Artificial Intelligence and the GDPR: a guide

Context of the guide

There are almost daily reports about new systems and applications that use artificial intelligence (AI). This rapid development of AI systems is a good thing, bearing in mind the many benefits they may bring. Nevertheless, there are also a number of legal, ethical and societal challenges that need to be addressed. It is essential that AI systems are developed and used within the existing regulatory framework. Because AI systems typically use large amounts of data, the General Data Protection Regulation (GDPR) is paramount. The GDPR protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. Provisions of the GDPR must therefore be complied with in the design, development and use of AI systems.

Various international data protection authorities have published studies and official policy documents on this subject in recent months. With this exploratory guide on AI and data protection, the Flemish Knowledge Centre for Data and Society (KCDS) also aims to clarify the application of the GDPR to AI systems.

Objectives of the guide

This guide has two objectives. Firstly, it aims to provide organisations and users with information on applying the GDPR in the design, development and use of AI systems. Secondly, the guide constitutes the framework from which other practical instruments will follow. These practical information sheets in Dutch are available online.

Structure of the guide

This guide is further structured into four sections:

• Chapter 2 discusses the concept of artificial intelligence and several other fundamental concepts.
• Chapter 3 examines the scope of the GDPR and applies it, where appropriate, in the context of AI.
• Chapter 4 explores how to ensure data protection in the design and development of AI systems.
• Chapter 5 studies how data protection can be ensured when AI systems are used.

Where useful, each section starts with an overview box, explaining both the essence of the section discussed and a number of concrete actions. The applicable provisions of the GDPR are then discussed in detail. This multilayered approach ensures that the guide, besides being a comprehensive (legal) analysis, also endeavours to be a practical instrument. In concrete terms, this means that it first needs to be checked whether a sheet has already been published by the KCDS on a given subject. If this is not (yet) the case, then the practical steps in this report can be looked at. Additional information can then be found in the respective sections. The general bibliography indicates for each chapter which official policy and government documents were taken into account. Footnotes were used to refer to the relevant provisions in the GDPR or to specific authors/sources (other than the rather general policy and government documents).

Limitations of the guide

It is not possible to cover all topics on data protection and AI (such as the role and tasks of the data protection officer or binding corporate rules) in this guide. It was decided to address topics of specific interest to AI, whereby general guides and tools published elsewhere can be consulted in relation to general GDPR-related questions. Topics not covered may still be addressed separately via sheets and/or other practical tools.