How to handle AI from a GDPR perspective

The “new spring” of Artificial Intelligence, as this period of AI expansion is called, presents incredible opportunities for businesses, individuals, and society. However, it also introduces significant challenges, particularly in terms of personal data protection, discrimination, biases, and wrongful decisions. For example, if an organisation uses AI to rank candidates’ CVs against the CVs of its current top talent, the model learns whatever hiring bias shaped that talent pool and applies it automatically, which can amount to discrimination based on gender, race, or nationality.

The European Union’s General Data Protection Regulation (GDPR) is one of the most stringent personal data protection regulations globally, and it plays a crucial role in shaping how organisations can develop, implement, and manage AI systems. Most of the time, AI systems process large quantities of personal data to function effectively, so they must comply with GDPR requirements — but how can organisations protect personal information according to the GDPR, while still allowing for innovation?

The expansion of AI presents significant opportunities, but it also poses challenges related to personal data protection, discrimination, and decision-making biases, all of which must be addressed within the GDPR’s strict requirements. Organisations using AI must ensure transparency, data minimisation, and accountability to respect individuals’ rights and comply with regulations while balancing innovation and privacy.

Where do the GDPR and AI intersect?

The GDPR is designed to protect the personal data of people in the European Union. It is not limited to EU citizens and residents; it also protects people visiting the EU. It applies to any organisation established in the EU, as well as to organisations established outside the EU if they offer goods or services to people in the EU or monitor their behaviour (Article 3).

Handling GDPR compliance for AI systems is a challenge because personal data processing is often opaque, automated, and based on patterns discovered in large datasets. One of the biggest challenges is lack of transparency: AI decision-making is often a “black box,” so individuals cannot easily understand how their data is used or how decisions are reached, and those decisions can affect their rights, particularly in cases of profiling or discrimination. It is also difficult to ensure data minimisation and purpose limitation, since AI systems may call for large datasets and complex processing, which sit uneasily with these key principles.

Establishing a legal basis for processing personal data is another serious challenge, especially when datasets containing personal data are used for training. Consent requires full transparency and can be withdrawn by the data subject at any time, which poses significant problems for a model that has already been trained on that data. Legitimate interest might be a solution, but the data controller must perform a legitimate interest assessment, identify all the rights and freedoms of the individuals that might be affected by the processing, and address each of them with technical and organisational measures.

Addressing these challenges requires a solid understanding of GDPR principles, alongside a strategic approach to managing AI development and deployment.

Key GDPR principles relevant to AI

To handle AI systems in a GDPR-compliant manner, they must comply with all GDPR principles. Let’s explore some of these principles, how they affect AI systems, and how compliance can be reached.


Lawfulness, fairness, and transparency

The GDPR requires that personal data be processed lawfully, fairly, and in a transparent manner. Lawfulness means, first, that the processing rests on one of the legal bases in Article 6 (and, for special categories of data such as health or ethnicity, one of the conditions in Article 9), and, second, that the AI system does not breach other laws of the countries where it operates, not only the GDPR.

Fairness means that the processing is not unjustifiably detrimental, unexpected, or misleading to the individuals concerned, and that the system does not discriminate against them. This is where the EU AI Act comes to help, as certain practices that harm people are included in the list of prohibited AI practices in Article 5, such as social scoring, AI systems that deploy subliminal techniques, AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage, and so on.

Transparency is key to GDPR compliance, which is why a data controller needs to explain in simple, short sentences what the algorithm does with the personal data being processed, the expected outcome of the processing, the main risks, and how they are addressed. Usually, this information is delivered to the data subject through a privacy notice.

To learn more about what a privacy notice should contain, read this article: Everything you need to know about the GDPR Privacy Notice.

Purpose limitation

Personal data collected by organisations must be used for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In the AI context, this means AI models should be trained and deployed for specific purposes that have been clearly communicated to the data subjects, and that organisations must not use personal data for purposes beyond what was initially communicated, unless new legal grounds for processing are identified.

Data minimisation

AI systems consume large datasets of personal data to produce accurate predictions and insights, but the GDPR mandates that only the minimum amount of personal data necessary for the specific purpose be processed. Organisations need to assess the volume of personal data used in AI systems and ensure that it is the least required for the intended purpose, and they should use techniques like anonymisation, pseudonymisation, or synthetic data generation to reduce reliance on personal data while still maintaining AI functionality. One caveat: pseudonymised data remains personal data under the GDPR (Article 4(5) and Recital 26) as long as the key or mapping that links it back to individuals exists; only data that is truly anonymised, so that no one can reasonably re-identify the person, falls outside the regulation.

Data accuracy

The GDPR requires that personal data be accurate and, where necessary, kept up to date. AI models trained on outdated or incorrect personal data can lead to inaccurate predictions or decisions, so data controllers must make sure that the datasets used for training AI systems are accurate, relevant, and have the right context. Also, they must implement mechanisms for regular updates or corrections to personal data and continuously monitor AI outcomes to ensure that decisions based on personal data reflect real-world accuracy.

Storage limitation

Personal data should not be kept for longer than is necessary for the purposes for which it was processed. In the AI domain, this means that personal data used to train or validate models should not be stored indefinitely. Organisations must establish retention schedules to periodically review, delete, or anonymise data that is no longer needed, and AI models should be updated or retrained with more recent personal data when necessary. In practice, the retention schedule must cover every copy the pipeline creates, including training and validation sets, model checkpoints, feature stores, and inference logs, not just the original source database.

Integrity and confidentiality

This is one of the most important principles in the GDPR, as it relates to the security of personal data. AI systems must be designed with robust security measures to protect against data breaches, unauthorised access, and other forms of misuse, using encryption, access controls, and regular security audits to protect the personal data used in AI. Privacy-enhancing technologies such as federated learning, differential privacy, and homomorphic encryption reduce the risk of exposing sensitive data while still enabling AI functionality, but they reduce rather than eliminate it: a trained model is itself an asset that can leak training data (for example through memorisation or membership inference), so access to model weights and inference APIs must be controlled like access to the data.

Data protection by design and by default

This principle (Article 25) requires data controllers not only to process personal data in a GDPR-compliant manner, but also to design their processing operations so that compliance is built in and the most privacy-protective settings apply by default. This means that data controllers must adhere to the above principles from the design phase of an AI system, not retrofit them after deployment.

To learn more about data protection principles, read this article: Contents of the Data Protection Policy according to GDPR.

Accountability

The data controller is required to demonstrate compliance with the GDPR at any time. This means that if a data processor or an employee causes a data breach or processes personal data in a noncompliant manner, the controller is accountable. It is very important to determine clear accountabilities and roles for the processing of personal data in AI systems across the actors in the supply chain. The EU AI Act assigns distinct roles and responsibilities to providers, importers, distributors, and deployers, but under the GDPR each of these actors is simply a data controller, a joint controller, or a processor. It is crucial to determine the GDPR role of each actor in the processing of personal data in AI systems, in order to clearly establish who is accountable for what and to communicate this accurately to the data subjects.

Lawful bases for processing personal data in AI

To comply with the GDPR, organisations need to establish a legal basis for processing personal data through AI systems.

Consent

In the consent case, individuals must provide clear, informed consent before their data can be used for AI processing. Consent must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give. As mentioned previously, this is a challenge: once consent is withdrawn, processing based on it must stop, and the data must be erased unless another lawful basis applies, including any personal data the algorithm has derived about the individual. Withdrawal does not make earlier processing unlawful (Article 7(3)), but a model that has already learnt from the withdrawn data may need to be retrained.

Performance of a contract

If the AI system processes personal data to perform a contract with the data subject (e.g., an AI-based recommendation system for a service subscribed to by the user), this can provide a lawful basis, but the data controller must demonstrate that the processing is actually necessary for the performance of the contract.

Legal obligation

AI may process personal data when this is required to comply with a legal obligation to which the controller is subject, such as regulatory reporting or fraud checks that the law expressly requires (for example, anti-money-laundering screening). Fraud prevention that the law does not require is more commonly justified under legitimate interest.

Vital interest

In certain cases, AI might be required to process personal data in order to protect the vital interests of the data subject or of another person, for example to save a life. This basis applies only where no other basis is available.

Public interest and legitimate interest

Public authorities (and other bodies acting under official authority) can process personal data when it is necessary for a task carried out in the public interest. Other organisations can process personal data if it is necessary for their legitimate interests, provided these interests are not overridden by the individuals’ rights and freedoms; note that public authorities cannot rely on legitimate interest for the performance of their tasks. AI applications relying on legitimate interest must undergo a legitimate interest assessment, and where the processing is likely to result in a high risk to individuals (large-scale profiling is a typical case), a data protection impact assessment as well.

Organisations must document the legal basis for each AI-related data processing activity and ensure that data subjects are informed of the rationale.

See also: Is consent needed? Six legal bases to process data according to GDPR.

Data subject rights in the context of AI

The GDPR grants data subjects various rights over their personal data, and organisations must ensure that AI systems respect these rights.

Right to be informed and right of access

Individuals have the right to know whether their data is being processed, the purposes of processing, third parties involved, and retention timelines, and they also have the right to access the personal data being processed. Organisations must provide clear, concise information about how AI processes personal data and offer data access in a user-friendly format.

Right to rectify personal data

Data subjects can request correction of inaccurate or incomplete personal data. If AI systems rely on erroneous data for decision-making, organisations must offer a way to rectify the source data.

Right to be forgotten

Individuals can request deletion of their personal data under certain conditions, so AI systems should be designed to accommodate such requests, which may involve removing the individual’s data from training datasets or anonymising it beyond re-identification. Deleting a record from the training set does not remove what an already trained model has learnt from it, so honouring the request fully may require retraining from the cleaned dataset, or training with privacy-enhancing technologies such as differential privacy from the outset so that no single record measurably influences the model.

Right to request restriction of processing

If an individual submits a restriction of processing request, the data controller should limit how their data is used, particularly during disputes about data accuracy or lawfulness of processing. AI models must be capable of pausing or restricting the use of certain data without compromising functionality.
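The passages above on data minimisation, pseudonymisation, erasure, and restriction describe controls without showing how they fit together in a pipeline. The following is an added example, not code from the original article or from Advisera, sketching one way to do it for the CV-screening scenario mentioned in the introduction: direct identifiers are replaced by a keyed HMAC token whose key is held outside the training environment, attributes outside the stated purpose (including gender) are dropped before training, and erasure and restriction requests are recorded against the token so the training set can be regenerated without the affected rows. The field names, the identifier format, and the sample records are constructed for illustration.

```python
"""Pseudonymisation and minimisation layer for a hypothetical CV-screening model.

Added example for this article, not code from the original page or from
Advisera. Field names, the identifier format and the sample records are
constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Data minimisation: the only attributes the (hypothetical) screening purpose
# needs. Everything else in a record is dropped before it reaches training.
ALLOWED_FEATURES = ("years_experience", "skills", "education_level")


@dataclass
class PseudonymVault:
    """Holds the HMAC key and per-subject status, outside the training environment.

    The training set only ever sees the token, so it cannot be linked back to a
    person without this vault. Under the GDPR the tokenised records are still
    personal data (pseudonymised, not anonymised), because the key exists.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    restricted: set = field(default_factory=set)   # Article 18 restriction requests
    erased: set = field(default_factory=set)       # Article 17 erasure requests

    def token(self, subject_id: str) -> str:
        # Keyed hash: a plain SHA-256 of an email or national ID can be reversed
        # by brute force over the input space; an HMAC with a secret key cannot.
        return hmac.new(self.key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def restrict(self, subject_id: str) -> None:
        self.restricted.add(self.token(subject_id))

    def lift_restriction(self, subject_id: str) -> None:
        self.restricted.discard(self.token(subject_id))

    def erase(self, subject_id: str) -> None:
        # Store only the token of an erased subject, never the identifier, so the
        # vault does not retain what it was asked to delete.
        self.erased.add(self.token(subject_id))

    def usable(self, token: str) -> bool:
        return token not in self.restricted and token not in self.erased


def build_training_set(vault: PseudonymVault, records: list) -> list:
    """Minimise and pseudonymise raw records; skip restricted and erased subjects."""
    out = []
    for rec in records:
        token = vault.token(rec["subject_id"])
        if not vault.usable(token):
            continue
        # Drop direct identifiers and any attribute outside the stated purpose.
        out.append({"token": token, **{k: rec[k] for k in ALLOWED_FEATURES if k in rec}})
    return out


def apply_requests(vault: PseudonymVault, training_set: list) -> list:
    """Re-filter an already built training set after new requests have arrived.

    A model trained on the old set has already learnt from the removed rows;
    honouring the request fully means retraining from this filtered set.
    """
    return [row for row in training_set if vault.usable(row["token"])]


# Constructed sample input (not real people).
SAMPLE_RECORDS = [
    {"subject_id": "cand-001", "name": "A. Example", "email": "a@example.test",
     "gender": "F", "years_experience": 7, "skills": ["python", "sql"], "education_level": "MSc"},
    {"subject_id": "cand-002", "name": "B. Example", "email": "b@example.test",
     "gender": "M", "years_experience": 3, "skills": ["java"], "education_level": "BSc"},
    {"subject_id": "cand-003", "name": "C. Example", "email": "c@example.test",
     "gender": "F", "years_experience": 12, "skills": ["go", "k8s"], "education_level": "PhD"},
]


def demo() -> dict:
    """Walk through a build, a restriction, an erasure, and a lifted restriction."""
    vault = PseudonymVault()
    training = build_training_set(vault, SAMPLE_RECORDS)
    vault.restrict("cand-002")             # accuracy dispute: pause, do not delete
    vault.erase("cand-003")                # erasure request
    after = apply_requests(vault, training)
    vault.lift_restriction("cand-002")     # dispute resolved
    final = apply_requests(vault, training)
    return {"initial": len(training), "after_requests": len(after),
            "after_lift": len(final), "fields": sorted(training[0].keys())}


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. Restriction is modelled separately from erasure because the GDPR treats them differently: a restricted subject’s row must come back once the dispute is resolved, whereas an erased one must not. And destroying the vault key does not on its own turn the remaining rows into anonymous data: a combination of quasi-identifiers such as years of experience, education, and a rare skill set can still single out a person, so an anonymisation claim needs a re-identification risk assessment of the remaining attributes, not just removal of the key.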

Right to data portability

Data subjects have the right to receive the personal data they have provided to a controller in a structured, commonly used, and machine-readable format and to transmit it to another controller, where the processing is based on consent or a contract and is carried out by automated means. For AI this has a narrower reach than it first appears: the right covers data the individual provided (including observed data such as their activity), not inferences or profiles the model has derived about them. Derived data is still subject to the right of access, so organisations need a way to export both kinds, each in a compatible format.

Right to object

Individuals can object to the processing of their personal data based on legitimate interest or public interest, including profiling; for direct marketing the right is absolute and the processing must stop. AI systems, especially those involving automated decision-making, must provide mechanisms for individuals to object and, where the objection is upheld, to be excluded from the processing.

Right not to be subject to decisions based solely on automated processing

Under Article 22 of the GDPR, individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Such decisions are permitted only where necessary for a contract, authorised by law, or based on explicit consent, and even then organisations must implement safeguards such as meaningful human intervention, providing explanations of the logic involved, and allowing individuals to express their point of view and challenge the outcome.

Read also: Data subject rights according to GDPR.

Correct approach to processing personal data in AI

Handling AI under the GDPR requires a thoughtful and diligent approach. Organisations must navigate the complex relationship between AI’s need for personal data and the GDPR’s strict requirements by focusing on transparency, data minimisation, accountability, and individual rights. By embedding personal data protection into the design and operation of AI systems, businesses can leverage the power of AI while respecting privacy and complying with regulatory standards.

The evolving nature of AI and personal data protection regulations will require continuous monitoring and adaptation, but with careful planning and execution, organisations can strike the right balance between innovation and compliance.

To implement GDPR requirements in your AI project, use our EU GDPR Premium Documentation Toolkit.


Tudor Galos

Tudor is the Senior Privacy & AI Consultant at Tudor Galos Consulting, a cutting-edge boutique consultancy renowned for its forward-thinking, human-centric approach to innovation and digital transformation. With over 20 years of experience in sales, marketing, and management consulting, Tudor brings a wealth of expertise in privacy, AI governance, and data-driven strategy. He specializes in helping organizations navigate the complex landscape of data protection, ensuring compliance with global privacy regulations while unlocking the full potential of AI technologies.

Tudor is a trusted advisor to over 200 companies globally, guiding them through critical decisions that shape their digital futures. His strategic support spans the implementation of robust AI governance frameworks, enabling businesses to mitigate risks, enhance ethical decision-making, and drive AI innovation with confidence. By focusing on data governance and privacy-first practices, Tudor ensures that organizations can leverage the power of digital transformation while building trust with customers, partners, and regulators. His insights help businesses future-proof their operations in an increasingly regulated and technology-driven world, positioning them for long-term success in the era of AI and digital transformation.
