Communicating Your AI and Robotics Products’ GDPR Compliance
It’s important to understand the world of law and regulations when developing any data-driven product. Data powers most modern technology. Many AI systems and robots would be impossible to develop without data. For instance, without data, an autonomous vehicle would be unable to find the fastest route to take you home after a long day at work. Your favorite streaming service would no longer give you a good recommendation for a new TV series to binge-watch. Google wouldn’t have predictive text. Robo-advisors would fail to assist you in making money based on your investment preferences, past actions, and current financial situation.
The European Union’s General Data Protection Regulation (GDPR), a privacy and security law, creates firm limits and regulates how companies can collect, store, use, share, and even access personal data. Because of GDPR and laws like it, many tech companies worry about the future (or at least the commercial viability) of AI and robotics. However, it is best to think of GDPR compliance as a speed bump rather than a barricade. Not unlike a speed bump, the law actually exists to help keep people safer. Of course, not every company in the United States needs to comply with GDPR. For more information on which companies must comply, you can view our earlier article on GDPR coverage here. That said, companies that must comply with GDPR should determine how it regulates and limits their ability to collect, use, and share personal data.
The European Union is not trying to prevent all use of personal data. Instead, with a view towards giving individuals rights and controls over how others use their personal data, the GDPR simply requires additional controls over how data is managed and used. For instance, controls must allow individuals the ability to access, correct, and move personal data, as well as to request deletion of it when it is no longer needed. If tech companies manage personal data while empowering individuals to exercise their rights, they will still have enough data to innovate and remain competitive.
Privacy and Security Considerations for AI & Robotics
There are a few things GDPR-covered companies should keep in mind when developing compliant AI systems or robots. First, whether companies develop these products for B2B or B2C applications, they should analyze the target use cases carefully. Products developed for business use might not collect or use as much personal data (and thus fewer restrictions may apply under the law). Nonetheless, GDPR will greatly impact AI systems and robots developed for individual end-users.
Here are some of the many other considerations that companies must take into account:
Age of Consent: The GDPR sets a default age of 16 years old for deciding when a child can give valid consent. Some EU countries have chosen to lower the age of consent to as young as 13 years old. But what about tech products used by consumers who are 12 years old or younger? Minors in this age group watch TV shows, play video games, access home security panels, and use websites for research. Using Alexa, some may even be able to order items online. For younger persons below the age of consent, a parent or guardian would need to provide consent on the child’s behalf.
Transparency: The GDPR requires companies to avoid technical jargon and hard-to-understand language in privacy policies, and instead use clear and plain text that consumers can understand. Consumers need to know what personal data is being collected, how, why, and by whom. They also need to understand how companies use and share personal data.
The Right to an Explanation: When companies use automated personal data processing, as they do with AI systems, they must provide consumers with an explanation of how the system came up with the results it did when the consumer requests one. As part of that explanation, a company may need to explain how its AI algorithms make decisions, and how an AI’s decision may impact (or did impact) the requesting consumer. Providing an explanation may be difficult for many AI systems, but GDPR requires it nonetheless.
The Right To Be Forgotten: One of the most controversial GDPR requirements for tech companies is providing the right for users to demand that all their data be erased from servers. Tech companies like to hang on to data for as long as possible, even after users close their accounts. The data mined from their use of platforms helps AI algorithms predict user preferences so companies can stay ahead of the game. If more people request to have data removed from servers, AI systems could potentially malfunction or make less-informed decisions due to a dearth of data. While some exceptions exist under the law allowing continued retention of personal data, companies must have mechanisms to facilitate deletion requests.
Accountability for AI’s Actions: PC Mag, a well-known American tech magazine, points out that even engineers don’t fully understand how AI systems arrive at their decisions. This may sound strange to people who do not work in tech: how could the makers not know how the AI functions at any given juncture? That type of tracking is easier said than done; the fact of the matter is that the entire reason companies rely on AI is that machines can consider an astronomical number of possibilities within seconds. A perfect example of this is Google’s search engine; it returns your results in microseconds. GDPR will now hold companies accountable for AI’s decisions, sometimes making manual reviews necessary to keep in line with privacy and security regulations. System designers need to build mechanisms into new systems to facilitate requests for explanations. The time to create explainability mechanisms is now.
Third-Party Sharing: Companies must be careful about sharing personal data with third parties. GDPR requires companies transferring personal data to service providers to ensure their vendors provide GDPR-level protection. They must not only ensure protection on paper by agreement; they must also oversee their vendors to ensure that they actually provide the protection they promised in the agreement.
