Why Machine Learning and Data Science Complicate GDPR Compliance
Data science, machine learning, and AI present new compliance
issues. Simply marking and redacting PII is no longer enough to
prevent sensitive inferences: data analysis systems can and will
rediscover the redacted information from the correlated attributes
that remain. And correlations in data can pick up unfairness from the
world or make problematic inferences.
- Machine learning can easily make decisions based on sensitive
attributes, even when they’re removed from data, making the concept
of PII obsolete.
- The GDPR places restrictions on processing personal data. But
when you can't tell what is and isn't personal data easily,
compliance can be a challenge.
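To make the proxy problem above concrete, here is an added illustration (not Rocky Coast Research's own code): a small audit that checks whether the columns left behind after redaction can still predict the redacted attribute. The records, the column names and the 0.15 margin are constructed assumptions for the demonstration.

```python
import random
from collections import Counter, defaultdict

def make_records(n=2000, seed=7):
    """Constructed synthetic records (not real data). 'religion' is the
    sensitive column a redaction step removes; 'district' is a proxy that
    stays behind and is strongly correlated with it; 'age_band' is not."""
    rng = random.Random(seed)
    records = []
    for _ in range(n):
        district = rng.choice(["north", "south", "east", "west"])
        p_a = 0.9 if district in ("north", "east") else 0.1
        religion = "A" if rng.random() < p_a else "B"
        age_band = rng.randint(18, 80) // 10 * 10
        records.append({"district": district, "age_band": age_band,
                        "religion": religion})
    return records

def lookup_accuracy(records, feature, target, split=0.7):
    """Rediscovery attempt with the simplest possible model: map each value
    of `feature` to the most common `target` seen in the training part and
    score that guess on the held-out part. Returns held-out accuracy."""
    cut = int(len(records) * split)
    train, test = records[:cut], records[cut:]
    table = defaultdict(Counter)
    for r in train:
        table[r[feature]][r[target]] += 1
    fallback = Counter(r[target] for r in train).most_common(1)[0][0]
    hits = 0
    for r in test:
        counts = table.get(r[feature])
        guess = counts.most_common(1)[0][0] if counts else fallback
        hits += guess == r[target]
    return hits / len(test)

def majority_baseline(records, target, split=0.7):
    """Accuracy of always guessing the majority class: the bar a proxy must clear."""
    cut = int(len(records) * split)
    top = Counter(r[target] for r in records[:cut]).most_common(1)[0][0]
    test = records[cut:]
    return sum(r[target] == top for r in test) / len(test)

def audit_redaction(records, target, margin=0.15):
    """Return {feature: accuracy} for each remaining column that predicts the
    redacted `target` at least `margin` above the majority baseline. A
    non-empty result means redaction alone did not remove the information."""
    base = majority_baseline(records, target)
    flagged = {}
    for feature in (k for k in records[0] if k != target):
        acc = lookup_accuracy(records, feature, target)
        if acc >= base + margin:
            flagged[feature] = acc
    return flagged
```

On the constructed data the audit flags `district` and not `age_band`; the same check can be run over a real feature set before deciding that a redacted column is gone for good.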
Key data science questions for GDPR compliance include:
- How do you know which data can be included in a particular
- What do you do when you must delete data? Can you keep models
based on those data?
- Do you have obligations to explain how a model works? To explain
how it impacts decisions?
- Will data-focused technologies give correct answers without
using an illegal or protected basis for any decisions?
GDPR and Data Governance Requirements
The GDPR sharpens data governance imperatives to make uses of data
more transparent, accountable, and unbiased. The GDPR makes data
governance a compliance concern, due to:
- The GDPR's demand for explicit and meaningful consent from data subjects;
- Limits on “profiling” and on processing certain categories of
sensitive personal data;
- Controls around “automated decision making”; and
- The requirement that data controllers provide “Meaningful
information about the logic involved” in data processing.
Any organization which aims to be GDPR compliant must be able to
answer, for all of its data:
- Where did our data come from? For how long do we store our data?
- How do we use our data? Do we have a legal basis for processing or storing our data?
- Which kinds of data can we safely combine and use together?
- What kinds of analysis or predictions are allowed?
Additionally, traditional data governance activities can be
complicated by GDPR requirements, including:
- The right of subjects to contest/modify/delete their data;
- The requirement in certain cases to perform and retain data
protection impact assessments;
- The demand that certain decisions or profiling activities not be
based on sensitive classes of data;
- The need to have documented policies and a designated data
protection officer; and
- Requirements around adequacy determinations for cross-border data transfers.
Solving for GDPR compatibility with Data Science, Machine Learning, and AI
Rocky Coast Research can help you review your GDPR compliance
posture with respect to data governance, data analysis, machine
learning, and artificial intelligence. Managing risk under the GDPR is
challenging, especially for enterprises using data-oriented
technologies. A multi-disciplinary, cross-functional approach provides
the best path to risk governance. Together with our partners on the
legal side, Rocky Coast Research can help your business by:
- Defining a compliance roadmap and appropriate internal data governance processes.
- Conducting data processing audits.
- Scoping and preparing data protection impact assessments.
- Serving as a data protection officer.