General Data Protection Regulation (GDPR), Artificial Intelligence (AI) and UK Organisations: A year of implementation of GDPR

The European General Data Protection Regulation (GDPR) became enforceable in 2018, reinforcing the protection of personal data and creating new obligations for organisations. This coincides with a rapid increase in the use of Artificial Intelligence (AI) technologies and a surge of available data. The implications of the GDPR for organisations using AI are significant, due to newly introduced responsibilities, yet these remain unclear. This paper explores the GDPR’s impact on organisations implementing or already using AI technologies, a year after becoming enforceable, focusing on UK organisations. Awareness, practices and challenges faced by companies implementing the GDPR are explored through the experience of experts working for a variety of UK organisations, in most cases as consultants or legal advisors. Their expertise in Artificial Intelligence, Data Protection and Digital Innovation, and understanding of the many organisations with which they have worked, offer insights into the understanding, perception and implementation of the Regulation. In this paper we first of all provide an overview of the key changes introduced by the GDPR, with a particular focus on those which relate to AI technologies, and explain the data protection challenges arising from the implementation of AI technologies. We then introduce the study and present the results. The discussion explores the themes which emerged from the data. We consider compliance, risk and preventive data protection, and examine some of the specific findings regarding automated and augmented AI and the repurposing of data. Finally, we consider in the conclusions key recommendations for the practice of data protection for organisations utilising AI technologies