The “new spring” of Artificial Intelligence, as this period of AI expansion is called, presents incredible opportunities for businesses, individuals, and society. However, it also introduces significant challenges, particularly in terms of personal data protection, discrimination, biases, and wrongful decisions. For example, if an organisation uses AI to screen candidates’ CVs against the CVs of its top performers, any bias in past hiring decisions could be reproduced as automated discrimination based on gender, race, or nationality.
The European Union’s General Data Protection Regulation (GDPR) is one of the most stringent personal data protection regulations globally, and it plays a crucial role in shaping how organisations can develop, implement, and manage AI systems. Most of the time, AI systems process large quantities of personal data to function effectively, so they must comply with GDPR requirements — but how can organisations protect personal information according to the GDPR, while still allowing for innovation?
The expansion of AI presents significant opportunities, but it also poses challenges related to personal data protection, discrimination, and decision-making biases, and any personal data processing involved must comply with the GDPR’s strict requirements. Organisations using AI must ensure transparency, data minimisation, and accountability to respect individuals’ rights and comply with regulations while balancing innovation and privacy.
Where do the GDPR and AI intersect?
The GDPR is designed to protect the personal data of people in the European Union. It is not limited to EU citizens and residents; it also protects people visiting the EU. It applies to any EU organisation, as well as to organisations established outside the European Union, if they offer goods and services to people in the EU or monitor their behaviour.
Handling GDPR compliance for AI systems is a challenge because personal data processing is often opaque, automated, and based on patterns discovered in large datasets. One of the biggest challenges is the lack of transparency: AI decision-making processes are often seen as “black boxes,” making it difficult for individuals to understand how their data is being used and how decisions are made, and these decisions can impact individuals’ rights, particularly in cases of profiling or discrimination. It is also very difficult to ensure data minimisation and purpose limitation, as AI systems may require large datasets and complex operations that can conflict with these key principles.
Establishing legal grounds for processing personal data is another serious challenge, especially when datasets containing personal data are used for training purposes. Consent requires full transparency, and it can be withdrawn by the data subject, which would pose significant challenges for the functioning of the algorithm. Legitimate interest might be a solution, but the data controller must perform a legitimate interest assessment, identify all the rights and freedoms of the individuals that might be affected by the processing, and address them with technical and organisational measures.
Addressing these challenges requires a solid understanding of GDPR principles, alongside a strategic approach to managing AI development and deployment.
Key GDPR principles relevant to AI
AI systems must comply with all GDPR principles if they are to be operated in a GDPR-compliant manner. Let’s explore some of these principles, how they affect AI systems, and how compliance can be achieved.
Lawfulness, fairness, and transparency
The GDPR requires that personal data be processed lawfully, fairly, and in a transparent manner. Lawfulness means, first of all, that the AI system being analysed for compliance must comply not only with the GDPR, but with all other laws of the countries where it operates.
Fairness means that the AI system produces outputs that benefit people rather than harm them. This is where the EU AI Act helps: Article 5 lists prohibited AI practices, such as social scoring, AI systems that deploy subliminal techniques, and AI systems that create or expand facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage.
Transparency is key to GDPR compliance, which is why a data controller needs to explain, in simple, short sentences, what the algorithm does with the personal data being processed, the expected outcome of the processing, the main risks, and how they are addressed. Usually, this information is delivered to the data subject through a privacy notice.
To learn more about what a privacy notice should contain, read this article: Everything you need to know about the GDPR Privacy Notice.
Purpose limitation
Personal data collected by organisations must be used for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In the AI context, this means AI models should be trained and deployed for specific purposes that have been clearly communicated to the data subjects, and that organisations must not use personal data for purposes beyond what was initially communicated, unless new legal grounds for processing are identified.
Data minimisation
AI systems consume large datasets of personal data to produce accurate predictions and insights, but the GDPR mandates that only the minimum amount of personal data necessary for the specific purpose be processed. Organisations need to assess the volume of personal data used in their AI systems and ensure that it is the least amount required for the intended purpose. Techniques like anonymisation, pseudonymisation, or synthetic data generation can reduce reliance on personal data while still maintaining AI functionality.
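To illustrate, here is a minimal sketch of pseudonymisation in Python; the record structure and field names are hypothetical. Direct identifiers are replaced with keyed hashes before the data reaches a training pipeline, and the key is stored separately so that re-identification remains possible only under controlled conditions.

```python
import hmac
import hashlib

# The key must be stored separately from the pseudonymised dataset
# (e.g., in a key management service); placeholder value for illustration.
PSEUDONYMISATION_KEY = b"replace-with-a-securely-stored-secret"

def pseudonymise(value: str) -> str:
    """Replace a direct identifier with a keyed hash (HMAC-SHA256)."""
    return hmac.new(PSEUDONYMISATION_KEY, value.encode(), hashlib.sha256).hexdigest()

# Hypothetical record: keep only the attributes the model actually needs,
# and pseudonymise the identifier before training.
record = {"email": "jane.doe@example.com", "years_experience": 7, "skill_score": 0.82}
training_row = {
    "subject_id": pseudonymise(record["email"]),  # pseudonym instead of the raw email
    "years_experience": record["years_experience"],
    "skill_score": record["skill_score"],
}
print(training_row)
```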
Data accuracy
The GDPR requires that personal data be accurate and, where necessary, kept up to date. AI models trained on outdated or incorrect personal data can lead to inaccurate predictions or decisions, so data controllers must make sure that the datasets used for training AI systems are accurate, relevant, and placed in the proper context. They must also implement mechanisms for regularly updating or correcting personal data, and continuously monitor AI outcomes to ensure that decisions based on personal data reflect real-world accuracy.
Storage limitation
Personal data should not be kept for longer than is necessary for the purposes for which it was processed. In the AI domain, this means that personal data used to train or validate models should not be stored indefinitely. Organisations must establish retention schedules to periodically review, delete, or anonymise data that is no longer needed, and AI models should be updated or retrained with more recent personal data when necessary.
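As a simple illustration, a retention schedule can be enforced programmatically; in the Python sketch below, the purposes, retention periods, and record structure are all hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: maximum data age per processing purpose.
RETENTION = {
    "model_training": timedelta(days=365),
    "model_validation": timedelta(days=90),
}

def expired(records, purpose):
    """Return the records that have outlived the retention period for a purpose."""
    now = datetime.now(timezone.utc)
    return [r for r in records if now - r["collected_at"] > RETENTION[purpose]]

records = [
    {"subject_id": "a1", "collected_at": datetime(2023, 1, 10, tzinfo=timezone.utc)},
    {"subject_id": "b2", "collected_at": datetime.now(timezone.utc)},
]
# Expired records should be deleted or anonymised during a periodic review.
for r in expired(records, "model_training"):
    print(f"delete or anonymise records for subject {r['subject_id']}")
```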
Integrity and confidentiality
This is one of the most important GDPR principles, as it relates to the security of personal data. AI systems must be designed with robust security measures, such as encryption, access controls, and regular security audits, to protect against data breaches, unauthorised access, and other forms of misuse. Privacy-enhancing technologies like federated learning, differential privacy, and homomorphic encryption minimise the risks of exposing sensitive data while still enabling AI functionalities.
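To give a flavour of one such technology, here is a minimal sketch of the Laplace mechanism from differential privacy, applied to a hypothetical counting query: noise calibrated to the query’s sensitivity is added so that aggregate statistics can be released without exposing any individual’s data.

```python
import numpy as np

def dp_count(true_count: int, epsilon: float) -> float:
    """Release a count via the Laplace mechanism: a counting query has
    sensitivity 1, so noise with scale 1/epsilon yields epsilon-differential privacy."""
    return true_count + np.random.laplace(loc=0.0, scale=1.0 / epsilon)

# Hypothetical example: publish an approximate number of data subjects
# in a training set without revealing the exact count.
print(dp_count(true_count=10_482, epsilon=0.5))
```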
Data protection by design and by default
This principle requires data controllers not only to process personal data in a GDPR-compliant manner, but also to design processing operations that are GDPR-compliant from the outset. In other words, data controllers must adhere to the above principles starting from the design phase of their processing operations.
To learn more about data protection principles, read this article: Contents of the Data Protection Policy according to GDPR.
Accountability
The data controller is required to be able to demonstrate compliance with the GDPR at any time. This means that if a data processor or an employee causes a data breach or processes personal data in a noncompliant manner, the controller is accountable. It is very important to determine clear accountabilities and roles in the processing of personal data in AI systems by producers, distributors, implementers, and deployers. Under the EU AI Act, all of these actors have clear roles and responsibilities, but under the GDPR each of them acts as a data controller, joint controller, or processor. It is crucial to determine the role of each actor in the processing of personal data in AI systems, in order to clearly establish who is accountable for what and to communicate this accurately to the data subjects.
Lawful bases for processing personal data in AI
To comply with the GDPR, organisations need to establish a legal basis for processing personal data through AI systems.
Consent
Under this legal basis, individuals must provide clear, informed consent before their data can be used for AI processing. Consent must be specific, informed, freely given, and revocable. As mentioned previously, this can be a challenge: if consent is withdrawn, all personal data of the data subject must be deleted, including personal data generated by the algorithm.
Performance of a contract
If the AI system processes personal data to perform a contract with the data subject (e.g., an AI-based recommendation system for a service subscribed to by the user), this can provide a lawful basis, but the data controller must demonstrate that the processing is actually necessary for the performance of the contract.
Legal obligation
AI may process personal data when this is required for compliance with a legal obligation, such as regulatory reporting or fraud prevention.
Vital interest
In certain cases, AI might be required to process personal data in order to save the life of an individual.
Public interest and legitimate interest
Organisations can process personal data if it is necessary for the performance of a task carried out in the public interest, or for their legitimate interests, provided the latter are not overridden by individuals’ rights and freedoms. AI applications must undergo legitimate interest assessments, or even data protection impact assessments, to ensure compliance.
Organisations must document the legal basis for each AI-related data processing activity and ensure that data subjects are informed of the rationale.
See also: Is consent needed? Six legal bases to process data according to GDPR.
Data subject rights in the context of AI
The GDPR grants data subjects various rights over their personal data, and organisations must ensure that AI systems respect these rights.
Right to be informed and right of access
Individuals have the right to know whether their data is being processed, the purposes of the processing, the third parties involved, and the retention timelines, as well as the right to access the personal data being processed. Organisations must provide clear, concise information about how AI processes personal data and offer data access in a user-friendly format.
Right to rectify personal data
Data subjects can request correction of inaccurate or incomplete personal data. If AI systems rely on erroneous data for decision-making, organisations must offer a way to rectify the source data.
Right to be forgotten
Individuals can request deletion of their personal data under certain conditions. AI systems should therefore be designed to accommodate such requests, which may involve removing the individual’s data from training datasets or anonymising it beyond re-identification using privacy-enhancing technologies like differential privacy.
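As a minimal sketch, assuming training records are keyed by a subject identifier (a hypothetical structure), erasure could start with a step like the one below; note that the affected model would typically need to be retrained or updated afterwards, so the deleted data no longer influences its outputs.

```python
def erase_subject(dataset: list[dict], subject_id: str) -> list[dict]:
    """Remove all records belonging to one data subject from a training dataset."""
    return [row for row in dataset if row["subject_id"] != subject_id]

# Hypothetical dataset keyed by pseudonymised subject IDs.
dataset = [
    {"subject_id": "a1", "feature": 0.4},
    {"subject_id": "b2", "feature": 0.9},
]
dataset = erase_subject(dataset, "a1")
print(dataset)  # only subject "b2" remains; retrain the model on the reduced set
```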
Right to request restriction of processing
If an individual submits a restriction of processing request, the data controller should limit how their data is used, particularly during disputes about data accuracy or lawfulness of processing. AI models must be capable of pausing or restricting the use of certain data without compromising functionality.
Right to data portability
Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transfer it to another controller. This right presents a challenge for AI, as organisations need to ensure that personal data generated through AI processing can be extracted in a compatible format.
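As an illustration, the Python sketch below gathers a data subject’s records, including a hypothetical AI-derived attribute, and serialises them as JSON, one example of a structured, machine-readable format.

```python
import json

def export_subject_data(dataset, subject_id):
    """Collect one data subject's records and serialise them as JSON."""
    records = [row for row in dataset if row["subject_id"] == subject_id]
    return json.dumps({"subject_id": subject_id, "records": records}, indent=2)

# Hypothetical dataset mixing data provided by the subject with
# attributes derived by an AI system.
dataset = [
    {"subject_id": "a1",
     "provided": {"email": "jane.doe@example.com"},
     "derived": {"churn_score": 0.17}},  # AI-generated attribute
]
print(export_subject_data(dataset, "a1"))
```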
Right to object
Individuals can also object to the processing of their personal data for specific purposes based on legitimate interest or public interest, including profiling or direct marketing. AI systems, especially those involving automated decision-making, must provide mechanisms for individuals to object and potentially opt out of automated processing.
Right not to be subject to decisions based solely on automated processing
Under Article 22 of the GDPR, individuals have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. If an AI system makes such decisions, organisations must implement safeguards such as human intervention, providing explanations, and allowing individuals to challenge the outcome.
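One possible safeguard, sketched below with a hypothetical confidence threshold, is to route low-confidence model outputs to a human reviewer instead of issuing them automatically; independently of this, the data subject must still be able to obtain human intervention for decisions that were automated.

```python
# Hypothetical threshold below which a decision is escalated to a human
# reviewer rather than issued automatically.
REVIEW_THRESHOLD = 0.90

def decide(application_id: str, model_score: float) -> str:
    """Route a model output: automate only high-confidence results,
    and escalate everything else to human review."""
    if model_score >= REVIEW_THRESHOLD:
        return f"{application_id}: automated decision (score {model_score:.2f})"
    return f"{application_id}: escalated to human review (score {model_score:.2f})"

print(decide("app-001", 0.95))
print(decide("app-002", 0.62))
```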
Read also: Data subject rights according to GDPR.
Correct approach to processing personal data in AI
Handling AI under the GDPR requires a thoughtful and diligent approach. Organisations must navigate the complex relationship between AI’s need for personal data and the GDPR’s strict requirements by focusing on transparency, data minimisation, accountability, and individual rights. By embedding personal data protection into the design and operation of AI systems, businesses can leverage the power of AI while respecting privacy and complying with regulatory standards.
The evolving nature of AI and personal data protection regulations will require continuous monitoring and adaptation, but with careful planning and execution, organisations can strike the right balance between innovation and compliance.
To implement GDPR requirements in your AI project, use our EU GDPR Premium Documentation Toolkit.