Just released: How to raise venture capital in 2023

Download
Cyber Liability

How to Conduct a Thorough DPIA for AI Compliance [with GDPR]

WilHamory FounderShield
Wil Hamory

Financial Practice Lead

Article Summary
TL:DR

Key Takeaways
WilHamory FounderShield
Wil Hamory

Financial Practice Lead

If you’re part of the 39% of SMBs that adopted AI in the past year, conducting a Data Protection Impact Assessment (DPIA) might be on your radar already. But if it’s not, or if you’re looking for ways to ease into it, this comprehensive guide will give you the basics on how to analyze, identify, and minimize the data protection risks with a DPIA.

Understanding a DPIA and GDPR

For organizations operating in Europe or handling EU citizens’ data, the DPIA was established by the European Data Protection Supervisor (EDPS) to ensure parties properly protect sensitive user information in risky projects or plans — AI included. This evaluation is required for specific activities, such as processing on a large scale of special categories of data and automated processing, including profiling, that will influence decision-making.

This process aims to cut potential data protection issues at the root and minimize risks in the future, especially in the face of rising private data concerns stemming from AI models.

The DPIA is one of many data safety measures from the General Data Protection Regulation (GDPR), which any entity operating in the European Economic Area must comply with. GDPR was put into effect in the EU in 2018 amid the tech boom to regulate the collection and processing of personal data, giving individuals control over which information is shared and used by different organizations.

Understanding AI Compliance

It could be said that no other technology has ever required as much data to run as AI. This data could encompass anything: books, online articles, paintings, music, and personal data. This last element directly ties AI into GDPR as AI systems might also handle data from EU citizens to train their models and make decisions.

As such, any AI processes involving private data are subject to GDPR regulation — they must follow guidelines to minimize its usage, avoid repurposing it without additional consent, anonymize it, and remove it if requested.

GUIDE

De-Risking Fintech

Download

And it’s no secret that AI is a particularly tricky area for GDPR regulation, starting by the sheer growth of the datasets it’s trained on: Estimates suggest ChatGPT went from using 1.5 billion training parameters in 2019 to 175 billion in 2020. While it can anonymize information, experts say it can infer a person’s identity or traits like religion, income, and relationship status from data like purchase history, geolocation, and internet searches.

Steps to Conduct a DPIA for AI

Conducting a DPIA for AI systems is crucial for ensuring compliance with data protection regulations. This systematic process helps organizations identify and mitigate potential risks to individuals’ rights and freedoms.

Identifying When a DPIA Is Required for AI Projects

In most cases, AI companies or organizations using AI systems will require a DPIA as the technology often processes and uses personal data, whether the AI is ingrained in an e-commerce platform to make better purchasing suggestions, or helps automate tasks that handle personal data.

For example, the International Commissioner’s Office in the UK, which is in charge of vetting DPIA processes, identifies the next AI-related tasks, among many others, as requiring a DPIA:

  • Machine learning and deep learning systems
  • Intelligent transport systems
  • Smart technologies, including wearables
  • Some Internet of Things (IoT) applications

Mapping Data Flows and Understanding Data Processing Activities

After identifying the need for a DPIA, organizations must outline in detail how they plan to use personal data in AI systems. Some facts to consider are how data is planned to be processed and its source, how it’s collected and stored, the amount used and its level of sensitivity, who the data belongs to and their relation to the company, and the outcome of processing this data.

This must also include every stage the data must go through when being processed to ascertain how it might affect individuals.

Assessing Data Protection Risks Specific To AI

Knowing all the ins and outs of an AI company’s data flow helps assess potential risks and their likelihood, especially when it comes to personal data and how its usage can affect the rights and freedoms of individuals. This assessment is, arguably, the most important part of the DPIA process.

Beyond the routine risk assessment companies usually conduct in their management strategies, they must also ask these questions regarding AI:

  • Will the outcome of using personal data result in financial loss for individuals?
  • Will they lose control over their personal data?
  • Will it cause reputational damage or discrimination?
  • Will it represent a loss of confidentiality, and identity theft or fraud?

