Consider an organization adopting artificial intelligence (AI) as being represented by a self-driving car. Data serve as gasoline, which provides the driving force to the car; machine learning (ML) is the engine, which determines the performance of the car; and AI operates as the role of the sensor in the car, contributing to the process of automatic decision-making. A self-driving car with good performance requires more data input to obtain continuous driving force to become more competitive and make more accurate analysis and predictions. However, especially for an Internet finance organization, multiple relational datasets can easily result in “isolated islands of information,” which make it difficult to connect the datasets where they can talk to each other.
How to implement data sharing effectively without violating EU General Data Protection Regulation (GDPR) provisions becomes one of the biggest concerns of AI GDPR compliance. The following are questions answered in my recent Journal article:
- Will GDPR result in the prohibition of AI for use with EU individuals’ data?
- How does one obtain informed consent for an AI algorithm that cannot explain its decision-making criteria?
- If a user opts out, is an alternative human-based decision system available?
In my recent article, I explain the main conflicts between AI and GDPR (figure 1).
|
AI vs. GDPR |
Proposed Suggestions |
Reference GDPR Provisions |
|
Accuracy of automated decision-making |
|
Article 4(4), Article 9, Article 12, Article 13, Article 14, Article 15, Article 21, Article 22, Article 35(1) (3) |
|
The Right to Erasure |
|
Article 6, Article 9, Article 12, Article 17, Recital 65, Recital 66 |
|
Data minimization |
|
Article 5(1)(c), Recital 39, Article 16, Article 17 |
|
Transparency principle |
|
Article 5, Article 12, Article 13, Article 14 |
Read Andrea Tang's recent Journal article:
"Making AI GDPR Compliant," ISACA Journal, volume 6, 2019.