Regulation on data governance – Data Governance Act
The document contains new rules for data exchange within the EU. The regulation was adopted by the European Parliament on April 6, 2022. It aims to help businesses use big data in innovative ways. With artificial intelligence, organizations can:
– increase productivity,
– improve products,
– lower barriers to entry,
– introduce new products,
– reduce energy consumption emissions.
Today, many companies are still considering whether to introduce machine learning and deep learning systems into their organizations at an appropriate scale. The data governance rules were also introduced to build trust in how information is processed. The new regulations mainly enable:
– better use of data collected in public sector areas,
– creation of common European data spaces for multiple industries,
– secure sharing of data on a large scale.
Guidelines for the use and management of personal data in AI systems – CNIL
Following the adoption of the Data Governance Act, the French body CNIL has also presented the main principles for protecting and analyzing personal data with artificial intelligence. Because the use of AI to process personal data is often controversial, CNIL set out the requirements to follow in order to manage personal data in accordance with the provisions of the GDPR.
Here are some of the most important:
– define the goal – the system should be implemented and adapted according to the goal. It must be defined on the basis of a predetermined design and in line with the organization’s mission;
– establish the legal basis – an AI-driven system using personal data can only be implemented if it has a justification established by law. According to the GDPR, IT systems should first and foremost ensure the compliance of information processing;
– establish a retention period for the information – personal data must not be stored for long periods of time. The provisions of the GDPR require a period to be set after which the data should be deleted or properly archived. The retention period should be determined by the data controller;
– protect data from the risks associated with artificial intelligence models – the use of machine learning is based on the creation of models. Many studies have shown that large language models used in information systems tend to memorize certain textual elements. Potential attacks on these models could lead to the leakage of personal data, such as name, phone number, etc. It is therefore necessary to implement both technical and organizational measures to minimize this risk;
– ensure transparency of information – GDPR regulations require that all communications and information related to the processing of personal data be understandable, transparent and easily accessible;
– ensure accessibility to data – people whose data is used in AI information systems have the full right to control it. In this case, the person responsible for access to the file should provide detailed information to the persons concerned, for example, about the form of processing of their personal data;
– automate decision-making – an organization may automate decision-making processes if the person concerned consents to it. Automated decision-making is allowed with consideration of Article 22 of the DPA.
In addition, the CNIL has stressed the importance of assessing AI systems and has published a guide to auditing artificial intelligence (AI) systems. The guide aims to enable an enterprise-wide assessment of the maturity of AI software in relation to GDPR regulations.
Here are some of the most important aspects to consider when evaluating your systems for GDPR compliance:
– comply with the provisions of the GDPR when collecting and building the database,
– ensure the quality and transparency of the system when using it,
– analyze risks and prevent breaches,
– preserve the right of freedom of individuals when processing data,
– ensure proof of system compliance with various standards, certifications and codes.