Data Protection & Artificial Intelligence: Best Practice

James Crossland

Digital Marketing Manager|Kerv digital

Published 06/07/22

Resolving the conflicts between the masses of data AI requires and an individual’s right to privacy

 

The unlimited potential Artificial Intelligence can bring to an organisation is far too broad a subject to discuss here (although we have discussed it at length elsewhere) but unfortunately, with the benefits of AI also come the pitfalls…

 

The main pitfall we’ll be focussing on here is that of data protection, and all its associated concerns, such as privacy and data security.

 

Under GDPR (or whatever equivalent legislation applies within your territory), using technology for the processing and handling of personal data through complex computer systems (and often rather opaque algorithms) is something you’ll need to consider very, very carefully as an organisation.

 

Let’s be clear: we’re not trying to put you off Artificial Intelligence, merely stating that its use requires due consideration.

 

Its potential, when applied to a business’ processes through the right partner, is nearly limitless.

But there are things you need to consider (and again… the right partner should be able to help you with that).

 

The following should give you a brief overview of how you can mitigate the data protection risks arising from implementing an AI project within your organisation, without scaring you so much that you lose sight of the benefits such a project can deliver.

If at the end however, you still have questions, feel free to get in touch to discuss your needs further…

Taking A Risk Based Approach To Data Protection & Artificial Intelligence

First things first… This is going to be a lot less complicated than you thought it might be.

 

When you’re assessing the impact Data Protection may have on your Artificial Intelligence project (no matter how complex) it’s worth remembering the questions that will need answering will be the exact same questions that needed answering for all your other projects.

 

  • What data will be used and if there is personal data being processed do I really need it?
  • Is the data being processed under one of the lawful bases for processing?
  • Have I adequately informed my end-users of how their data is being used?
  • Is the data being processed securely?

 

The starting point for this is completing a DPIA and deciding (and documenting) what data is relevant and needed for the project. This will be key alongside the steps you’ve taken to secure said data.

 

If no personal data is being captured, everything becomes much simpler.

 

Don’t forget that personal data is any information relating to an identifiable natural person, i.e. someone who can be identified, directly or indirectly, from the information being processed. If you absolutely must use personal data, then ensure adequate controls are in place to restrict access, keep it encrypted at rest and in transit, and pseudonymise it where possible (bearing in mind that pseudonymised data is still personal data under GDPR while the means of re-identification exist).

 

As with all projects, the key to getting this right will be through a principle of Privacy By Design.

If you make it your goal to mitigate privacy risks as part of the initial project design, rather than as a rushed (and potentially bodged) bolt on at the end of the project, it’s likely you’ll be successful in coming up with a valid and compliant Data Protection solution.

 

No matter what the project, good Data Protection governance has always depended on specific factors such as the types of data being captured, what the data will be used for, how and where it will be used, and whether any special categories of data are involved.

AI technologies do make this trickier. They are likely, by design, to include automated decision making, and AI by its very nature wants as much unfettered data as possible, whilst Privacy By Design focusses on data minimisation. The important thing is to be able to demonstrate the steps you have taken to mitigate as many risk factors as possible.

 

It’s important that this task isn’t just delegated to your Data Scientists or Developers though.

AI developers may have a tendency to prioritise data collection; a wider view than that will be needed.

These steps can’t be a tick box exercise either; you should never underestimate the amount of time, expertise or resources your AI governance and risk management efforts deserve if you want to be compliant.

Data Protection & Artificial Intelligence: How To Set Your Risk Appetite

A risk based approach to data protection and AI means you must consider (and document) how you comply with your obligations under the law by taking specific measures that are appropriate to your organisation, and by showing you’ve balanced the risks to an individual’s rights and freedoms against your legitimate business interests.

 

Setting your risk appetite should be intentional and expected to form part of an AI strategy document. This will also affect the possible range of algorithms that can be chosen from to use in your solution.

 

The AI strategy document should scope out frameworks for applying AI within your organisation over a horizon of 3-5 years, and it should assess the risks posed to individuals’ rights and freedoms.

 

When it comes to AI technology, the various risks posed by your project and how data is to be processed will mean you need to take a balanced approach between those competing interests to ensure you remain compliant.

 

But…

That doesn’t mean you need to assume a zero-risk stance.

A zero-risk stance in and of itself would be immensely impractical (the law even recognises this).

What it’s about is assessing your own use of AI and doing your utmost, at an organisational level, to mitigate the Data Protection risks.

Consider the following:

 

  • Have you thoroughly (and accurately) assessed the risks to an individual’s rights and privacy that may come about due to your AI activities?
  • Have you determined how all these risks will be mitigated?
  • How will you collate, store and use this data?
  • What volume and sensitivity of data are you collecting?
  • What’s the final outcome you’re attempting to achieve by collating and processing this data?
  • Have you clearly documented these risk assessments?

 

Whilst this process may feel long winded and a ‘nuisance’, doing it correctly will give you a much better picture of your organisation’s risk proposition and exposure, and of how adequate your governance is in balancing out the various conflicts. It will also help you to justify your actions if you are challenged in the future.

Identifying The Controller Of Your AI Technology

It’s not uncommon to have several different organisations involved in the planning, development and then deployment of Artificial Intelligence technology.

 

Whilst GDPR legislation does recognise that not all the parties involved in the processing of this data will have the same degree of control over the data being processed, it’s still incredibly important to identify who’s the controller, who’s a joint controller and who’s just processing the data… and then document these facts.

How To Make AI Systems Conform To The Data Minimisation Principle

GDPR’s data minimisation principle states that you should store and process the minimum amount of personal data needed to achieve your business’s goals.

 

“Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).” – GDPR Article 5(1)(c)

 

As we’ve already mentioned though, AI technology wants pretty much the exact opposite… so how do you reconcile these two seemingly diametrically opposed stances?

Whilst it may sound like a huge obstacle to overcome, a closer look at the legislation shows the way forward.

 

It clearly states that the data used needs to be limited to what is necessary to complete your stated goals. Whilst AI certainly pushes that limit, it is still possible to conform to both.

How you go about determining what is ‘adequate, relevant and limited’ is therefore going to be specific to your circumstances and should be captured within your DPIA.
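To make the two earlier pieces of advice concrete (restrict, encrypt and pseudonymise personal data; limit what is processed to what the DPIA says the purpose needs), here is an added example of a pre-processing step that sits between a raw CRM export and an AI pipeline. It is illustration code written for this page, not Kerv’s or Microsoft’s, and the purpose name, field names, sample records and allow-list are all constructed for the example. Direct identifiers are replaced with a keyed HMAC pseudonym (stable, so records can still be joined, but only reversible by whoever holds the key), every field the purpose does not need is dropped, and the list of dropped fields is returned so it can be recorded as evidence of minimisation.

```python
"""
Data minimisation plus keyed pseudonymisation before personal data reaches
an AI pipeline. Example code added for illustration; not from the original
article. The purpose name, field names, sample records and allow-list are
all constructed for the example.
"""
import hashlib
import hmac
import secrets

# Constructed: fields a (hypothetical) DPIA documented as necessary for the
# stated purpose, e.g. a churn-prediction model. Anything not listed is
# dropped before the data leaves the controlled environment.
PURPOSE_ALLOWLIST = {
    "churn_prediction": {"customer_id", "tenure_months", "plan", "support_tickets"},
}

# Constructed: direct identifiers that must be replaced by a pseudonym rather
# than passed through, even when the purpose needs a stable join key.
DIRECT_IDENTIFIERS = {"customer_id"}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. Stable for the same key, so records can
    still be linked, but reversing it requires the key, which stays with the
    controller. This is pseudonymisation, not anonymisation: under GDPR the
    output is still personal data while the key exists."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict, purpose: str, key: bytes) -> tuple[dict, list[str]]:
    """Return (minimised record, names of dropped fields). The dropped-field
    list is what you would write into the DPIA to evidence minimisation."""
    allowed = PURPOSE_ALLOWLIST[purpose]
    kept, dropped = {}, []
    for field, value in record.items():
        if field not in allowed:
            dropped.append(field)
            continue
        if field in DIRECT_IDENTIFIERS:
            kept[field] = pseudonymise(str(value), key)
        else:
            kept[field] = value
    return kept, sorted(dropped)


def prepare_dataset(records: list[dict], purpose: str, key: bytes) -> list[dict]:
    """Apply minimise() to every record; only the minimised records go on."""
    return [minimise(r, purpose, key)[0] for r in records]


# Constructed sample: a raw CRM export with far more than the model needs,
# including a special-category field (health_notes) that must never reach it.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "date_of_birth": "1985-03-02", "health_notes": "asthma",
     "tenure_months": 18, "plan": "pro", "support_tickets": 2},
    {"customer_id": "C-1002", "name": "Bob Example", "email": "bob@example.com",
     "date_of_birth": "1990-11-17", "health_notes": "",
     "tenure_months": 3, "plan": "basic", "support_tickets": 7},
]

if __name__ == "__main__":
    # In practice the key comes from a key vault and is never stored with the data.
    key = secrets.token_bytes(32)
    for rec in SAMPLE_RECORDS:
        kept, dropped = minimise(rec, "churn_prediction", key)
        print(kept, "dropped:", dropped)
```

The allow-list is deliberately per purpose rather than global: if the same export later feeds a second model, that purpose gets its own documented allow-list rather than inheriting this one. The HMAC key is what makes the output pseudonymous rather than anonymous, so it needs the same access restrictions as the raw data.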

 

Once you understand what data is being captured, the purpose it will be used for, and what measures are needed to manage the security risks when processing that data, when it is time to implement AI, Microsoft Azure can help.

 

We end by listing a few Microsoft products within Azure, Windows or Office 365 that illustrate the options that can be layered up to create defence-in-depth for your data:

 

  • Azure Information Protection
  • SQL Server Transparent Data Encryption (TDE)
  • Dynamic Data Masking
  • Always Encrypted
  • Data Classification
  • Azure Advanced Threat Protection
  • PIMs
  • Group Policy
  • Conditional Access Policies
  • MFA through Azure AD
  • Azure Recovery Services Vault
  • Intune
  • Azure Application Gateway
  • Azure API Gateway
  • Azure Firewall
  • Azure Sentinel