As the new General Data Protection Regulation (GDPR) goes into effect today, companies are scrambling to either comply or deny service to subscribers in the European Union (EU). There is a lot of ambiguity in the GDPR, and much of it is subject to interpretation, which I'm sure will be a boon for the legal industry.
There are two things you need to be aware of with GDPR:
- