On January 12, 2021, the Spanish Supervisory Authority (“AEPD”) issued guidance on how to audit personal data processing activities that involve Artificial Intelligence (“AI”) (available here, in Spanish).  The AEPD’s guidance is directed at data controllers and processors, as well as AI developers, data protection officers (“DPOs”) and auditors.  It aims to help ensure that products and services incorporating AI comply with the European Union’s (“EU”) General Data Protection Regulation (“GDPR”).

Purpose

The AEPD’s guidance sets out several non-binding recommendations on how to establish a procedure for auditing AI that is used to process personal data, including a proposed methodology and control objectives, as well as suggestions for human oversight and transparency mechanisms.  The guidance does not establish specific requirements for auditing AI; instead, it notes that ISO/IEC JTC 1/SC 42 is working on more specific AI auditing standards that will be published in the future.

Scope

According to the guidance, the first step in preparing an AI audit is to decide on its scope.  The audit may cover some or all of the personal data processing activities that involve AI, and may cover all or only part of the development cycle of an AI application.  The audit procedure should also set out the methodology, the objectives pursued, and the mechanisms used to ensure appropriate human oversight and transparency, all in accordance with the accountability principle of Article 5 of the GDPR.

Audit Methodology

The AEPD’s guidance further recommends that an AI auditing methodology should incorporate the following elements:

  • the GDPR’s principles should serve as guiding criteria for the audit;
  • auditors should have appropriate knowledge of both the type(s) of AI used in the data processing and data protection law;
  • where necessary, one of the auditors should be a data scientist; and
  • the DPO (to the extent there is one) should collaborate with the auditors to clarify any issues that arise regarding the purpose, nature, scope and context of data processing which may affect or precondition the behavior of the AI component.

Objectives and Controls

The guidance provides the following illustrative list of objectives for AI audits, with each objective accompanied by a set of controls that should be incorporated to achieve the relevant objective:

  • AI component identification and transparency;
  • purpose of the AI component;
  • basic characteristics of the AI component;
  • data management; and
  • verification and validation.

This latest guidance complements the AEPD’s previous guidance, issued in February 2020, on ensuring the GDPR compliance of AI more generally (available here, in Spanish).  It also follows the AI auditing guidance published in July 2020 by the United Kingdom’s Information Commissioner’s Office (see our prior blog post summarizing that guidance here).  Covington will continue monitoring AI developments and their impact on data privacy and cybersecurity, so be on the lookout for our latest blog updates and client alerts in this space.

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.