Audits of personal data processing that include Artificial Intelligence

Recently, the Spanish Data Protection Agency (AEPD) published a guide setting out the requirements for audits of personal data processing that include Artificial Intelligence (AI). It provides guidance and a list of possible control objectives and specific controls that could be incorporated into these audits from a data protection perspective. According to the AEPD, processing personal data in which AI is used to carry out analysis and inferences requires a mature development model that provides quality and privacy guarantees, as well as effective measures of control, correction, responsibility, accountability, risk management and transparency relating to the systems and data processing in which it is used.

Audits of personal data processing with Artificial Intelligence

The Guide, "Requirements for audits of personal data processing that include Artificial Intelligence", is the result of a deep analysis. It was developed from a study carried out by Éticas Research and Consulting, commissioned and supervised by the Spanish Data Protection Agency, and from reviews carried out by experts from the Artificial Intelligence Hub of the Higher Council for Scientific Research (CSIC AI HUB), the Observatory of the social and ethical impact of artificial intelligence (OdiseIA), the Professional Association of Higher Bodies of Information Systems and Technologies of Public Administrations (ASTIC), the Teaching Innovation Group in Cybersecurity (CiberGID)-ETSI Informática – UNED, and the Center for Technological and Industrial Development (CDTI).

From the perspective of the General Data Protection Regulation (GDPR), article 24 establishes the obligation on the part of those who process data to apply “appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing is in accordance with this Regulation.” This requires objective criteria for auditing artificial intelligence components from a data protection perspective. To that end, the Guide includes objectives such as inventorying the audited artificial intelligence component, identifying responsibilities and complying with the principle of transparency; identifying the purposes, intended uses and context of use of the component; analyzing the proportionality and necessity of the processing, and determining the recipients of the data and the limits on its retention; ensuring the quality of the data, controlling possible biases, and verifying and validating the actions carried out and the results obtained. For each of these objectives, the Guide identifies a variety of controls that facilitate its achievement.

This Guide, together with the document "Adaptation to the GDPR of data processing that incorporates Artificial Intelligence. An introduction", published in February 2020, constitute two useful tools for the DPO with regard to effective compliance with the principles of personal data protection in processing that includes artificial intelligence solutions.

Source: AEPD. 

1. AEPD. Requirements for audits of personal data processing that include Artificial Intelligence.
2. The selection of the controls to be audited, the extent of their analysis and the formality required in their implementation will depend, as in any audit, on the objective and scope defined for it, as well as the risk analysis carried out. The auditor must select the controls that are appropriate for the specific audit and add those that he deems appropriate.
3. These measures must be selected “taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of people”, and one of the tools for “ensuring and being able to demonstrate” compliance with the GDPR is conducting audits.
4. complying with the principle of active responsibility of the GDPR, among others.
