Written by: Haim Ravia and Dotan Hammer
The European Data Protection Supervisor (EDPS) has issued guidelines on generative AI and personal data for EU institutions (EUIs) to ensure compliance with GDPR-like regulations that apply to EU institutions. These guidelines emphasize core data protection principles and offer practical examples to help anticipate and manage risks and challenges. While generative AI offers innovative solutions across various fields, it also presents significant challenges to fundamental rights and freedoms. As AI technologies evolve, EUIs must use them responsibly for the public good, ensuring they adhere to legal frameworks when processing personal data.
The guidelines call on EUIs to –
- Clearly identify whether they are controllers, processors, or joint controllers for specific processing operations and understand their obligations and responsibilities under the Regulation.
- Involve all stakeholders, including Data Protection Officers (DPOs), Legal, IT, and Local Information Security Officers (LISOs), to ensure robust data governance and regulatory compliance. Establish an AI task force and develop an action plan that includes awareness campaigns and internal guidance.
- Manage risks throughout the AI system’s lifecycle with regular monitoring and identification of emerging risks. Consult the EDPS if unmitigable risks arise. Ensure personal data processing is legally justified under the Regulation and that consent meets regulatory requirements.
- Ensure effective generative AI systems with well-structured datasets that prioritize quality over quantity. Continuously assess data accuracy throughout the system’s lifecycle and reconsider system use if accuracy cannot be maintained.
- Provide individuals with all required information under the GDPR-like regulation when using generative AI systems that process personal data, and ensure this information is regularly updated.
- Carefully consider the use of generative AI systems in decision-making to avoid unfair, unethical, or discriminatory outcomes. Prioritize bias minimization and mitigation and maintain oversight of algorithms and training data.
- Implement measures to safeguard individual rights from the system’s early stages, with detailed recording and traceability of processing activities.
- Plan for IT security, including continuous monitoring and technical support, to address security risks and malicious attacks.
Click here to read the EDPS’s guidelines on generative AI and personal data for EUIs.