This last point represents the most pressing and perhaps likely scenarios organizations must tackle based on the recent state of AI and data safety. A cybersecurity report revealed that 77% of companies identified breaches to their AI in the past year, and the technology continues to be used for identity theft with deepfake technology.

Consulting With Stakeholders and Documenting the DPIA Process

After identifying potential risks from any AI tools used in the company, those in charge of this process must connect with stakeholders to discuss the next steps to minimize risks. Executives and their teams must be aware of possible threats to personal data to ensure they adjust their operations accordingly.

Communicating these findings will create a prevalent data safety awareness environment, entrenching security into every AI-related task within the company. As such, organizations can begin to uproot any risks and use their AI systems more responsibly.

To follow up on progress and future improvements, it’s vital to document the DPIA process step-by-step. This will also help companies stay compliant by easily showing proof of their DPIA efforts.

Key Considerations for AI Systems

While AI is bringing massive success for companies, both from the operational and fundraising sides, it’s important to consider some key practices before adopting it into operations.

To start, implementing AI systems should heighten rather than obscure transparency at the company. How does this system work? How can it be explained to employees and clients? How are its outcomes affecting services or products? Explainability should massively impact the decision to adopt AI, emphasizing the importance of knowing how the technology will work from beginning to end.

Moreover, engineers and decision-makers must focus on using as little personal data as possible. Minimizing it will immediately reduce risks related to it, from theft to misuse and more.

For model training purposes, they could resort to synthetic data instead, which is often used in the financial and healthcare sectors for safety reasons. This generated data from real-world samples comes as close as possible to real datasets to better train systems without safety issues.

Lastly, those involved in implementing AI systems must constantly monitor it and ensure it is fair and unbiased. For example, in healthcare, computer-aided diagnosis (CAD) systems have been known to return less accurate results for black patients, possibly stemming from low-quality and less diverse datasets used to train AI models.

But this shouldn’t just sit with the engineers. Anyone using AI systems at organizations must keep an eye out for anomalies when using the technology, flagging potential malfunctions and biases as they arise.

A thorough DPIA process won’t just help companies stay compliant and avoid fines and penalties — it will increase the quality of their operations above all. Keeping such powerful technology as AI functioning properly while safeguarding individuals’ rights and freedoms under GDPR regulations helps develop trustworthy companies with a competitive edge. Ultimately, it’s a win-win situation for everyone involved.

Insurance Rebuilt, End-to-End

We've supported startups from stealth mode to huge funding rounds.
Get a Custom Quote
Deco

Related Articles

data breach 2024
October 1 • Cyber Liability

Top 10 Cyber Security Data Breaches of 2024

Cybersecurity under attack in 2024! Discover the top 10 data breaches that rocked the world. Learn how major companies fell victim to cybercriminals. Understand the risks and take action to protect your business from cyber threats.

Read Article
supply chain disruptions
August 27 • Cyber Liability

Cyber Attacks & Supply Chain Disruptions: Startup’s Worst Enemy?

Explore the evolving threat landscape for supply chain disruptions, mitigation strategies, and the importance of risk management in today’s volatile business environment.

Read Article
cyber insurance pricing trends 2024
March 13 • Cyber Liability

Cyber Insurance Pricing Trends 2024

Uncertain about cyber insurance costs in 2024? Our article explores pricing trends, expert predictions on rate increases, and strategies to potentially reduce your cyber insurance premium.

Read Article
cyber liability insurance premiums
March 4 • Cyber Liability

7 “Must Haves” For Cyber Liability Insurance in 2024

With cyber liability insurance premiums rising, business leaders must have the inside scoop to keep costs low. Our partners at Blacksmith InfoSec delve into those tips and tricks.

Read Article
Cybersecurity Data Breaches
November 9 • Cyber Liability

Top 10 Cybersecurity Data Breaches of 2023

Today’s digital landscape is frightening for business leaders. Here’s a glimpse into some of the most cringe-worthy data breaches in 2023 — plus, how to avoid them.

Read Article
Cyber Insurance Pricing Trends
July 19 • Cyber Liability

Cyber Insurance Pricing Trends 2023

After a hard-hit 2022, let’s explore the lessons learned, what currently impacts the cyber market, and cyber insurance pricing trends to expect in the future.

Read Article