24 Apr 2026
by Steven Roberts

Artificial Intelligence and GDPR – Ensuring your Firm is Compliant

Artificial intelligence systems promise significant productivity and efficiency gains for Irish businesses. A recent survey by PwC found 70% of companies were planning to increase their AI budgets in 2026. The PR and communications sector has recognised this potential; the PRII Census 2025 noted two-thirds of PR professionals welcomed AI but also saw it as their largest training gap.

The lack of training is worrisome because training forms a key component of GDPR adherence, with companies only as compliant as their least trained member of staff. There are particular data protection challenges posed by AI technologies. Research has identified a ‘shadow culture’ in many industries, where staff are trialling large language models (LLMs) and other AI platforms outside the formal framework of company policies. Many AI systems process personal data and the ‘black box’ nature of the technology means it is often unclear what data is being processed and how decisions or outcomes have been reached. This is a particular concern where decisions have legal effects for individuals.

Data Protection by Design and Default

Under the GDPR, privacy considerations must be baked in from the outset of any data processing project, meeting the Article 25 requirement for data protection by design and default. Data Protection Impact Assessments (DPIAs) are one of the best ways in which a firm can demonstrate this accountability and compliance. A DPIA is a process through which data protection risks are identified, along with proposed mitigants to offset them. There are many freely available templates that companies can use. The European Data Protection Board (EDPB) is currently working on a version that is likely in time to be widely adopted as standard.

The GDPR requires a DPIA to be undertaken in certain high-risk instances; however, it is increasingly seen as a best practice tool that demonstrates transparency and a strong data privacy culture. Importantly for firms, use of a DPIA can identify risks at an early stage, reducing the potential for costly delays and rollbacks at a later point in the project. This is particularly important at a time when companies are investing substantial time and resources in new AI systems and platforms.

What Steps can PR Professionals Take?

AI technologies are developing at a rapid pace. Alongside this, data protection continues to be a fast-evolving discipline as it responds to the challenges posed by the digital economy. Whilst recognising this dynamic environment, there are a number of practical steps PR professionals can take to ensure their use of AI technologies remains GDPR compliant.

  1. Consider data privacy from the outset of a project. A Data Protection Impact Assessment (DPIA) is a key mechanism to meet the GDPR’s principle of data protection by design and default.
  2. Undertake a detailed audit of existing AI systems and personal data processing within the firm.
  3. Ensure AI systems process personal data in a manner that is GDPR compliant.
  4. Identify where the company is a data controller or a data processor.
  5. Assess whether AI systems are transferring or storing personal data outside of the EU/EEA.
  6. Put in place clear processes for how AI is used within the business.
  7. Review privacy notices and public-facing information to ensure they remain transparent, easily understood and up to date.
  8. Continue to monitor the advice and guidance from the Data Protection Commission, the European Data Protection Board and other relevant bodies.
  9. Undertake regular refresher training on data protection best practice, both for new and existing staff.
  10. Lastly, companies should keep a close eye this year on developments around the EU’s proposed Digital Omnibus – a package of measures intended to simplify compliance with a range of EU laws, including the GDPR.

Conclusion

GDPR compliance is a journey rather than a destination and an effective privacy culture is built iteratively over time. Whilst AI platforms pose particular data protection risks, having clear processes and procedures in place that are seen to have buy-in from senior leadership is a highly effective way to develop a strong culture throughout the organisation.