Software Responsibility and the General Data Protection Regulation (GDPR)

Fairness, Accountability, and Transparency are required by the new law

Why Machine Learning and Data Science Complicate GDPR Compliance

Data science, machine learning, and AI present new compliance issues. Simply marking and redacting PII is no longer good enough to prevent sensitive inferences: data analysis systems can and will rediscover the redacted information from the fields that remain. Correlations in data can also reproduce unfairness present in the world or support problematic inferences.

  • Machine learning can easily make decisions based on sensitive attributes, even when they’re removed from data, making the concept of PII obsolete.
  • The GDPR places restrictions on processing personal data. But when you can't tell what is and isn't personal data easily, compliance can be a challenge.
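The rediscovery problem above can be checked for directly. The following is an added illustration, not code from the original page: a small proxy-leakage audit over constructed records that measures how well each remaining column reconstructs a sensitive attribute after that attribute has been redacted. The field names, records and the 0.15 flagging threshold are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real data). "group" is the sensitive
# attribute a redaction step would strip before the data reaches a model;
# "zip" and "plan" are the fields that would remain available to it.
_ROWS = [
    ("021", "basic", "A"), ("021", "plus", "A"), ("021", "basic", "A"),
    ("021", "plus", "B"), ("940", "basic", "B"), ("940", "plus", "B"),
    ("940", "basic", "B"), ("940", "plus", "A"), ("606", "basic", "A"),
    ("606", "plus", "B"),
]
RECORDS = [dict(zip(("zip", "plan", "group"), row)) for row in _ROWS]


def majority_baseline(records, target):
    """Accuracy of always guessing the most common value of `target`."""
    counts = Counter(r[target] for r in records)
    return counts.most_common(1)[0][1] / len(records)


def reconstruction_accuracy(records, feature, target):
    """Accuracy of predicting `target` from `feature` alone by taking the
    most common target value seen for each feature value. This is an
    in-sample estimate; a real audit would fit on one split of the data
    and score on a held-out split to avoid overstating the leak."""
    by_value = defaultdict(Counter)
    for r in records:
        by_value[r[feature]][r[target]] += 1
    correct = sum(c.most_common(1)[0][1] for c in by_value.values())
    return correct / len(records)


def proxy_audit(records, target, threshold=0.15):
    """Return {feature: accuracy} for every non-target field that predicts
    the redacted attribute better than the majority baseline by more than
    `threshold`. Flagged fields act as proxies for the sensitive attribute
    and need the same governance treatment as the attribute itself."""
    baseline = majority_baseline(records, target)
    leaks = {}
    for feature in (k for k in records[0] if k != target):
        acc = reconstruction_accuracy(records, feature, target)
        if acc - baseline > threshold:
            leaks[feature] = round(acc, 2)
    return leaks


if __name__ == "__main__":
    # Here "zip" recovers "group" for 7 of 10 records against a 0.5
    # baseline, so redacting "group" alone does not remove the inference.
    print(proxy_audit(RECORDS, "group"))
```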

Key data science questions for GDPR compliance include:

  • How do you know which data can be included in a particular model?
  • What do you do when you must delete data? Can you keep models based on those data?
  • Do you have obligations to explain how a model works? To explain how it impacts decisions?
  • Will data-focused technologies give correct answers without using an illegal or protected basis for any decisions?

GDPR and Data Governance Requirements

The GDPR sharpens data governance imperatives to make uses of data more transparent, accountable, and unbiased. The GDPR makes data governance a compliance concern, due to:

  • The GDPR's demand for explicit and meaningful consent from data subjects;
  • Limits on “profiling” and on processing certain categories of sensitive personal data;
  • Controls around “automated decision making”; and
  • The requirement that data controllers provide “meaningful information about the logic involved” in data processing.

Any organization that aims to be GDPR compliant must be able to answer, for all of its data:

  • Where did our data come from? For how long do we store our data?
  • How do we use our data? Do we have a legal basis for processing or storing our data?
  • Which kinds of data can we safely combine and use together?
  • What kinds of analysis or predictions are allowed?

Additionally, traditional data governance activities can be complicated by GDPR requirements, including:

  • The right of subjects to contest/modify/delete their data;
  • The requirement in certain cases to perform and retain data protection impact assessments;
  • The demand that certain decisions or profiling activities not be based on sensitive classes of data;
  • The need to have documented policies and a designated data protection officer; and
  • Requirements around adequacy determinations for cross-border data transfers.

Solving for GDPR compatibility with Data Science, Machine Learning, and AI

Rocky Coast Research can help you review your GDPR compliance posture with respect to data governance, data analysis, machine learning, and artificial intelligence. Managing risk under the GDPR is challenging, especially for enterprises using data-oriented technologies. A multi-disciplinary, cross-functional approach provides the best path to risk governance. Together with our partners on the legal side, Rocky Coast Research can help your business by:

  • Defining a compliance roadmap and appropriate internal data governance processes.
  • Conducting data processing audits.
  • Scoping and preparing data protection impact assessments.
  • Serving as a data protection officer.