Appendix 2: Personal data and GDPR in the context of AI

AI systems frequently rely on large datasets that may contain personal data. Data protection regulations, such as the EU General Data Protection Regulation (GDPR), apply to both the development and use of these systems. Relevant considerations for the auditor are:

  • Purpose limitation: Personal data must only be collected and used for a clear, specific purpose. Any further processing has to be compatible with the original purpose, with some limited exceptions. When an AI is trained on historical data (possibly collected before the project started), further processing of this kind must be covered by the original purpose.
  • Data minimisation: The use of personal data has to be limited to what is necessary to fulfil the purpose it was collected for. This applies to both the final model and any data used during testing or training. Auditors should check which data is used, its role in system performance, and how it is handled throughout development.
  • Proportionality: The amount and type of data used must be proportionate to the purpose and not overly intrusive. For example, using facial recognition to monitor school attendance is likely to be excessive.
  • Transparency: Explainable processes and decisions are a general requirement for public services, especially if personal data is involved. Personal data should be processed transparently.
  • Accountability: The organisation developing and using the AI system is responsible for following data protection rules and complying with GDPR. If the AI system poses a high risk to individuals’ rights, a data protection impact assessment (DPIA) is required. The DPIA should provide evidence that less risky alternatives have been considered. Auditors can usually check compliance by reviewing the documentation.