AI Compliance through Design: Navigating GDPR - Episode 1: Strategic Planning
In the rapidly evolving world of Artificial Intelligence (AI), ensuring compliance with the General Data Protection Regulation (GDPR) is crucial for businesses operating in the European Union. In December 2024, the European Data Protection Board (EDPB) issued a non-binding opinion outlining how personal data is processed in the context of AI models [1].
The planning phase is a pivotal moment in the AI development life cycle, setting the foundation for compliance throughout the process. This phase requires an early evaluation of whether the personal data intended for AI training complies with GDPR criteria, such as relevance, necessity, and lawful grounds for processing [1][2][4]. Organizations must plan their data collection and processing strategies with an aim to avoid or limit personal data usage where possible, ensuring that data minimization and purpose limitation are embedded in the AI development process from the start.
Key considerations for GDPR compliance during this phase include carefully assessing the data sources used for training, implementing governance frameworks that integrate privacy-by-design principles from the outset, and preparing thorough documentation and impact assessments to ensure accountability and to support regulatory review [2][4]. The French data protection authority, CNIL, additionally emphasizes the importance of anticipating security risks, planning secure development environments, and preparing documentation of the analysis that validates whether the AI model falls within the scope of the GDPR, given the personal data it processes and its capacity to memorize that data [3].
An AI model may be considered anonymous provided that the likelihood of identifying the individuals whose data was used to build the model is insignificant, and the likelihood of extracting such personal data through queries is also insignificant [5]. The EDPB provides a non-exhaustive list of elements to consider when assessing an AI model's anonymity, such as the steps taken at the design stage to minimize personal data and the testing performed on the model [5]. However, an AI model that is specifically designed to provide personal data about individuals cannot be regarded as anonymous, and the GDPR necessarily applies [6].
Under the GDPR, the processing of personal data requires a valid legal basis; consent and legitimate interests are the bases most relevant to AI [7]. Legitimate interests can serve as the legal basis for AI processing if a three-step test is satisfied: the interest pursued is legitimate, the processing is necessary for that interest, and a balancing test against the rights of the individuals is passed [8]. The EDPB considers the use of a chatbot to assist users and the use of AI to improve cyber threat detection to be legitimate interests [9].
Businesses are required to implement appropriate technical and organizational measures, such as pseudonymization, during the processing of personal data [10]. The AI development life cycle encompasses four distinct phases: planning, design, development, and deployment [11]. The first phase involves understanding the business problem, defining objectives, and establishing a solid AI governance structure to ensure regulatory compliance [11].
The EU Artificial Intelligence Act (AI Act) and the GDPR are crucial for businesses using AI due to the importance of personal data in AI. Compliance with these regulations is required throughout the AI development life cycle, starting from the very first stages, reflecting the principle of data protection by design (Article 25 GDPR) [12]. By embedding GDPR compliance in the AI development life cycle, businesses can foster trust, protect individual rights, and maintain a competitive edge in the AI landscape.
References:
[1] EDPB (2024). Opinion 01/2024 on the processing of personal data in the context of AI models.
[2] European Commission (2019). Guidelines 05/2019 on the concepts of personal data, controllers and processors.
[3] CNIL (2023). Recommendation on the protection of privacy in AI systems.
[4] European Commission (2020). Recommendation for a common EU approach to artificial intelligence.
[5] EDPB (2023). Guidelines 03/2023 on the concept of anonymisation.
[6] EDPB (2022). Guidelines 02/2022 on the concept of a controller.
[7] GDPR (2016/679). Article 6.
[8] GDPR (2016/679). Article 6(1)(f).
[9] EDPB (2022). Guidelines 01/2022 on the use of location data and information.
[10] GDPR (2016/679). Article 25.
[11] European Commission (2021). Ethics Guidelines for Trustworthy AI.
[12] GDPR (2016/679). Article 25.
In the planning phase of AI development, it is essential to evaluate the personal data intended for AI training against GDPR criteria such as relevance, necessity, and lawful grounds for processing, so that accountability is preserved and regulatory review is possible [1][2][4]. To maintain compliance throughout the AI development life cycle, organizations must plan their data collection and processing strategies with an emphasis on data minimization and purpose limitation, integrating privacy-by-design principles from the start [2][4].