GDPR and AI: Moving RIM into the Future

Published On August 07, 2018

2018 has been a monumental year for information governance (IG). Two things in particular — GDPR and AI — will greatly affect records and information management and organizations’ handling of personal information. The General Data Protection Regulation (GDPR) requires any organization that services Europe to protect the personally identifiable information of its citizens. Organizations that fail to comply can pay penalties of up to 20 million euros or 4% of global annual turnover, whichever is higher.

These penalties underscore the importance of a comprehensive IG program within every organization that does business in Europe. And the combination of GDPR and AI heightens the importance. Crucially, GDPR requires any organization using artificial intelligence in a decision-making process to be able to provide documentation of that process. AI systems must be closely monitored to ensure they are producing accurate results. True, original design documentation of the AI process or system exists, but the GDPR requires ongoing documentation of the process or system in the case of an audit.

Such documentation can encourage collaboration and communication between IG and information technology departments, serving a dual purpose of compliance and continual quality control. This type of holistic IG program fosters a more productive organization.

Here are two real-world examples evincing the need for this documentation:

• The insurance industry uses AI systems to identify images to determine whether a car should be considered a total loss in an accident claim. However, these same systems can be tricked into authorizing a claim by displays of false images with the same pixel patterns. Unlike humans, the machines analyze pixel patterns rather than the whole photo and context.
• Chatbots frequently handle customer service interactions. Unfortunately, they can develop biases or other bad behaviors in a relatively short period of time. In 2016, Microsoft disabled a customer service chatbot because it had learned inappropriate responses to customers. In 2017, Facebook disabled two chatbots after they began conversing in their own made-up language.

These are just two examples illustrating the need for an IG plan to monitor AI systems. The data from these systems must be reviewed, tested, and corrected to prevent the development of bad behaviors. Remember the old technology axiom: “garbage in, garbage out.” Actively creating and maintaining this type of documentation helps an organization understand the data and assess the system’s business rules or patterns before they are approved and enforced across the organization.

Documentation also demonstrates the organization’s active governance of these systems, which matters for GDPR. And GDPR is only the beginning; many nations are implementing their own regulations regarding privacy and security. Regulations will always be with us, and it will take a coordinated effort across an enterprise, led by IG professionals, to meet the challenge.