Module II·Article III·~1 min read
Personal Data and AI Ethics: GDPR and Responsible AI
Data and Analytics for Business
GDPR: What Business Needs to Know
The General Data Protection Regulation (EU, 2018) is the most influential personal data law. It applies to any company processing data of EU residents, regardless of the company’s jurisdiction.
Key GDPR Principles:
- Lawfulness, fairness, transparency
- Purpose limitation (data only for declared purposes)
- Data minimization (collect only what is necessary)
- Accuracy
- Storage limitation (do not store indefinitely)
- Integrity and confidentiality
- Accountability
Data Subject Rights: right of access; right of rectification; right of erasure (“right to be forgotten”); right to data portability; right not to be subject to automated decisions.
Fines: up to €20 million or 4% of global turnover (whichever is greater). Meta received a €1.2 billion fine (2023) for illegal data transfer to the US.
AI Ethics: From Principles to Practice
Five principles of ethical AI (OECD): human values and rights; transparency and explainability; reliability; accountability; inclusiveness.
Bias in AI: Amazon's hiring algorithm (2018) discriminated against women — trained on historical data where most hires were men. Amazon abandoned the system.
Explainable AI (XAI): methods for explaining “black box” decisions. SHAP — shows which features affected the prediction. LIME — local linear explanations.
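The idea behind SHAP, shown as an added example that is not part of the original article: exact Shapley values (the quantity SHAP estimates) for one refused applicant of a small logistic credit-scoring model. The model weights, feature names, baseline applicant and refused applicant are all constructed assumptions, and features absent from a coalition are replaced with the baseline's values.

```python
from itertools import combinations
from math import exp, factorial

# Constructed toy scoring model (assumption, not a real bank's model).
FEATURES = ["income_k", "debt_ratio", "late_payments"]
WEIGHTS = {"income_k": 0.04, "debt_ratio": -3.0, "late_payments": -0.8}
BIAS = -0.5

# Constructed reference applicant and refused applicant.
BASELINE = {"income_k": 50, "debt_ratio": 0.3, "late_payments": 0}
APPLICANT = {"income_k": 35, "debt_ratio": 0.6, "late_payments": 3}


def score(x):
    """Approval probability from the logistic model."""
    z = BIAS + sum(WEIGHTS[f] * x[f] for f in FEATURES)
    return 1.0 / (1.0 + exp(-z))


def shapley(model, x, baseline):
    """Exact Shapley value per feature, enumerating every coalition."""
    n = len(FEATURES)

    def value(coalition):
        # Features in the coalition take the applicant's value, the rest the baseline's.
        mixed = {f: (x[f] if f in coalition else baseline[f]) for f in FEATURES}
        return model(mixed)

    phi = {}
    for f in FEATURES:
        others = [g for g in FEATURES if g != f]
        total = 0.0
        for k in range(n):
            weight = factorial(k) * factorial(n - k - 1) / factorial(n)
            for subset in combinations(others, k):
                s = set(subset)
                total += weight * (value(s | {f}) - value(s))
        phi[f] = total
    return phi


def explain_refusal(x=APPLICANT, baseline=BASELINE):
    """Features ordered from the one that lowered the score most."""
    return sorted(shapley(score, x, baseline).items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for name, contribution in explain_refusal():
        print(f"{name:15s} {contribution:+.4f}")
```

The contributions sum to the gap between the applicant's score and the baseline's score, which is what lets each one be reported as a share of the refusal.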
AI Act (EU, 2024): the world’s first AI law. Four risk levels: unacceptable (ban on social scoring, mass surveillance), high (medicine, credit, hiring — strict requirements), limited, minimal.
Practical Assignment
A bank implements an AI scoring system for credit decisions. (1) What data may be used in accordance with GDPR? (2) How to ensure explainability — the client has the right to receive an explanation for refusal. (3) What biases might exist in the model? (4) How to conduct a discrimination audit?