The Role of Data Protection in AI Governance
Organisations today are allocating substantial budgets to AI without necessarily understanding how to govern it or where to begin. To reduce compliance costs and avoid reinventing the wheel, the privacy function can play a central role in building the necessary AI governance framework.
The Role of Data Protection in Accountable AI
There is no AI without data protection. AI fundamentally relies on data, and personal data will inevitably be part of the vast amounts of information required to build, use, and deploy AI systems. Many data requirements under the EU AI Act overlap with GDPR requirements (intentional and unintentional data use, impact assessments, risk assessments, incident handling, etc.). This familiarity allows Data Protection Officers (DPOs) to quickly assess the AI Act’s requirements. Complying with the new provisions of the EU AI Act is not sufficient on its own: the GDPR also applies to the same data processing, and the corresponding assessments must be conducted in tandem. DPOs are accustomed to dealing with contextual situations, ensuring transparency, assessing ethical aspects of data processing, and, most importantly, establishing accountable and trustworthy data protection governance frameworks, all of which are applicable in the AI governance context.
The Importance of Organizational Factors in Managing AI Risk Profiles
The AI governance framework should be tailored to the organization’s size, industry, resource availability, and strategic objectives to effectively manage risk and ensure responsible use of AI. By aligning the governance framework with these factors, organizations can ensure that AI technologies are developed and deployed in a way that supports business objectives while adhering to ethical standards and regulatory requirements.
Ulrika Dellrud
Large companies with diverse and complex AI activities need more comprehensive AI governance frameworks. In contrast, small and medium-sized enterprises (SMEs) may have fewer AI applications and can focus on key risk areas without extensive bureaucracy. Companies operating in highly regulated industries will need to consider additional stringent regulatory requirements in their AI governance frameworks. For companies where AI is not central to the business model, the governance framework can focus on minimizing risks in specific applications without extensive oversight of all business functions.
Benefits and Pitfalls of Working with AI Beyond Personal Data
The existing remit and mandate of the data protection function provide much of the knowledge required for an AI governance framework. It can positively influence ethical AI development and help shape AI policies, which has an important strategic impact, helps build trust, and enables the function to remain at the forefront of both technology and data protection law. However, there are several pitfalls when dealing with AI and personal data, including the complexity of navigating other areas of law and compliance, dealing with an ever-changing regulatory landscape, and balancing innovation with data protection. To better understand the world of AI, individuals need to expand their remit into other, less familiar areas and think beyond their existing expertise.
Effective Collaboration Between Key Stakeholders and the AI Function
While data privacy may initially play an important role in AI governance, successful integration of AI into the organization requires effective collaboration among various significant stakeholders (e.g., procurement, legal, security, privacy, compliance, risk, business, and finance) through cross-functional teams. To achieve this, the overarching framework must ensure senior management support for joint AI initiatives, so that priorities are set and resources are allocated accordingly while AI projects stay aligned with the organization's goals.
At the ISACA Europe Conference 2024, scheduled from October 23 to 25, Ulrika Dellrud and Punit Bhatia will discuss "The Role of Privacy in AI Governance" in more detail.