On January 12, 2020, the Spanish Supervisory Authority (“AEPD”) issued guidance on how to audit personal data processing activities that involve Artificial Intelligence (“AI”) (available here, in Spanish).  The AEPD’s guidance is directed at data controllers and processors, as well as AI developers, data protection officers (“DPO”), and auditors.  The guidance aims to help ensure that products and services which incorporate AI comply with the requirements of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”).

Purpose

The AEPD’s guidance sets out several non-binding recommendations on how to establish a procedure for auditing AI when it is used for personal data processing, including a proposed methodology and control objectives, as well as suggestions for human oversight and transparency mechanisms.  As such, the guidance does not actually establish specific requirements for auditing AI, but rather, indicates that the ISO/IEC JTC 1/SC42 Committees are working on more specific AI auditing standards that will be published in the future.

Scope

According to the guidance, the first step in preparing an AI audit is to decide on the scope.  The audit can cover some or all personal data processing activities involving AI, and/or may cover the entire (or only part of the) development cycle of an AI application.  The AI audit procedure should also set out the methodology, objectives pursued, and mechanisms used to ensure appropriate human oversight and transparency – all in accordance with the accountability principle of Article 5 of the GDPR.

Audit Methodology

The AEPD’s guidance further recommends that an AI auditing methodology should incorporate the following elements:

  • the GDPR’s principles should serve as guiding criteria for the audit;
  • auditors should have appropriate knowledge about the type(s) of AI used in the data processing and data protection law;
  • where necessary, one of the auditors should be a data scientist; and
  • the DPO (to the extent there is one) should collaborate with the auditors to clarify any issues that arise regarding the purpose, nature, scope and context of data processing which may affect or precondition the behavior of the AI component.

Objectives and Controls

The guidance provides the following illustrative list of objectives for AI audits, with each objective accompanied by a set of controls that should be incorporated to achieve the relevant objective:

  • AI component identification and transparency;
  • purpose of the AI component;
  • basic characteristics of the AI component;
  • data management; and
  • verification and validation.

This latest guidance of the AEPD complements previous guidance issued in February 2020 on ensuring the GDPR compliance of AI more generally (available here, in Spanish).  This also follows AI auditing guidance published in July 2020 by the United Kingdom’s Information Commissioner’s Office (see our prior blog post summarizing that guidance here).  Covington will continue monitoring AI developments and their impact on data privacy and cybersecurity, so be on the lookout for our latest blog updates and client alerts in this space.

Kristof Van Quathem


Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and has developed particular experience in the life sciences and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and on their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Oberschelp de Meneses


Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer and is a native speaker of both Portuguese and German.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate as a “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional/Europe (CIPP/E) with the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and closely tracks developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU data privacy, cybersecurity and consumer law issues in various EU and rest-of-world jurisdictions.

Rosa Oyarzabal


Rosa Oyarzabal Arigita is an associate in the Life Sciences team. She assists clients across a range of regulatory, legal and procedural matters in the pharmaceutical and food sectors, and her practice focuses on EU and Spanish regulatory advice.

Rosa has acquired significant experience in the pharmaceutical advertising space, both at EU level and in Member States such as Spain and Belgium. She is also familiar with the EU food and advertising rules, and regularly advises clients in the plant-based sector on these topics. As part of her practice, Rosa also assists clients with the implementation of the Nagoya Protocol and the access and benefit-sharing rules of a number of jurisdictions.

Rosa has assisted in multiple cases before the European Court of Justice, including as part of pro bono efforts. For example, Rosa pleaded before the Court of Justice in case C-356/21, concerning the right of LGBTQIA+ self-employed persons not to be discriminated against when contracting with another party and during the performance of their activities.