Skip to main content

Making sense of the GDPR & Artificial Intelligence paradox

(Image credit: Image Credit: Advanced)

The General Data Protection Regulation (GDPR) came into force in May 2018, to unify and regulate how data is processed, used, stored and exchanged for citizens and residents within the European Union (EU). While this law has been in effect for some time now, it still raises multiple questions for businesses around the world.

This is especially true for both those who provide and those who leverage Artificial Intelligence (AI) while conducting business in the EU. AI is dependent upon a healthy flow of data in order to drive business growth and generate valuable business insights. Article 22 of the GDPR concerns automated profiling and decision making and outlines the ramifications for the incorrect use of data in these circumstances. The problem is that the ultimate goal of AI is to make automated decisions without user consent.

In essence, Article 22 of the GDPR limits the potential use of AI as a tool to make efficient, automated, decisions… Or does it?

What does GDPR mean for AI?

AI and data are natural friends. AI works by analysing large buckets of pre-labelled data and making informed decisions from this data. Therefore, in order for organisations to reap the rewards AI promises to deliver, they need to ensure that the AI technology or software they are using has access to as much clean data as possible. The introduction of GDPR means that there are now limitations to what data organisations can provide to their systems to equip them for usage.

It may seem that this is a hindrance to the advent of AI, and in some cases, it has been. For instance, there have been instances of organisations that have had to delete vast pools of CRM contact data due to not having collected consent or evidence of prior activity and legitimate interest to satisfy Article 6 of GDPR, limiting their capability to apply an AI technology to their CRM data. In this respect, not only is the AI industry is suffering but also the individual organisations hoping to leverage it as it means they are not failing to realise the benefit of AI, but also failing to unlock the true revenue-generating potential of their CRM systems. In addition, one could argue that engineers who have spent their time ensuring that their products and services are GDPR-compliant could have better spent this time developing AI tools and programs.

Both these setbacks are however short-term, and in the long-run GDPR may actually serve to benefit both the AI and the technology industry. GDPR and other privacy regulations in-force around the world for that matter provide a framework for how businesses should handle personal data and protect customer privacy. They will encourage developers to put privacy at the front of the mind and build privacy standards into their products from the beginning. GDPR also provides a model of execution for organisations that brings privacy to the forefront, which AI can be successfully integrated into.

How to get the most out of AI under GDPR.

1. Investigate the law yourself, thoroughly. Although the documents may seem long and tedious to read through it is imperative that organisations do so, if they want to understand how to comply with the new laws. If you read it carefully enough, it is clear that most AI applications will not actually be inhibited by GDPR.

2. Listen to news, not fear-mongering. Enforcement of the GDPR will inform you of the real risks, and how to avoid them in the near future. Lessons should be learnt from Marriott and British Airways who both faced huge privacy fines under the GDPR. Make sure you monitor it, but do not allow them to alarm you. News of organisations being held accountable for their lack of compliance with the GDPR could cause unnecessary panic. For example, Google was fined €50 million fine, when this hit the headlines it panicked organisations without mainstream media giving context to the fine. Firstly, not all companies will be charged millions and millions. While violations could result in fines up 4 per cent of earnings, it is highly unlikely. Moreover, the best way to avoid fines is to simply follow the law.

Thoroughly vet your vendors. Sign valid data processing agreements. Be transparent. If you follow the law, you won’t end up in a sticky situation. See Article 83(3).

3. Prepare your AI. If there are concerns that your AI technology stack could be automatically capturing data, then you must prepare your AI tech to comply with these laws. If you ‘teach’ the AI the privacy element that is needed, then it will follow these laws. If you wanted a more advanced path for your AI to take, then you could even go as far as to input the data and information of GDPR. For example, Article 6 of GDPR states that organisations cannot process or obtain data without consent and legitimate interest in the customer. So, making your AI keep a record of consent when it asks for data ensures this will not only prepare the AI but also keep your company away from breaching any law.

While GDPR does further complicate the collection of data subject data in many cases, GDPR and AI are clearly not arch enemies. The existence of this regulation may create the trust and acceptance that is necessary to drive AI growth in the EU, so it should not be feared but embraced by AI-driven organisations.

Oleg Rogynskyy, Founder & CEO,

Oleg Rogynskyy is the Founder and CEO of