GDPR preparation for AI innovators.

A practitioner's checklist to prepare for receiving effective legal advice when building data-driven products in the EU.

Navigating GDPR compliance can be daunting, especially for product managers and business owners developing AI products in regulated industries. Based on our years of experience working with innovators (from start-ups to multinational corporations), we at THETA understand the complexities involved.

This list is designed to help you prepare effectively for legal consultations, ensuring efficient use of time and resources. The idea is that this article makes you aware of many of the key themes you will be discussing with your lawyer, so as you think about them, take a moment to write them down. You may not have the answers to all the questions in here; that is completely fine, because you can then use the meeting with your lawyers to get clarity.

To make it easier for you, we created a template for a briefing document that you can download for free here. Of course, you should avoid overloading your counsel with too much information: aim to strike a balance between being comprehensive and concise, and focus above all on providing a clear, unambiguous overview that can serve as guidance throughout your consultations. You don't need to throw everything at your lawyer right away, but it's great if you have most of the key information available in case they ask deeper questions.

Please note that this list is not a substitute for legal advice, but a tool to maximise the value of your consultations.

1—Summarise your AI product

It is important for lawyers to understand the broader context of what you are doing. It helps them understand the implications for data use, and may alert you to other legal issues. If you already have a formal description of your intended use, provide that; otherwise, use these questions to help you create a comprehensive description.

Questions:

  • What is the intended use of your AI product?
  • Who are the intended users?
  • What is the intended usage environment?
  • What is the AI product not intended for?

2—Understand your data

Clearly outline what kind of data you have and how you intend to collect it. In particular, it is important to understand why certain data is needed and its sensitivity.

Operational data inputs:

  • What data inputs does your AI product need to make a prediction? List all data types in detail and preferably provide an example. If applicable, tag any personally identifiable information and any sensitive data, and distinguish between human-reported and automatically generated data (e.g. from sensors).
  • What data is nice to have, but not essential?

Ground truth data:

Ground truth data is essential for training your AI models to ensure accurate predictions.

Questions:

  • What data do you need to train your algorithm? (be very specific, provide examples, and again highlight any data that is either sensitive or might make it possible to identify the person to whom a data set belongs)
  • Are you reusing existing data or collecting new data prospectively?
  • Do you intend to reuse data originally collected for other purposes? (Consider whether it is suitable for your new use case; for example, data collected for billing purposes is often not useful for training models that should predict a diagnosis.)

General questions:

  • Is the data you collect limited to what is necessary for your purposes?
  • Can any data be eliminated or replaced with less sensitive information?
  • Do you have a clear legal basis for processing each type of data?
  • Can you provide documentation or evidence to support the chosen legal basis?
  • How much data (of how many individuals) do you realistically think you will be processing in the near and longer term future?
  • In what countries do you plan to be active for the time being? How about the future? (Hint: if possible, reduce complexity by not operating in too many jurisdictions at once, since each comes with quite different compliance requirements.)

3—Informed consent and transparency

Consent must be explicit, informed (understandable and complete) and documented.

Questions:

  • How do you plan to obtain consent to use data in AI training?
  • How will you inform individuals about data use?
  • What do you do to make your communications clear, concise and accessible?

4—Data security and privacy measures

It's important to ensure robust data protection.

Questions:

  • What technical and organisational measures are already in place to protect data?
  • Are there regular security audits and updates?
  • Do you have a plan for detecting, reporting and responding to data breaches?
  • What are your data retention and deletion policies?

5—Data subject rights

Outline your approach to data subject rights.

Questions:

  • How do you, or how will you, handle requests for access, rectification and erasure of data?
  • How will you ensure that individuals can easily exercise their data rights through your systems?

6—Cloud integration and third party compliance

Ensuring third-party compliance is critical.

Questions:

  • How do you ensure your cloud providers are GDPR compliant?
  • Do you have data processing agreements in place with these providers?
  • What mechanisms do you use for international data transfers, if necessary?
  • Are you aware of data storage locations and their GDPR compliance?

7—Accountability and governance

Establish a strong governance framework to ensure ongoing compliance.

Questions:

  • Is a Data Protection Officer (DPO) required for your organisation? (If you don't know, ask your lawyer for guidance; if you have prepared the previous questions well enough, they should be able to give you an answer quickly.)
  • If you haven't already, can you appoint a DPO within your organisation or do you need an outsourced service to meet all the requirements?
  • How do you keep records of all data processing activities? Do you have templates and standardised processes in place?
  • Have you conducted Data Protection Impact Assessments (DPIAs) for high risk processing activities?
  • How often do you review and audit your privacy practices, or intend to do so?

8—Supplier and employee management

Ensure GDPR compliance throughout your supply chain and within your organisation.

Questions:

  • What third party vendors do you work with or intend to work with?
  • How do you verify that third-party vendors are GDPR compliant? (If you already have information on that, either in the form of webpage links or documents you received from the vendor, you can attach them to your briefing.)
  • Do you have contracts that specify GDPR compliance requirements?
  • What training programmes do you have in place for GDPR compliance?
  • How do you ensure ongoing awareness of and compliance with data protection practices? (For example, if you already have a quality management system, you can explain how these practices are reflected in it.)
  • How do you keep policies up to date with regulatory changes and technological advances? (Some specialised GDPR consultancies and software providers offer you update services that you could consider)

9—Before the legal meeting

Ensure a productive legal meeting by preparing thoroughly:

Tasks:

  • Document current practices: Create a detailed report of your data handling practices, policies and procedures.
  • List specific questions: Prepare specific questions on areas where you need legal clarification.
  • Gather relevant documentation: Bring any necessary documentation, such as data processing agreements and DPIA reports.
  • Define objectives: Clearly state your objectives for the meeting.

By following this checklist, you can approach your meetings for GDPR compliance with confidence, make the most of your legal consultations, and effectively move your data-driven initiatives forward. If you have questions, please reach out to me and check out our AI development tools for regulated use cases on www.thetadx.ai

Jeroen Erné

Teaching AI @ CompleteAiTraining.com | Building AI Solutions @ Nexibeo.com

4 months

Great checklist! It really breaks down the complexities of GDPR compliance. I’m curious, how do you handle the dynamic nature of data privacy laws across various EU states? Have you noticed significant differences in compliance requirements? AI tools can definitely streamline data management and help ensure continuous compliance. #GDPR #DataPrivacy #AI

Susanne Brech

Doctor | Medicine | Science | Innovation Supporting projects worldwide | Global Health Ambassador of the German Society for Anesthesiology and Intensive Care Medicine Advisory Board Loudrare for Rare Diseases

4 months

Great

VIVEK NARAYAN SHARMA

Advocate-on-Record @Supreme Court of India | Helping Business Leaders Resolve Legal Disputes Quickly | Accredited Mediator | Expert in Litigation & Arbitration | Published Author & TOI Columnist

4 months

GDPR readiness simplified for seamless AI rollout. Dr. Sven Jungmann

Kordel France

Artificial Intelligence Architect | Engineer & Researcher building the sense of smell for robotics

4 months

Love this! Well written.

Thank you for sharing your knowledge and experience like this.