AI does not provide a shortcut to GDPR compliance
摘要：Two acronyms are sure to grab headlines in 2018: AI and GDPR.Gartner called AI the most disruptive technology of the next 10 years. The technology will certainly continue to generate increased attention about its advances and new applications in 2018.
Two acronyms are sure to grab headlines in 2018: AI and GDPR.
Gartner called AI the most disruptive technology of the next 10 years. The technology will certainly continue to generate increased attention about its advances and new applications in 2018.
The General Data Protection Regulation (GDPR) — a set of stringent European Union rules governing the way companies collect, manage, and use information on EU citizens — was described as a top priority by 92 percent of corporate leaders who responded to a recent survey.
Which begs the question: Will these two big trends merge? Can AI help organizations meet the GDPR’s May 25th, 2018 compliance deadline and avoid penalties? (If an organization doesn’t meet this deadline, it is subject to fines of up to 4 percent of its annual worldwide revenue or €20 million — whichever is greater.)
After all, AI is all about handling and deriving insights from vast amounts of data, and GDPR demands that organizations pore through their databases for rafts of personal information that falls under GDPR’s purview.
The answer: AI probably won’t be a magic bullet as companies scramble to address the regulation’s provisions.
For one thing, AI, despite all its promise, has not yet reached the adoption tipping point necessary to make it much of a factor in the GDPR effort.
“Total investment (internal and external) in AI reached somewhere in the range of $26 billion to $39 billion in 2016, with external investment tripling since 2013,” a McKinsey report says. “Despite this level of investment, however, AI adoption is in its infancy, with just 20 percent of our survey respondents using one or more AI technologies at scale or in a core part of their business, and only half of those using three or more.”
For another thing, it’s questionable to what extent an AI can tackle the unique GDPR requirements, most of which simply don’t lend well to automation.
GDPR aims to give EU citizens greater control over their personal data and hold companies accountable on matters such as data use consent, data anonymization, breach notification, cross-border data transfer, and appointment of data protection officers.
For example, organizations will have to honor individuals’ “right to be forgotten” — fulfilling requests to delete information on them and providing proof it was done. They must obtain explicit permission to gather data, rather than implied. And they are required to allow people to see their own data in a commonly readable format.
GDPR covers any information that can be used to directly or indirectly identify an individual – such as names, photos, email addresses, financial details, posts on social networking sites, medical information, or a computer IP address – no matter when it was collected.
In fact, there are questions about whether the EU will catch AI itself in its legal crosshairs because GDPR states that European citizens have a right to explanation when an automated decision is made about them.
The system will undoubtedly work those issues out, but, in the meantime, companies should roll up their sleeves with a thorough, systematic approach to prepare for the May 25th deadline rather than look to AI as a panacea. That multi-step strategy should include:
Data. A comprehensive plan to document and categorize the personal data an organization has, where it came from, and who it is shared with.
Privacy notices. A review of privacy notices to align with new GDPR requirements.
Individuals’ rights. People have enhanced rights, such as the right to be forgotten, and new rights, such as data portability. This demands a check of procedures, processes, and data formats to ensure the new terms can be met.
A legal basis for processing personal data. Companies will need to document the legal basis for processing personal data, in privacy notices and other places.
Consent. Companies should review how they obtain and record consent as they will be required to document it. Consent must be a positive indication; it cannot be inferred. An audit trail is necessary.
Children. There will be new safeguards for children’s data. Companies will need to establish systems to verify individuals’ ages and gather parental or guardian consent for the data processing activity.
Data breaches. New breach notification rules and new fines will affect many organizations, raising the importance of the need to understand how to detect, report, and investigate personal data breaches.
Privacy by design. A privacy by design and data minimization approach will become an express legal requirement. It’s important for organizations to plan how they will meet the new terms now.
Data protection officers. Organizations may need to designate a data protection officer. They should figure out who will take responsibility for compliance and how they will position the role.
There are many issues organizations need to consider as they ensure GDPR compliance. For now, only a human can do the heavy lifting in this process, not artificial intelligence.
David Fowler is head of privacy and digital compliance at Act-On Software, a marketing automation provider.