The European Data Protection Supervisor (EDPS) AI guidance for EU institutions has lessons for businesses. This includes when inputting personal information into these tools. The recommendations from the guidance fall into five categories, which businesses can take as potential principles. Namely:
- Do your diligence. Know where personal information enters AI processes. Personal information can show up in training, during use, and in the results the AI gives. It is important to check every step for risks to personal data.
- Be transparent. Do not just use public data and hope for the best. Privacy laws impose obligations to tell people why their information is being collected and how it will be used. They also require telling people who will handle their personal data.
- Be accountable. This means making it clear who is responsible for decisions about personal data and keep accurate records. In the guide, the EDPS reminds EU Institutions that as AI changes, security risks like hacking become more common. So, businesses need to update their defenses often.
- Respect the rights of individuals. Let people see, fix, or remove their data, even if the data is hidden in AI systems. This can be technically demanding, but the burden is on the business to make it possible.
- Be thoughtful. Do not use a check-the-box approach to risk assessments. Before deploying a new generative AI system, conduct a full Data Protection Impact Assessment, question whether all data collection is genuinely necessary, and prefer anonymized or synthetic data where possible. Keeping up with regular checks for accuracy and bias, plus open communication with staff and users, helps build compliance.
Putting it into Practice: These recommendations were directed to EU Institutions, not private businesses. However, they may signal what regulators expect of businesses when implementing AI tools. As AI laws and obligations continue to develop, consider basing your privacy program on these principles from diligence to thoughtfulness. Taking a principle-based approach to compliance can allow your company to more nimbly react as laws develop and change.