Two acronyms are sure to grab headlines in 2018: AI and GDPR.
Gartner called AI the most disruptive technology of the next 10 years, and the technology will certainly continue to generate attention with advances and new applications in 2018.
The General Data Protection Regulation (GDPR) — a set of stringent European Union rules governing the way companies collect, manage, and use information about EU citizens — was described as a top priority by 92 percent of corporate leaders who responded to a recent survey.
GDPR has put in place a May 25th, 2018 compliance deadline with significant penalties for noncompliance. If an organization doesn’t meet this deadline, it is subject to fines of up to 4 percent of its annual worldwide revenue or €20 million, whichever is greater.
This raises the question: Can AI help organizations meet the GDPR’s compliance deadline and avoid penalties?
After all, AI is all about handling and deriving insights from vast amounts of data, and GDPR demands that organizations comb through their databases for rafts of personal information that falls under GDPR’s purview.
The answer: AI probably won’t be a magic bullet as companies scramble to address the regulation’s provisions.
For one thing, AI, despite all its promise, has not yet reached the adoption tipping point necessary to make it much of a factor in the GDPR effort.
“Total investment (internal and external) in AI reached somewhere in the range of $26 billion to $39 billion in 2016, with external investment tripling since 2013,” a McKinsey report says. “Despite this level of investment, however, AI adoption is in its infancy, with just 20 percent of our survey respondents using one or more AI technologies at scale or in a core part of their business, and only half of those using three or more.”
For another thing, it’s questionable to what extent AI can tackle the unique GDPR requirements, most of which simply don’t lend themselves well to automation.
GDPR aims to give EU citizens greater control over their personal data and to hold companies accountable on matters such as data use consent, data anonymization, breach notification, cross-border data transfer, and appointment of data protection officers.
For example, organizations will have to honor individuals’ “right to be forgotten,” where applicable — fulfilling requests to delete information and providing proof that it was done. They must also obtain explicit, rather than implied, permission to gather data. And they are required to allow people to see their own data in a commonly readable format.
GDPR covers any information that can be used to directly or indirectly identify an individual — such as names, photos, email addresses, financial details, posts on social networking sites, medical information, or a computer IP address — no matter when it was collected.
In fact, there are questions about whether the EU will catch AI itself in its legal crosshairs, because GDPR states that European citizens have a right to an explanation when an automated decision is made about them.
The system will undoubtedly work those issues out, but, in the meantime, companies should roll up their sleeves and take a thorough, systematic approach to preparing for the May 25th deadline rather than looking to AI as a panacea. That multi-step strategy should include:
Data. A comprehensive plan to document and categorize the personal data an organization has, where it came from, and who it is shared with.
Privacy notices. A review of privacy notices to align with new GDPR requirements.
Individuals’ rights. People have enhanced rights, such as the right to be forgotten, and new rights, such as data portability. This demands a check of procedures, processes, and data formats to ensure the new terms can be met.
Legal basis for processing personal data. Companies will need to document the legal basis for processing personal data, in privacy notices and other places.
Consent. Companies should review how they obtain and record consent, as they will be required to document it. Consent must be a positive indication; it cannot be inferred. An audit trail is necessary.
Children. There will be new safeguards for children’s data. Companies will need to establish systems to verify individuals’ ages and gather parental or guardian consent for data-processing activity.
Data breaches. New breach notification rules and new fines will affect many organizations, making it essential to understand how to detect, report, and investigate personal data breaches.
Privacy by design. A privacy-by-design and data-minimization approach will become an express legal requirement. It’s important for organizations to plan how to meet the new terms.
Data protection officers. Organizations may need to designate a data protection officer and figure out who will take responsibility for compliance and how they will position the role.
There are many issues organizations need to consider as they ensure GDPR compliance. But for now, only a human can do the heavy lifting required by this process.
David Fowler is head of privacy and digital compliance at Act-On Software, a marketing automation provider.