The Guidance on AI and Data Protection from the ICO was updated on 15th March 2023. The updated guidance provides further clarity on how organisations can comply with data protection laws when using AI systems.
What topics does the ICO guidance cover?
The guidance covers the following topics:
- Data protection impact assessments
The guidance also includes a number of case studies that illustrate how organisations have applied the guidance in practice.
The ICO's guidance is a valuable resource for organisations that are using AI systems. It provides clear and practical advice on how to comply with data protection laws when using AI systems.
How is the principle of ‘fairness’ impacted?
One of the key principles of data protection law is fairness. This means that organisations must ensure that they do not use AI systems in a way that is unfair or discriminatory.
The ICO's guidance provides several factors that organisations should consider when assessing fairness, including:
- The purpose for which the AI system is being used
- The impact of the AI system on individuals
- The safeguards that are in place to protect individuals
How is accountability affected?
Organisations that use AI systems must be accountable for the way in which they use these systems. This means that they must be able to demonstrate that they are complying with data protection laws.
The ICO's guidance outlines several steps that organisations can take to ensure that they are accountable for the use of AI systems, including:
- Documenting the use of AI systems
- Implementing appropriate governance arrangements
- Conducting data protection impact assessments
Training staff on data protection law
Why is transparency important?
Organisations that use AI systems must be transparent about the way in which these systems work. This means that they must provide individuals with information about how their personal data is being used by AI systems.
The ICO's guidance provides several ways that organisations can be transparent about the use of AI systems, including:
- Providing clear and concise information about the AI system
- Making it easy for individuals to understand how their personal data is being used
- Providing individuals with the opportunity to opt out of the use of AI systems
What is the concept of ‘explainability’?
Organisations that use AI systems must be able to explain how these systems work. This means that they must be able to provide individuals with an explanation of how their personal data is being used by AI systems.
The ICO's guidance offers several examples of how organisations can be explainable about the use of AI systems, including:
- Providing individuals with access to the data that is used by AI systems
- Providing individuals with information about the algorithms that are used by AI systems
- Providing individuals with information about how AI systems make decisions
How can AI bias be mitigated?
AI systems can be biased. This means that they can make decisions that are unfair or discriminatory.
To mitigate bias in AI systems the ICO recommends a number of steps including:
- Collecting data from a diverse range of individuals
- Using algorithms that are designed to be fair
- Testing AI systems for bias
- Monitoring AI systems for bias
When are data protection impact assessments required?
Organisations that use AI systems must conduct data protection impact assessments (DPIAs) if the use of these systems is likely to result in a high risk to individuals' rights and freedoms.
A DPIA is a process that organisations can use to identify, assess, and mitigate the risks to individuals' rights and freedoms posed by the use of AI systems.
The ICO recommends actions that organisations can take to conduct a DPIA, including:
- Identifying the risks posed by the use of AI systems
- Assessing the impact of these risks on individuals' rights and freedoms
- Mitigating the risks posed by AI systems
- Monitoring the effectiveness of the mitigation measures
How 3CS can help
For further guidance on AI and Data Protection or any corporate or commercial legal matter, please get in touch with your usual 3CS contact.