle 2: Purpose of the processing
In order to meet the GDPR, each AI system that involves the processing of personal data must have a well-defined, explicitly described and legitimate purpose for this processing. There are two phases in the development of a (machine learning) AI system: the learning phase and the operational phase. Because the two phases each have their own purpose, it must be assessed for each purpose separately whether it meets the requirements mentioned above. The purpose must already be established during the design phase of the system, to allow an assessment of the system’s suitability for the intended purposes and to determine whether an appropriate set-up is possible.
Principle 3: Legitimacy
Just like any other data processing, the use of personal data in AI systems must be based on one of the six exhaustively listed statutory grounds the GDPR offers. It can then be determined whether the processing of personal data is allowed in the first place, and which rights data subjects have with regard to the processing. Personal data that have been obtained unlawfully can never be used in AI systems. Special personal data can only be processed if the controller can rely on a statutory ground for exception.
Principle 4: Transparency
Organizations must provide clarity on the use of personal data in AI systems and must ensure that data subjects understand the information that is provided. When using data sets obtained via third parties, it can be challenging to inform the data subjects (in a timely manner and individually).
Principle 5: Data minimisation
The processing (such as collecting and using) of personal data must remain limited to what is necessary for the specific purpose, also in AI systems. This can be achieved through the careful selection and management of data sets and the minimising of the quantity of data that are used. You may also take a look at the 7 tips to comply with the principle of minimal data processing in the attached white paper.
Principle 6: Retention period
Personal data cannot be retained for an unlimited period of time. The GDPR requires that a specific term be set after which data must either be deleted or anonymised. A common feature of AI systems is the necessity to retain data for a longer time for the purpose of training data sets and analysing the functioning of the AI system over a longer period of time. In principle, this need not be an obstacle, as long as it can be argued why this longer retention period is necessary, and as long as only those data that are required for this are retained from the data sets.
Principle 7: Rights of data subjects
Data subjects have various rights under the GDPR to keep control over their personal data. The controller is obliged to inform the data subjects of the ways to exercise these rights. The rights apply to the personal data that are used throughout the life cycle of the AI system. Controllers are therefore advised to develop suitable mechanisms and rules from the design phase onwards, in order to be able to respond to requests of data subjects in a timely and adequate manner.
Principle 8: Profiling and automated decision making
Data subjects have the right not to be subjected to fully automated decisions, including profiling, which have legal consequences or significantly affect them otherwise. This is different if the data subject has consented to this, or if the processing arises from laws or regulations or an agreement with the data subject. However, specific conditions will apply in that case, such as the right of the data subject to human intervention and the right to contest the decision.
The AI Act regards AI systems as products, whose product safety is checked in advance. Although this offers indirect protection against defective AI systems, data subjects do not have a direct role in the AI Act and cannot exercise their rights directly (see focus point 7 in the white paper). As opposed to the AI Act, the GDPR does guarantee the right of data subjects to data protection when their data are used in AI systems. The GDPR provides them with several rights to remain in control of their personal data that are being processed in this context. This is all the more reason for organizations using AI systems that use personal data to comply with the rules from the GDPR.