Artificial Intelligence and Data Protection - Navigating UK GDPR Compliance
Artificial intelligence (AI), particularly generative AI like Chat GPT, is becoming increasingly mainstream.
We share the excitement surrounding AI, and understand the benefits it can bring to charities, but it is important to consider data protection compliance when choosing and using an AI service. We set out some of the key points below.
Fairness and Bias
Your charity should ensure that any use of AI is not discriminatory. This has implications for data protection compliance because the Information Commissioner's Office (data protection regulator) is clear that any processing that leads to unjust discrimination will violate the fairness principle of the UK GDPR. There are other laws, notably the Equality Act 2010, that you will also need to consider.
Transparency sits alongside fairness in the first principle of the UK GDPR. Be clear with individuals about how their personal data will be used. This can be challenging with AI because of its complexity. It is essential that the personal data is not used in a way that is unexpected to the individuals concerned.
Carry out a Data Protection Impact Assessment
Charities must carry out a Data Protection Impact Assessment (DPIA) before processing personal data in a way that is likely to result in a high risk to individuals. In many cases the use of generative AI will meet this threshold. Even if it is not a strict legal requirement, a DPIA is a useful exercise to methodically consider and document data protection compliance. It will also help your charity to understand what personal data the AI system will have access to if integrated within your systems.
Controller or Processor?
Under the UK GDPR organisations processing personal data are either a controller, a joint controller or a processor. If your charity uses an external AI provider, your data protection obligations will be partly dependent on what role the AI provider is playing.It's possible for an AI provider to be a controller or joint controller for some phases or purposes of processing, and a processor for others.
Security
You must consider how to avoid a data breach. It is an obligation under the UK GDPR to implement appropriate measures keep personal data secure. What measures are appropriate will depend on the specific AI system, and what you're using it for, but they are likely to include controls around what personal data you permit staff to input into the AI system and considering how the AI integrates into your existing IT system.
The National Cyber Security Centre (NCSC) has highlighted the cyber risks created by generative AI. One of the risks is cyber criminals using AI to write convincing phishing emails - spam emails that try to trick people into providing information, click on bad links or open harmful attachments. Your charity's information security training for staff (and trustees) must include how to spot phishing emails. This training must be supplemented by policies and technical measures to keep personal data secure.
What Do Your Staff Need to Know?
Consider what training, policies and procedures are needed to ensure that those who are using AI do so in line with the legal and regulatory requirements.
How Can We Help?
We offer bitesize eLearning on Data Protection to help you train staff on their responsibilities. To find out more and book a free demonstration please visit the VWV Plus Data Protection elearning course page or contact Imogen Street at 0738 454 5998.