Communicating GDPR Compliance
Consumers are entering a new era of control in California, other parts of the United States, and the European Union. Globally, more countries and states are enacting data protection laws of their own with an eye towards consistency with GDPR. To remain competitive and build trust, companies will need to communicate their compliance to consumers in a way they understand. To achieve this, there must be standards in place that people recognize and trust.
The GDPR itself makes provisions for certification schemes and the creation of accredited bodies. For example, in the U.K., it is the responsibility of the Information Commissioner’s Office (ICO) to complete the following tasks related to these provisions:
Publish the final guidelines for accreditation of certification bodies that will assess compliance with certification schemes’ data protection criteria.
Seek opinions from the European Data Protection Board on additional accreditation requirements.
Begin accepting certification schemes for approval.
Finalize and publish additional accreditation requirements.
Facilitate a system in which certification bodies can look at companies’ compliance with a data protection framework and provide a trustmark seal or logo that companies can use to show to individual consumers that they meet the data protection criteria in the framework.
The ICO scheduled the completion of these activities for the summer and autumn of 2019. As yet, there are no known official certification schemes or accreditation guidelines for GDPR compliance in place. Even so, there are four certifications and seals worth considering for demonstrating robust data protection practices. These are provided by organizations that companies and even governments trusted to provide proof of compliance for other policies before the GDPR.
The first is the ISO 27001 Information Security Management standard. This standard is generally accepted as an international data security framework and is commonly used to help companies demonstrate the robustness of their security practices. Second are the various certifications provided by TrustArc, a California-based organization that previously assisted with demonstrating compliance with privacy laws in the United States, such as HIPAA. Third on the list is Cyber Essentials in the U.K. This certification is such a trusted standard of protection measures against cybercrime that some governments require companies to obtain it in order to qualify for government contracts. Finally, consider Europe-based EuroPriSe. This organization provides a privacy certificate to give consumers a sense of trust in the privacy practices of a company.
How To Use GDPR Compliance Communication as a Marketing Tool
For years, consumers in the European Union and the rest of the world remained ignorant of how tech companies collected and used their data. While they understood the benefits (or at least the services being offered), few people grasped the risks involved and the potential for misuse. Then, the events surrounding Facebook’s sharing of personal data with Cambridge Analytica came to light and raised awareness of the need for more robust personal data protection just as the GDPR took effect. Concerns with data protection also motivated California’s legislature to enact a privacy law reminiscent of GDPR, officially the California Consumer Privacy Act (CCPA). Given the widespread media coverage of new data protection laws, compliance with new standards gives companies an opportunity to differentiate themselves from competitors whose lax personal data handling practices may have led to data breaches and to personal data oversharing and misuse. In short, marketing messages that emphasize strong data protection practices may give companies a competitive advantage.
Companies that wish to embrace GDPR compliance as a marketing tool should consider certifications and seals that are currently available, and investigate those that are in the process of being developed. These seals and certifications should be openly displayed on websites, in apps, in ads, and on physical products. Seals and certifications provide immediate assurances to consumers of a company’s commitment to ensuring the security and ethical use of their personal data.
While consumers may acknowledge or recognize the many seals and certifications, few will truly appreciate the meaning of these without proper education. Companies may seek to further educate consumers by partnering with organizations already taking on this task and sponsoring some of their high-profile campaigns. By openly supporting rather than attempting to fight consumer rights and freedoms, companies may obtain and retain consumer trust for years to come.
What To Expect for AI and Robotics on the Road Ahead
Does the GDPR negatively affect the way AI and robotics will work now compared to how they did before? GDPR has definitely introduced challenges for some companies, perhaps requiring them to entirely rethink how they approach the development of their products and services. However, after revamping their products and services, these companies may find that consumers find them more compelling than before.
Consider this analogy. Banning athletes from taking certain steroids and other performance-enhancing drugs in the Olympics created challenges and required a revamping of training programs. What have countries done since then to remain compliant and competitive? They helped their athletes train harder. Have the Olympics been any less entertaining or fulfilling because of these regulations? No, they haven’t.
Unlimited access to and use of data were the steroids of the tech community. The GDPR has slowed the race, but this provides an incentive for tech companies to become more creative and efficient within the new constraints. If tech companies adhere to GDPR’s requirements, they can build trust with consumers and ultimately make their products and services more attractive.