The ICO exists to empower you through information.

This section is predominantly for AI engineers and key decision makers in the development and use of AI products and services. It also provides foundation knowledge for DPOs and risk managers. 

Control measure: A risk-based approach has been taken to analysing and navigating potential and existing trade-offs between data protection considerations and people’s rights on one hand and other competing values and interests on the other.

Risk: Inadequate or inappropriate analysis or decisions lead to AI systems that incorrectly prioritise one criteria over another more important one. The UK GDPR requires appropriate technical and organisational measures to be put in place to implement the data protection principles effectively and safeguard people’s rights. This may breach UK GDPR articles 5(1)a-b and 25.

Ways to meet our expectations:

  • ‘Bake in’ data protection to your processing activities and business practices, throughout the lifecycle from the design stage. 
  • Document the approach and methodology for identifying and assessing AI trade-offs, including the reasons for adopting or rejecting particular technical approaches.
  • Use available technical approaches to minimise the need for any trade-offs and evaluate the potential impact on people.
  • Review trade-offs regularly by applying a robust, independent, and risk-based process.
  • Review emerging or new trade-offs that could arise if new considerations come to light during ongoing system performance monitoring and quality assurance checks.
  • Consider the following when designing your AI system:
    • AI algorithm accuracy vs explainability (increasing data points means more accurate algorithms but are more difficult to work with and for people to understand).
    • AI accuracy vs speed (increasing data points may improve accuracy but reduce speed of decisions).
    • AI transparency vs understandability (too much technical detail might prevent people from understanding).
    • AI transparency vs security risk (explaining the system fully to people may highlight security vulnerabilities).
  • Ensure decisions made during the trade-off analysis are signed off at an appropriately senior level.

Options to consider:

  • Release a new product if new datasets become available, rather than adding this new information to an existing system or model, if there is the potential for this to impact on system performance, bias, discrimination, or statistical accuracy.
  • Conduct an algorithmic or privacy impact assessment (AIAs) in addition to the DPIA, to evaluate the potential societal impacts of AI systems. This includes their implications for people’s individual rights, social justice, and human dignity. This involves assessing the potential biases, discrimination, and unintended consequences of AI system decisions on diverse stakeholder groups.
  • Engage with relevant stakeholders (including people, civil society organisations, regulatory authorities and domain experts) to solicit input and feedback on potential trade-offs between data protection considerations, people’s rights, and other competing values and interests.

 

Control measure: As part of model and system development, there is a documented assessment to balance the trade-off between the level of human work and automation (where the level of human involvement reduces over time as the AI model moves to full automation).

Risk: If the move towards automation, and the trade-off this could have on accuracy, is not fully considered, there is a risk the system will not be ready for full automation and will start to produce inaccurate results. This may breach UK GDPR articles 5(1)(a) to (f).

Ways to meet our expectations:

  • Include a development timeline with set milestones and review dates in the product and technical specification documents.
  • Document the analysis and decisions of trade-offs about human involvement vs automation in a DPIA. This helps to ensure compliance with UK GDPR articles 5(2) and 22.
  • Test each move to further automation for accuracy and ensure this is signed off at a senior level.

Options to consider:

  • Perform contextual assessments and document and justify your assumptions about the relative value of different requirements for specific AI use cases.