The GDPR and the AI Act


The GDPR has now been in force for five years and the European Commission wants to improve the regulation in the first half of the year. In concrete terms, binding deadlines for forwarding complaints and a general processing deadline for complete complaint procedures are to be introduced.

The EU will regulate the topic of AI separately in the “AI Act”, whereby GDPR and AI are closely intertwined, as the ban on ChatGPT in Italy shows. Mark Molyneux, EMEA CTO at Cohesity, explains how companies can use the potential of AI for themselves, under controlled legal risk, and formulates four specific recommendations:

Legal, technical and ethical issues

“ChatGPT has made AI freely available to everyone and brought it into everyday life. This January, more than 100 million active users are said to have used the AI - two months after its launch. This makes ChatGPT the fastest growing consumer application in history, according to Reuters. And with every new version, this AI gets bigger and better. And with every new version, it raises more questions - legal, technical and ethical. Because there is a lack of transparency, no one from the outside can look into this black box.

The Italian government has decided to ban ChatGPT. According to the Italian public prosecutor, the AI violates the principles of the GDPR. The European states and their data protection authorities see it as their duty to take AI into account. It fits the picture that the facial recognition company Clearview AI was fined three times in the past year of up to 20 million euros. Privacy advocates in the UK, Italy and Greece felt this company and its AI was violating citizens' rights.

Violations of the GDPR

The overall picture is blurred, but there are clear tendencies that the use of AI with certain data creates legal risks when handling GDPR-relevant data. And the statistics show that the authorities in Europe continue to impose heavy penalties – especially against big data. From May 2022 to May this year, fines totaling €1.1 billion were levied – nine of the top ten fines were imposed on US tech giants.

The EU wants to regulate the legal situation more clearly in the AI Act. The Europe-wide AI law cleared the first hurdle on May 11 and is scheduled to be passed in the plenum in mid-June. It will take until 2024 for the law to actually come into force. And only much later does it become clear in the first cases how it actually works in practice. What is certain is that companies and their employees will face new tasks and obligations from a compliance perspective.

Controlled risk

Nobody in the free economy can afford to wait until then. Companies and private individuals now need clear orientation. Because they want to use the great potential of this technology, the first companies are already doing it. There are four clear recommendations on how companies can approach this without causing legal risks and still not getting in the way of users. And at the same time to be positioned in such a way that the AI Act can be fully implemented without turning IT upside down:

  • Always think about compliance: Whether the use of AI affects compliance simply depends on the application scenario and the data used. Anyone who wants to use AI in compliance with the GDPR should seek the advice of a data protection expert before introducing it.
  • Know the data: Companies and their employees need to know exactly what data they are feeding the AI with and what value this data has for the company. Some AI providers deliberately delegate this decision to the data owner because they know the data best.
  • Understand the content of the data: In order for data owners to make the right decisions, the value and content of the data must be clear. In everyday life, this task is gigantic and most companies have piled up mountains of information that they know nothing about. AI and machine learning can help massively in this area and defuse one of the most complex problems by automatically classifying company data. Predefined filters immediately fish compliance-relevant data such as credit cards or other personal details out of the data pool and mark them. Once let loose on the data, this AI develops a company-related language, a company dialect. And the longer it works and the more company data it examines, the more accurate its results become. The charm of this AI-driven classification is particularly evident when new requirements have to be met. Whatever the AI Act brings, the ML- and AI-driven classification will be able to search for these additional attributes and give the company a piece of future security.
  • Control data flows: Once the data has been ranked and classified with the correct characteristics, rules can be automatically enforced by the underlying data management platform without the data owner having to intervene. This reduces the chances for human error and the risks. For example, a company could enforce that certain data such as intellectual property or financial data may never be passed on to other storage locations or external AI modules. Modern data management platforms control access to this data by automatically encrypting it and requiring users to authorize themselves using access controls and multi-factor authentication.


Conclusion: AI will transform the economy like the Internet did. Companies want their employees to use AI in innovative ways. AI itself has the power to tame AI by being able to examine the data and its content. This opens up many good ways for companies to control the use of AI without having to fear high risks and penalties.”
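The classification and flow-control steps from the last two recommendations, as an added example that is not part of the article or of Cohesity's product: a Luhn-validated card filter and an e-mail filter tag each record, and a transfer rule blocks tagged records from reaching an external AI module. The record contents, tag names and destination names are constructed for this example.

```python
import re

# Constructed sample records (not real data): text an employee might paste into an AI prompt.
SAMPLE_RECORDS = {
    "ticket-1": "Customer asked for a refund to card 4111 1111 1111 1111, contact jane@example.com",
    "ticket-2": "Quarterly roadmap draft: ship connector v2 in Q3",
    "ticket-3": "Invoice number 1234567890123 is still open",   # 13 digits, but fails the Luhn check
}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: the 'predefined filter' that separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Tag a record with the compliance-relevant categories found in it."""
    tags = set()
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            tags.add("payment-card")
    if EMAIL_RE.search(text):
        tags.add("personal-data")
    return tags


# Flow rule (constructed policy): tagged data may stay internal but never reach an external AI module.
BLOCKED_AT = {"external-ai": {"payment-card", "personal-data"}}


def enforce(records: dict, destination: str) -> dict:
    """Return {record_id: 'allowed' | 'blocked'} for a proposed transfer to `destination`."""
    forbidden = BLOCKED_AT.get(destination, set())
    return {rid: ("blocked" if classify(txt) & forbidden else "allowed") for rid, txt in records.items()}


if __name__ == "__main__":
    for rid, verdict in enforce(SAMPLE_RECORDS, "external-ai").items():
        print(rid, verdict, sorted(classify(SAMPLE_RECORDS[rid])))
```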

More at Cohesity.com

About Cohesity

Cohesity greatly simplifies data management. The solution makes it easier to secure, manage and create value from data - across the data center, edge and cloud. We offer a full suite of services consolidated on a multi-cloud data platform: data backup and recovery, disaster recovery, file and object services, development / testing, and data compliance, security and analytics. This reduces the complexity and avoids the fragmentation of the mass data. Cohesity can be provided as a service, as a self-managed solution, and through Cohesity partners.

