It’s not a shocking revelation to say that AI has come more into the focus of the DPO since the introduction of ChatGPT. In the context of algorithms and other learning models, we’ve encountered AI more often, but since ChatGPT, it has become unavoidable and also available to every employee in an organization.
A question for many DPOs is therefore: can we continue to rely on the existing handles of the GDPR, or do we need to look elsewhere for our guidance? After all, the GDPR was proposed in 2012 when this technology was still in its infancy. The fear that the GDPR is already outdated is probably unfounded. After all, innovation is timeless, and the basic principles of data processing have not changed much since 1980. They are comprehensive principles, and with a bit of mental gymnastics, they can also be applied to the AI context.
This means, for example, a greater focus on the principle of accuracy: what data was used in training the model, and how do we know it is correct and free of bias? We are familiar with the principle of “garbage in, garbage out”. Therefore, AI software providers must be explicitly asked what guarantees they can provide in this context.
At the same time, the impact of AI goes beyond merely processing personal data. While the GDPR governs the side of AI involving personal data through various general obligations and principles, there is a need for a broader framework for regulating AI in general. Europe was already thinking about this in the form of the AI Act before the ChatGPT hype.
The final stages are the hardest, although the AI Act has now reached the final stages of European approval. Fundamentally, we see many similarities with the GDPR, such as the general governance approach and risk-based approach. For example, an important role in the AI Act is reserved for the assessment of AI and the potential risks. A concept that DPOs are already familiar with in the form of the DPIA, so it’s not strange that organizations are already secretly looking to the DPO to monitor various obligations from the AI Act.
A prepared DPO counts for two, and let the AI Act and the synergy between the GDPR and the AI Act be precisely what our next Stay Tuned Session is about. In addition to the usual discussion of national and international matters of data protection authorities, this Stay Tuned workshop will focus on the AI Act and, more specifically, the implementation of an AI Impact Assessment.
For more information or to register? Look HERE