Use human intelligence to harness the benefits of artificial intelligence

As AI has become such a widespread phenomenon, I expect that many Data Protection Officers and Chief Privacy Officers are having difficulty assessing where their professional responsibilities begin and end.

We at PL&B report on AI at both policy and management levels, for example, as an issue for the Government and the Opposition within the context of the UK Data Protection and Digital Information Bill.

We have in the past year reported on how Data Protection Authorities have started to regulate AI companies, with Italy’s Garante and OpenAI’s Chat GPT taking the lead.(1) There are policy developments in several countries and international organisations.(2)

  • The EU has reached agreement on an EU AI Act at the political level.(3)
  • France’s CNIL issued in October, a helpful policy document: Ensuring the lawfulness of the data processing.(4)
  • The UK ICO issued its Guidance on AI and data protection updated in March last year which includes a toolkit and many more resources.(5)

But privacy professionals need to think not only about the policy level with an impact in the future, but also about their immediate concerns - what they will do at the level of their organisations. Data Protection managers have a multi-tasking role.

How can AI help DPOs’ daily workload?

This is the question which we are aiming to answer in our Roundtable in London on 23 January with the help of:

  • Alexandra Leonidou, the responsible policymaker, the Head of Frontier AI Regulation, AI Policy, at the UK’s Department for Science, Innovation and Technology, and
  • Stephen Almond, the responsible regulator, the Executive Director, Regulatory Risk, at the ICO.

While they set the policy and regulatory framework, the other participants, including companies in several sectors and law firms, will be discussing how organisations can play an active and constructive role in the deployment of AI tools for strategic advantage, while minimising legal and reputational risks.

Typical applications of AI in an organisation are for analysing documents, such as job applications and complaints reliant on personal data. Some AI applications are used for predictive analytics and scoring for risks in the areas of loans, insurance and health. Other applications, such as construction contracts, are less reliant on personal data. In every case, an AI model has to be tested and trained.

There is evidence that the ICO is clearly setting an independent path of moving towards closer working with EU institutions. First its Memorandum of Understanding with the European Data Protection Supervisor and second its acceptance of the case in the PL&B and Hogan Lovells joint memorandum to bring the UK version of Binding Corporate Rules closer to the EU version.

Risk profiles

Data Protection Officers (DPOs) need to consider and often report to management on risk profiles of AI used for different scenarios. At what point does the conclusion of an AI model need to be reviewed by a human? Some examples of AI bias in recruitment have now been recognised, such as discrimination relating to women or different ethnic groups. Which types of bias will be the next to be recognised?

If AI models are trained on data from more than a year ago, they cannot take into account important new developments. Results which are clearly wrong can be discounted by an attentive and intelligent human. But people will be less able to discern more subtle machine- made errors.

The core question for DPOs is the extent to which AI can see patterns in data and metadata relating to identifiable specific individuals and groups? How should the fundamental principle of fair and lawful data collection and interpretation be applied in this context?

As chairperson, I will encourage roundtable participants who are DPOs and their legal advisors to actively share with the group their experience in their roles as consumers of AI tools. To what extent can AI tools assist in data compliance, for example, in drafting Data Protection Impact Assessments (DPIAs), or using AI to respond to routine communications, such as enquiries, complaints and Data Subject Access Requests (DSARs)?

Our programme, carefully prepared over many months, will help raise participants’ awareness of the issues. It is not good enough to wait for guidance from elsewhere. Just like experience in recent years with the internet and cloud computing, DPOs and their legal advisers can use their human intelligence to harness the benefits of artificial intelligence to aid their work in a fair and lawful way.

We look forward to you joining us.

Best regards,

Stewart Dresner
Publisher, Privacy Laws & Business

  1. PL&B News - Italy’s Garante imposes and then withdraws a ban on ChatGPT
  2. PL&B International Report December 2023
  3. PL&B News - EU AI Act agreed at political level
  4. CNIL - Ensuring the lawfulness of the data processing
  5. ICO - Guidance on AI and data protection

January 2024

News & Blogs

January 2024 Report Contents