Algorithms, AI and the GDPR
Is your company or organisation considering the use of algorithmic systems that involve the processing of personal data? Then you must determine in advance whether you can comply with the General Data Protection Regulation (GDPR). First identify the privacy risks and ensure the right measures are taken to protect the data of your customers, citizens or patients. This also applies if it concerns a pilot, test or trial project.
The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, monitors all types of personal data processing operations. The technical manner in which the processing is carried out is irrelevant in this respect: the GDPR has been drafted in a technology-neutral manner to accommodate technological developments. The Dutch DPA therefore also monitors AI and algorithms that process personal data.
The GDPR contains a number of rules that are particularly important when using AI and algorithms.
Quick answers
Should I ask people for their views if I want to use machine learning?
Yes, usually you need to ask the people involved for their views.
If you use algorithmic systems in a project and process personal data, you must carry out a data protection impact assessment (DPIA). The GDPR states that in a DPIA, 'Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing'.
If you don't ask data subjects (or their representatives) for their views, it is virtually impossible to gain insight into the possible privacy violations for these people. This applies especially to complex or large-scale projects.
Am I obliged to explain my algorithms, even if they are a trade secret?
Under the GDPR, you are obliged to inform data subjects about what you do with their personal data and why. They have a right to information.
Furthermore, the GDPR states that you must provide this information 'in a concise, transparent, intelligible and easily accessible form, using clear and plain language'. Secret (covert) processing is therefore not possible.
Additional rules apply if profiling is involved. This is often the case when using self-learning algorithms.
But that doesn't mean that the explanation to data subjects must also contain trade secrets. The explanation must, however, make clear how you process personal data, even if the processing concerns, for example, fraud prevention.