AI meets Data Protection: How to navigate the risks and unlock the potential

8 Jul

According to a 2023 McKinsey report, the percentage of businesses using AI has risen from 20% in 2017 to over 50% in 2023, and shows no sign of slowing down. In the two months following the launch of ChatGPT in 2022, over 100 million users adopted the tool, making it the fastest growing consumer app in history. It now boasts over 122 million daily users.

AI has infiltrated, disrupted and impacted the way entire sectors operate at a speed which few people can comprehend. The first ‘AI-driven law firm’ was approved for practice by the Solicitors Regulation Authority (SRA) earlier this year. However, with this revolution, businesses must pause and reflect because, according to ChatGPT itself, “with great innovation, comes great responsibility”.

Our data protection experts have outlined their top tips for promoting effective use of AI within business, whilst maintaining an acute awareness of, and full compliance with, UK GDPR and the Data Protection Act 2018:

  1. Have a clear understanding of when data protection legislation applies to AI, and what the perceived risks are when dealing with AI and personal data;
  2. Know what your obligations are when using AI tools;
  3. Understand the implications of using automated decision making; and
  4. Make sure you are kept informed about all the latest regulations.

Applicability

Because AI systems typically hold, use and process large volumes of data, the AI system that your business uses may bring that use within the scope of the UK GDPR.

Remember, ‘personal data’, as defined within UK GDPR, expands far beyond names; it includes anything that can lead to an individual being identified, such as customer details, behavioural data, financial information and ID or reference numbers. Make sure that your business knows how to assess whether your use of any AI tools exposes you to data protection legislation. Given the way AI operates generally, it is likely there will be some privacy implications to consider.

Your obligations

If the UK GDPR applies to your use of AI tools, there are a number of considerations that will help ensure your ongoing compliance with data protection legislation.

Under the guiding UK GDPR principle of ‘accountability’, you’ll need to show not only that you have complied, but also the details of how you have complied. This becomes all the more important when processing sensitive personal data, and completing a Data Protection Impact Assessment (DPIA) is a solid starting point.

Similarly, under the guiding UK GDPR principle of ‘transparency’, you will need to include certain information within your privacy notices, including the type and nature of AI you’re using, how you will use that AI for the purpose of processing, and the reasons behind that purpose so that people understand how and why their information will be used.

Finally, any personal data that sits on an AI platform, or within an algorithm, must be kept both secure and restricted – this becomes more important if the data is a protected characteristic, such as religion or ethnicity, and there are strict compliance requirements in order to use that data at all.

Automated decision making

Increasingly, businesses are relying on AI to support—or even fully automate—decision-making processes. For example, a financial services provider might use an AI model to assess creditworthiness and automatically approve or deny a loan application.

Under the UK GDPR, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, if that decision produces legal effects or similarly significant impacts on them. This means that if a decision is made without any meaningful human involvement and it significantly affects someone—such as denying a loan or a job—specific rules apply.

There are limited exceptions to this rule, including when:

Even when an exception applies, organisations must implement appropriate safeguards, such as:

If your organisation plans to use automated decision-making, it’s essential to ensure that these safeguards are in place and that your use falls within the specific exceptions outlined in the UK GDPR.

Stay informed

There is currently no general statutory regulation of AI in the UK. There is, however, an EU AI Act, which has helped to shape and structure the UK's AI (Regulation) Bill, currently being processed in Parliament, but the Bill is not likely to progress significantly this year.

As a first step to increase your knowledge of the interplay between AI and data protection, the Government recently released its AI Playbook, covering topics such as using AI safely and responsibly and building AI solutions which are tailored to your needs. Further, the Information Commissioner’s Office (ICO) has issued guidance on AI and data protection.

And remember, if you’re unsure if or how your use of AI impacts personal data that you hold within your business, you should seek professional advice to understand the external regulations and any potential liabilities.

Feel free to reach out to the Data Protection team at Asserson with any questions.

Simon.weinberg@asserson.co.uk

Deborah.tastiel@asserson.co.uk