The French Data Protection Authority (CNIL) has published final guidelines for developing AI systems with a strong focus on data protection. These guidelines are designed to support AI ecosystem players in complying with personal data protection legislation and offer practical solutions, illustrated with examples, for applying the rules of the GDPR to AI systems.
Essential elements of the guidelines include –
- Advice on determining the legal regime applicable to the processing of personal data during the development phase.
- Assistance in defining the purpose(s) of AI system development, taking into account its specific requirements.
- Identifying whether AI system suppliers should be classified as data controllers, joint controllers, or processors.
- Clarifications to the obligations surrounding data collection, data sources, and data reuse, to ensure that data processing activities have a solid legal foundation.
- Performing impact assessments when creating datasets for AI training, ensuring that potential data protection risks are identified and mitigated.
- Considering data protection principles at the outset of the AI system design phase, embedding privacy into the system architecture.
- Application of data protection principles to the management of training data, ensuring that data is collected, used, and stored in compliance with GDPR.
Click here to read the Guidelines on AI System Development and Data Protection.