USING ARTIFICIAL INTELLIGENCE TO MAKE AUTOMATED DECISIONS ABOUT PEOPLE
Decisions made using artificial intelligence (AI) can draw on more data points for a better and faster result - this is good, as long as you get it right!
The use of AI for decision-making and profiling can be beneficial when applied fairly, offering faster and more consistent decisions, especially with large data sets. However, when a decision impacts significant aspects of a person’s life, AI can lead to errors and unclear processes. The GDPR regulates making decisions like this to protect people from the risks of automated processing - both the UK and EU versions of the GDPR do this. The EU AI Act sits on top of these existing rules.
How does the UK GDPR apply?
The UK GDPR protects against decisions solely based on automated processing, including profiling, if these decisions have legal or significant effects. Profiling involves collecting and analysing personal data using AI. Under UK GDPR, even where AI only assists with a decision, that decision may still be considered automated if AI is involved at any stage of the process.
What questions should be asked?
When using AI for decision-making, you need to consider:
Does the decision-making fall under the GDPR's prohibition on automated decision-making?
Does the decision have legal or significant effects on the person?
Is the decision fully automated?
Do exceptions apply, and if so, are the necessary safeguards in place?
Prohibited automated decision-making
You cannot use AI for decision-making if it has legal or significant effects on an individual and is fully automated, unless an exception applies. Legal effects include changes in legal status or rights (e.g., benefit entitlement), and significant effects impact someone's circumstances or choices (e.g., job offers or loan approvals). Human involvement in the decision must be meaningful, with the ability to override the AI's recommendations. Human in the loop is a growing compliance requirement.
Exceptions to the prohibition
You can use AI for decision-making if:
It is necessary for a contract with the data subject
It is authorised by law
The individual has given explicit consent
In all cases, safeguards must be in place to protect rights and freedoms, and the individual must have the right to challenge the decision or request human intervention.
Special category data
If AI profiling involves special category data, exceptions may still apply, provided explicit consent is given or the processing serves a substantial public interest. Special category data is:
personal data revealing racial or ethnic origin
personal data revealing political opinions
personal data revealing religious or philosophical beliefs
personal data revealing trade union membership
genetic data
biometric data (where used for identification purposes)
data concerning health
data concerning a person’s sex life
data concerning a person’s sexual orientation
Human oversight and transparency
For automated decisions with legal or significant effects, organisations must ensure a lawful basis for the processing and that the process is fair and transparent. This includes conducting data protection impact assessments (DPIAs), regularly reviewing AI systems, and giving individuals meaningful information about how decisions are made. People must be able to challenge decisions, express their views, and obtain human intervention.
Challenges with AI in decision-making
AI's complexity can make it difficult for humans to explain or challenge decisions, especially when an AI system is highly accurate but still gets a decision wrong. To mitigate these issues, organisations must design AI systems with transparency, regularly audit for biases, and ensure that individuals can exercise their rights easily and meaningfully.
Making sure you get it right
If you are making automated decisions using technology (even when technically there is no ‘AI’) you must comply with the GDPR - and the more complex your technology, the more likely it will be that you have also triggered various requirements of the EU AI Act. You must carefully assess whether your use of AI falls under prohibited decision-making, whether exceptions apply, and if proper safeguards are in place. Providing transparency and meaningful human oversight is crucial in ensuring fairness and compliance with GDPR.