As the EU AI Act officially comes into force in August, we are set to see a phased implementation over the next few years. With the clock ticking, DPOs have an important role to play in supporting businesses to urgently assess AI policies and meet complex compliance requirements.
For the DPO, key considerations in response to these incoming changes must be clear at different phases of the law’s enforcement:
Immediate actions for privacy teams
- Assess organisational exposure to high-risk use of AI, as per EU AI Act definition of high-risk systems.
- Consider establishing new, or adjusting existing, privacy risk assessments to include AI-specific considerations. Your DPO can support implementation, including evaluating possible risks.
First six months of enforcement
- AI Governance: Ensure guidelines for responsible AI development and use are clearly defined within your organisation. Your DPO should have a seat at the table and be involved in establishing this new framework, as part of EU AI Act requirements is an attestation as to whether the AI system complies with the GDPR.
- Regulatory Compliance Framework: The DPO can lead internal teams on creation of the required detailed documentation on data management rules and provide oversight over regulatory communication protocols with the National Data Protection Authorities.
- GPAI Regulations and Prohibited AI Review: As the rules for General Purpose AI take effect, it’s critical to be ready for the first review of prohibited AI applications. The EU AI Act introduced detailed rules for General Purpose AI (GPAI) and high-risk systems, including mandatory monitoring and reporting requirements.
Long-term considerations
- Monitoring of high-risk AI systems and maintenance of required regulatory compliance documentation will be the ongoing focus for organisations using AI.
- As an emerging technology, AI use requires upskilling and training of the workforce – the training should educate employees on risks posed by AI and on responsible AI use principles and the need for privacy by design and by default.
- DPOs should be continually involved in monitoring compliance with data protection law and collaborate closely with internal teams to ensure regulatory liaison with regard to AI.
HewardMills can help you navigate the EU AI Act by providing expertise in risk assessment, DPIAs, compliance strategies, and ongoing monitoring to ensure alignment with the Act’s requirements and protection of individuals’ rights.