The ICO has issued its guidance on the design and implementation of data protection and GDPR compliance for AI. The guidance is organised in four parts:
- part one addresses accountability and governance in AI, including data protection impact assessments (DPIAs);
- part two covers fair, lawful and transparent processing, including lawful bases, assessing and improving AI system performance, and mitigating potential discrimination;
- part three addresses data minimisation and security; and
- part four covers compliance with individual rights, including rights related to automated decision-making.
This guidance is a useful start, but given the level of detail needed for activities such as data protection impact assessments (DPIAs) for AI, a better offering would include an AI-assisted tool to help firms learn the requirements and speed up their AI compliance work. This is particularly true as the ICO is suggesting that a DPIA be treated as a living document that needs to be updated regularly. The example it gives of a change that would require an update is: ‘depending on the deployment, it could be that the demographics of the target population may shift, or that people adjust their behaviour over time in response to the processing itself. This is a phenomenon in AI known as ‘concept drift’.’
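The ICO's concept-drift example raises a practical question: how does a firm know when the target population has shifted enough that the DPIA should be revisited? The block below is an added illustration, not ICO material or a Dapro tool. It compares the demographic mix recorded when the DPIA was signed off against the current mix using the Population Stability Index (PSI), a common monitoring statistic. The age-band counts are constructed for the example, and the 0.1 / 0.25 thresholds are an industry rule of thumb rather than an ICO figure. It covers the demographic-shift half of the ICO's example; behavioural drift in response to the processing would need a separate check on the model's inputs or outcomes.

```python
"""Population-drift check that could trigger a DPIA review.

Added example, not ICO material or Dapro code. The demographic counts
below are constructed for illustration; the PSI thresholds (0.1 / 0.25)
are a common industry rule of thumb, not an ICO figure.
"""
import math
from collections import Counter
from typing import Dict, Iterable, Sequence, Tuple

# Floor for bucket proportions so a category that is absent on one side
# never produces log(0) or a division by zero.
EPS = 1e-6


def proportions(records: Iterable[str]) -> Dict[str, float]:
    """Share of each category among the records (e.g. age band per data subject)."""
    counts = Counter(records)
    total = sum(counts.values())
    return {category: n / total for category, n in counts.items()}


def psi(baseline: Dict[str, float], current: Dict[str, float]) -> float:
    """Population Stability Index over the union of categories.

    PSI = sum over categories of (current - baseline) * ln(current / baseline).
    It is symmetric in sign effects: both growth and shrinkage of a bucket add
    to the score, and a bucket unseen at baseline is penalised heavily.
    """
    score = 0.0
    for category in set(baseline) | set(current):
        b = max(baseline.get(category, 0.0), EPS)
        c = max(current.get(category, 0.0), EPS)
        score += (c - b) * math.log(c / b)
    return score


def drift_verdict(score: float) -> str:
    """Map a PSI score to a review action (rule-of-thumb thresholds)."""
    if score < 0.10:
        return "stable"
    if score < 0.25:
        return "moderate shift: review DPIA"
    return "significant shift: re-run DPIA"


def check_drift(baseline_records: Sequence[str],
                current_records: Sequence[str]) -> Tuple[float, str]:
    """Return (PSI, verdict) for the current population versus the DPIA baseline."""
    score = psi(proportions(baseline_records), proportions(current_records))
    return score, drift_verdict(score)


# Constructed sample: age band of data subjects at DPIA sign-off, then two
# later snapshots, one near-identical and one where younger users dominate.
BASELINE = ["18-24"] * 20 + ["25-44"] * 50 + ["45-64"] * 25 + ["65+"] * 5
CURRENT_STABLE = ["18-24"] * 21 + ["25-44"] * 48 + ["45-64"] * 26 + ["65+"] * 5
CURRENT_SHIFTED = ["18-24"] * 45 + ["25-44"] * 35 + ["45-64"] * 15 + ["65+"] * 5

if __name__ == "__main__":
    for label, snapshot in (("stable", CURRENT_STABLE), ("shifted", CURRENT_SHIFTED)):
        score, verdict = check_drift(BASELINE, snapshot)
        print(f"{label}: PSI={score:.3f} -> {verdict}")
```

Run on a schedule against the production population, the verdict gives the DPIA owner an objective trigger for the "living document" update the ICO asks for, rather than relying on someone noticing the shift. Record the score alongside the DPIA so the review history is itself evidence for the accountability part of the guidance.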
The ICO also proposes “using state-of-the-art security practices and PETs (privacy enhancing technologies) when using personal data in an AI context”. The guidance is good, but providing tools to speed up the AI compliance process would be better, in my opinion. The burden on regulated firms can’t be overstated, not just for data protection and GDPR, but when these are combined with other regulatory frameworks, some of them industry-specific, such as PCI-DSS and Dodd-Frank.
The ICO has been good about providing templates, but now tools are what’s needed more than ever.
Dapro Technologies Ltd
The Privacy Experts
About Us
We do this through our operating model which is based on a three pillar approach of experience, communication and research.
Our Three Pillars
The first of our pillars is Experience: we believe that in order to succeed in optimizing an organization’s CMM, you need technical and business process acumen, or as it is commonly known, people, process and technology. In the context of data privacy this means that we bring our experience in helping firms to develop GRC governance and processes through several key areas. These areas include: steering committee development, privacy policy development, data discovery / mapping, assessments, advisory services and the legal context which underpins our methodology.
Our next pillar is Communication: the ability to articulate a message appropriate to the audience, a skill learned through experience. We believe that effectively communicating the impact of data protection regulation and the value of consumer confidence requires that the information is factually complete, plainly explained and delivered in a timely manner. Our modes of communication are often remote and face-to-face consultations, short presentations, privacy awareness training, project plans, Visio diagrams and KPI reporting, all done to a professional standard.
And our last pillar is Research: in support of our mission to communicate factually complete information, we place a high value on research. The pace of regulatory change in privacy has yet to hit the peak of its curve. Pending opinions from the ECJ Advocate General, add-on legislation, new data breaches, vulnerability alerts, legal analysis and industry reports, along with guidance from the supervisory authorities themselves, all need to be factored in, as do frameworks and vendor implementation guidance. We have extensive experience in implementing the latest ISO, NIST, CSA, PCI-DSS and CSP (AWS, Azure, GCP) controls into environments as appropriate to your needs.