Abstract
The General Data Protection Regulation (GDPR) is a European Union regulation that will replace the existing Data Protection Directive on 25 May 2018. The most significant change is a huge increase in the maximum fine that can be levied for breaches of the regulation. Yet fewer than half of UK companies are fully aware of GDPR—and a number of those who were preparing for it stopped doing so when the Brexit vote was announced. A last-minute rush to become compliant is therefore expected, and numerous companies are starting to offer advice, checklists and consultancy on how to comply with GDPR. In such an environment, artificial intelligence technologies ought to be able to assist by providing best advice; asking all and only the relevant questions; monitoring activities; and carrying out assessments. The paper considers four areas of GDPR compliance where rule based technologies and/or machine learning techniques may be relevant: Following compliance checklists and codes of conduct; Supporting risk assessments; Complying with the new regulations regarding technologies that perform automatic profiling; Complying with the new regulations concerning recognising and reporting breaches of security. It concludes that AI technology can support each of these four areas. The requirements that GDPR (or organisations that need to comply with GDPR) state for explanation and justification of reasoning imply that rule-based approaches are likely to be more helpful than machine learning approaches. However, there may be good business reasons to take a different approach in some circumstances.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Al-Abdulkarim L, Atkinson K, Bench-Capon T (2016) A methodology for designing systems to reason with legal cases using abstract dialectical frameworks. Artif Intell Law 24(1):1–49
Aletras N, Tsarapatsanis D, Preotiuc-Pietro D, Lampos V (2016) Predicting judicial decisions of the European Court of Human Rights: a natural language processing perspective. Peer J Comput Sci. doi:10.7717/peerj-cs.93
Ashford W (2017) UK firms struggling to manage cyber threats, survey shows, Computer Weekly, 19 Jan 2017. http://www.computerweekly.com/news/450411265/UK-firms-struggling-to-manage-cyber-threats-survey-shows. Accessed 12 July 2017
Burt A (2017) Is there a ‘right to explanation’ for machine learning in the GDPR? IAPP, Jun 1, 2017. https://iapp.org/news/a/is-there-a-right-to-explanation-for-machine-learning-in-the-gdpr/. Accessed 12 July 2017
Dhurandhar A, Ravi R, Graves B, Maniachari G, Ettl M (2015) Robust system for identifying procurement fraud. In Proceedings of the twenty seventh conference on innovative applications in artificial intelligence (IAAI-15), Austin, Texas, Jan 25–29 2015, pp 3896–3903
Evans M (2016) GDPR checklist. Norton Rose Fulbright LLP. http://www.nortonrosefulbright.com/files/gdpr-checklist-139465.pdf. Accessed 12 July 2017
Google Spain SL (2014) Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, C-131/12, ECJ
Gordon TF (2013) Introducing the Carneades web application. In: Proceedings of the fourteenth international conference on artificial intelligence and law. ACM, pp 243–244
Information Commissioner’s Office (2017) Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now. V2.0 20170525. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf. Downloaded 12 July 2017
Juran J (1951) Quality control handbook. McGraw-Hill, New York City
Kingston J (1991) X-MATE: Creating an interpretation model for credit risk assessment. In: Research and development in expert systems VIII: proceedings of 11th annual technical conference of the BCS specialist group. Cambridge University Press, pp 165–174
Kingston J (2016) Artificial intelligence and legal liability. In: Bramer M, Petridis M (eds) Research and development in intelligent systems XXXIII: incorporating applications and innovations in intelligent systems XXIV, pp 269–279
Leyden J (2017) Last year’s ICO fines would be 79 times higher under GDPR. The Register, 28 Apr 2017. https://www.theregister.co.uk/2017/04/28/ico_fines_post_gdpr_analysis/. Accessed 13 July 2017
Maldoff G. (2017), The risk-based approach in the GDPR: interpretation and implications. IAPP https://iapp.org/media/pdf/resource_center/GDPR_Study_Maldoff.pdf. Accessed 12 July 2017
Muthuri R, Boella G, Hulstijn J, Capecchi S, Humphreys L (2017) Compliance patterns: harnessing value modeling and legal interpretation to manage regulatory conversations. In: Proceedings of the 16th international conference on AI and law, London, 12–16 June 2017
Nwana HS, Paton RC, Bench-Capon TJM, Shave MJR (1991) Facilitating the development of knowledge based systems. AI Commun 4(2–3):60–73
Pareto V (1897) Cours d’Économie Politique. F. Rouge, Lausanne
Routen, T (1989) Hierarchically organised formalisations. In: Proceedings of the 2nd international conference on artificial intelligence and law. ACM, pp 242–250
Thompson ED, Frolich E, Bellows JC, Bassford BE, Skiko EJ, Fox MS (2015) Process Diagnosis System (PDS)—A 30 Year History. In: Proceedings of the twenty seventh conference on innovative applications in artificial intelligence (IAAI-15), Austin, Texas, Jan 25–29 2015, pp 3928–3934
van Engers TM (2006) Legal engineering: a structural approach to improving legal quality. In: Macintosh A, Ellis R, Allen T (eds) Applications and innovations in intelligent systems XIII. Springer, Berlin, pp 3–10
Van Kralingen RW, Visser PRS, Bench-Capon TJM, Van Den Herik H (1999) A principled approach to developing legal knowledge systems. Int J Hum Comput Stud 51(6):1127–1154
Vyas N, Farringdon J, Andre D, Stivoric J (2012) Machine learning and sensor fusion for estimating continuous energy expenditure. AI Mag 33(2):55–66
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Kingston, J. Using artificial intelligence to support compliance with the general data protection regulation. Artif Intell Law 25, 429–443 (2017). https://doi.org/10.1007/s10506-017-9206-9
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10506-017-9206-9