The lifecycle of an AI system has two stages: the development stage and the operation stage. The development stage covers all activities before the deployment of the system, such as developing the algorithm, collecting and processing the training data, and training the system. The operation stage begins when the AI system is deployed and put to the use for which it was designed.
Examples of common AI systems we encounter in our daily lives
- The recommendation systems of streaming services that analyse the listening or watch histories of users, recognise patterns in users’ interests and use this information to recommend new content to the users.
- The recommendation systems of online shops that analyse the purchase history of users, recognise patterns in users’ interests and use this information to recommend new products to users.
- Email spam filters that analyse email messages and recognise features based on which they filter out spam messages from other messages.
- Map services and navigation tools that analyse traffic data and suggest routes based on it.
- Search engines that analyse the behaviour of users and recommend search results based on the analysis.
- Chatbots used for customer service that analyse the information entered into them and generate responses based on the analysis.
- Personal AI assistants that help users create content, compile information from several sources, and use the information to create schedules and to-do lists.
How must data protection legislation be considered in AI systems?
Data protection legislation must be complied with regardless of the type of technology used, and this applies to AI systems as well. Data protection legislation must always be complied with when personal data is processed automatically.
Large quantities of personal data are often used in the development and use of AI systems. A legal basis must exist for the processing, and data protection principles such as data minimisation and purpose limitation must be taken into account.
If no personal data is processed in the development or use of an AI system, data protection legislation does not apply. To be sure whether it processes personal data in connection with an AI system, an organisation must carefully familiarise itself with the definitions of personal data and personal data processing, as well as with the AI system to be deployed and its operation.
Read more:
- What is personal data?
- Pseudonymised and anonymised data
- Opinion 28/2024 of the European Data Protection Board on certain data protection aspects related to the processing of personal data in the context of AI models (link directs to the website of the Board)
- Opinion 05/2014 of the Article 29 Data Protection Working Party (link opens a PDF file from the ec.europa.eu website)
Assess risks and data protection impact
An organisation developing or deploying an AI system must always assess the risks of personal data processing before it starts processing personal data. This ensures that the organisation can, already at the planning stage, determine the measures it must take to control the risks and ensure that the processing is lawful.
Organisations must always comply with the data protection principles in their operations and ensure that the principles are implemented in proportion to the risk level of the planned processing. Risks must be assessed specifically from the perspective of the data subjects, that is, the people whose data is processed, and the risks to which the processing could expose them must be identified. A risk assessment can also be a useful tool for evaluating the risks to which the organisation itself is exposed.
One tool for risk assessment is the data protection impact assessment (DPIA). According to the General Data Protection Regulation (GDPR), an impact assessment must be carried out especially when new technology will be used for personal data processing.
Read more about impact assessments
Carrying out an impact assessment is mandatory in certain situations. One must always be carried out when the personal data processing could pose a high risk to the data subjects’ rights and freedoms. If at least two of the criteria listed below are met, the risk is considered high. The development of AI systems often meets the criteria for high risk.
The criteria for high risk
- Evaluation or scoring of natural persons
- Automated decision-making that could have legal effects for natural persons
- Systematic monitoring of people
- Processing of special categories of personal data or other very private data
- Extensive processing of personal data
- Combining datasets
- Processing personal data belonging to vulnerable persons such as children
- Innovative use or application of new technological or organisational solutions
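As an illustration only, the two-criteria rule above can be sketched as a small check. All names here are hypothetical, and a real assessment of whether a DPIA is required calls for case-by-case legal judgment, not a mechanical count:

```python
# Hypothetical sketch of the two-criteria rule: if at least two of the
# high-risk criteria apply, the risk is considered high and a DPIA is
# mandatory. This is an illustration, not an official compliance tool.
HIGH_RISK_CRITERIA = {
    "evaluation_or_scoring",
    "automated_decision_making_with_legal_effects",
    "systematic_monitoring",
    "special_or_very_private_data",
    "large_scale_processing",
    "combining_datasets",
    "data_on_vulnerable_persons",
    "innovative_use_of_new_technology",
}

def dpia_likely_required(criteria_met: set) -> bool:
    """Return True when at least two recognised high-risk criteria apply."""
    met = criteria_met & HIGH_RISK_CRITERIA
    return len(met) >= 2

# Example: an AI recommender that scores users and processes data at scale
# meets two criteria, so a DPIA is likely required.
print(dpia_likely_required({"evaluation_or_scoring", "large_scale_processing"}))  # True
print(dpia_likely_required({"systematic_monitoring"}))  # False
```

The check deliberately intersects the input with the known criteria, so unrecognised labels are ignored rather than counted toward the threshold.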
An impact assessment is also mandatory when the planned processing activities are included in the Data Protection Ombudsman’s list of processing operations that require a data protection impact assessment. An organisation planning to develop or deploy an AI system should familiarise itself with the list and the criteria for high risk when it assesses whether a DPIA is required.
Even if carrying out a DPIA is not mandatory, the organisation can benefit from the process whenever it plans activities that include personal data processing. A DPIA supports compliance with the requirements of data protection legislation.
Ensure the lawfulness of processing: when can personal data be used?
A legal basis, also called a processing basis, is always required for personal data processing. A processing basis is required both for the development of AI systems and for their use if they involve personal data processing. The basis must exist already at the stage where personal data is collected and used for the development and training of the AI system.
The processing of different types of personal data and the stages of the development and deployment of an AI system should be kept separate. This makes it possible to choose, where necessary, the processing bases and risk management measures that best fit each stage.
According to Article 6 of the GDPR, the bases for processing personal data are the data subject’s consent, contract, the controller’s legal obligation, protection of vital interests, a task carried out in the public interest or the exercise of official authority, and the legitimate interest of the controller or a third party.
Read more about processing bases