An AI/robot, with pick axe, mining data
PHOTO: Shutterstock

It is now just about a month before the GDPR regulation comes into effect. While it will force enterprises to take greater care of the personal data of their clients, there are implications for the development of emerging technologies too. It will, for example, make the deployment and use of artificial intelligence systems and apps more difficult and in some cases even slow down the rapid pace of ongoing development.

GDPR Makes Data Collection Harder

If data is the new oil, prices just went up, John Koetsier, a mobile economist at TUNE, a mobile marketing measurement company in Seattle, said. GDPR makes collecting data harder and more expensive, and that will have an impact on artificial intelligence. The most pain, however, will be felt by small organizations who are trying to build AI systems but who do not have huge streams of incoming first-party data. The big tech companies tend to have access to never-ending data from their own customers, making it much easier to get consent.

The effects of GDPR on AI will be two-fold. With respect to processing that has direct legal effects on the customer, such as credit applications, e-recruiting, or workplace monitoring, the GDPR will limit the usefulness of AI for these purposes, according to Lily Li, a privacy lawyer and owner of Metaverse Law, In these situations, under Article 22 and Recital 71, a business would generally need to undergo the time-consuming process of obtaining and recording explicit consent from all customers involved. 

However she says, with respect to fraud prevention and breach detection, the GDPR will likely increase the usefulness of AI. "AI detection of cyber threats will likely protect the rights of customers, and serves legitimate interests as recognized in Recital 47, GDPR will spur investments in AI cybersecurity” she said.

Related Article: The Missing Step in Reaching GDPR Compliance: Privacy Shield

The Promise Of Blockchain

Andrea Chmielinski Bigazzi is founder and CEO of Cinncinatti, Ohio-based Privacy Rules, an organization that provides experts and resources on privacy matters. He said that the GDPR obliges entities to adopt the best cybersecurity measures and internal human IT-hygiene procedures available at each single moment in processes. The more general human skills and global cybersecurity tools advance, the more they will have to be adopted and implemented by organizations.

While Artificial Intelligence/Machine Learning (AI-ML) solutions mature, automated processes can be seen as amplifiers and enhancers of human analysis, but cannot replace, at least not yet, the capacity of human intelligence and talent to regularly assess and evaluate the effectiveness of security and consider risks presented by processing. He said there are three reasons for this:

  1. AI/ML is also available to hackers and cybercriminals
  2. AL/ML is subject to license and copyright. Entities using AI/ML might be prevented by the effective use of the most updated software by simple reasons of competition among cybersecurity companies and trademarks.
  3. 95 percent of data breaches are reported as being caused by human error, and humans are in the best position to predict and prevent errors of other humans.

What extra precautions do companies have to take for AI-powered projects because of GDPR? “Increase transparency and trust between the company and their employees, partners and customers,” he said. 

One method that could be used is Blockchain, said Chmielinski Bigazzi. Blockchain organizes data in blocks and updates entries using an append-only structure, so any attempt to modify an entry destroys this structure and makes the attempt visible. "Blockchain helps make everyone aware of how their data is being used and can take immediate action at the first signs of any improper use,” he said.  

Related Article: Blockchain: 10 Questions To Ask Before Diving In

Finding The Middle Ground

The GDPR directive specifically indicates that data subjects (individuals’ whose data the company has) can contest automated processes related to management of their personal data.  Already though, the technology exists for machines to make what we might understand as judgment calls on data actions — whether to delete it, mask it or move it based on machine learning. In a rules-based approach, the human is playing puppet master and deciding what the system will automate.

In this scenario, Farid Vij, Director of Information Governance, ZL Technologies  said, it is still the human making the judgment call. While AI and machine-learning seems like the silver bullet to many, in resolving a GDPR challenge that is so expansive across a plethora of data, it also creates a challenge of explaining to regulators how these decisions are made, and raises as many questions as it answers.

There is a happy medium in this scenario where technologies require human decisions, but still apply automated rules-based decisions. In these cases, the human isn’t automating the decision, he, or she, is just automating the action. The human decides the rules for how data is managed or deleted or whatever the action is, and then let the technology implement it. You could call it automation with human oversight. You’re leveraging the tech, but at the end of the day you’re the one telling it what to do. “We have to be very prescriptive in how this technology is leveraged, ensuring that we — humans — are the ones still making determinations and judgment calls while allowing technology to do the heavy-lifting of implementing and executing the results of those determinations,” Vij said.  

GDPR And Personal Data

At the root of GDPR is personal data that directly or indirectly identifies a natural person in any format. It mandates that organizations cannot keep data and content forever and advocates better records management and strong information governance. That, however, is where the compliance challenge lies — information is locked inside of documents, according to Bruce Orcutt, senior vice president of global marketing at Moscow-based ABBYY, a global provider of content intelligence solutions. Companies are turning to "cognitive robot process automation" which combines advanced technologies such as natural language processing, artificial intelligence, machine learning and data analytics to mimic human activities such as perceiving, inferring, gathering evidence, hypothesizing, reasoning and interacting with human counterparts.

However, for Ramon Chen, Chief Product Officer at Reltio, GDPR was introduced because of technoloiges like AI and Machine Learning and will limit the ways these technologies are used. That is not to say that they will stop development, but simply that it will ensure that they develop while taking into considerations privacy concerns.

While analytics and rules have been used long before AI and ML entered the picture, GDPR requires that an individual has the right to request proof of how the conclusion or result was derived and have the right to a human review of the decision. “GDPR is simply echoing the skepticism that exists around the use of the AI and ML blackbox, which places complete trust and autonomous decision making on data management and insights,” he said.

“Even experienced IT professionals whose careers are focused on automation and reducing manual effort have conveyed that they feel more comfortable being able to see suggestions and a pattern of consistent success before accepting AI/ML-generated actions unilaterally with no intervention,' said Chen.

What is Master Data Management and How Can it Help

Even still, master data management (MDM) is a capability that can be used as a foundational component in helping companies comply with another GDPR requirement known as the right to be forgotten, which necessitates that a company understands every location where they may have stored an individual's data and can remove it when requested.

MDM includes the ability to automatically reconcile data across a variety of sources at scale and has, as part of its core capabilities, a framework for matching records, that will get routed to a human called a data steward when matches are too close to call. Ironically, a similar human intervention will be necessary when a person requests review of an AI/ML-based decision.

Chen added that traditional data management platforms have always brought together data of all types and sources. Many are adding on AI/ML to modernize their capabilities. However, enterprises must ensure that any tools they use contain a full suite of audit and lineage capabilities necessary to give them the transparency to comply with every GDPR requirement, especially when AI and ML are used. “It's a challenge facing many companies as their legacy data management tools were not designed from the ground up to meet the regulatory requirements and expectations now being enforced,” he said.

The international managing director of Provo, Utah-based InsideSales ,Martin Moran, pointed out that GDPR adds a level of complexity to AI development. GDPR is largely focused on PII (personally identifiable information), and there are several requirements companies will need to comply with. One is having consent from an individual to process personal data, another is the ability to show how that data is being stored, used and repurposed

“I believe the impact of GDPR will vary depending on the process companies have already taken towards AI in development stages. For companies that are indiscriminately capturing data and not managing that data in the context of existing legislation, the impact of GDPR will be fundamental,” he said.