On January 12, 2020, the Spanish Supervisory Authority (“AEPD”) issued guidance on how to audit personal data processing activities that involve Artificial Intelligence (“AI”) (available here, in Spanish).  The AEPD’s guidance is directed at data controllers and processors, as well as AI developers, data protection officers (“DPO”), and auditors.  The guidance aims to help ensure that products and services which incorporate AI comply with the requirements of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”).


The AEPD’s guidance sets out several non-binding recommendations on how to establish a procedure for auditing AI when it is used for personal data processing, including a proposed methodology and control objectives, as well as suggestions for human oversight and transparency mechanisms.  As such, the guidance does not actually establish specific requirements for auditing AI, but rather, indicates that the ISO/IEC JTC 1/SC42 Committees are working on more specific AI auditing standards that will be published in the future.


According to the guidance, the first step in preparing an AI audit is to decide on the scope.  The audit can cover some or all personal data processing activities involving AI, and/or may cover the entire (or only part of the) development cycle of an AI application.  The AI audit procedure should also set out the methodology, objectives pursued, and mechanisms used to ensure appropriate human oversight and transparency – all in accordance with the accountability principle of Article 5 of the GDPR.

Audit Methodology

The AEPD’s guidance further recommends that an AI auditing methodology should incorporate the following elements:

  • the GDPR’s principles should serve as guiding criteria for the audit;
  • auditors should have appropriate knowledge about the type(s) of AI used in the data processing and data protection law;
  • where necessary, one of the auditors should be a data scientist; and
  • the DPO (to the extent there is one) should collaborate with the auditors to clarify any issues that arise regarding the purpose, nature, scope and context of data processing which may affect or precondition the behavior of the AI component.

Objectives and Controls

The guidance provides the following illustrative list of objectives for AI audits, with each objective accompanied by a set of controls that should be incorporated to achieve the relevant objective:

  • AI component identification and transparency;
  • purpose of the AI component;
  • basic characteristics of the AI component;
  • data management; and
  • verification and validation.

This latest guidance of the AEPD complements previous guidance issued in February 2020 on ensuring the GDPR compliance of AI more generally (available here, in Spanish).  This also follows AI auditing guidance published in July 2020 by the United Kingdom’s Information Commissioner’s Office (see our prior blog post summarizing that guidance here).  Covington will continue monitoring AI developments and their impact on data privacy and cybersecurity, so be on the lookout for our latest blog updates and client alerts in this space.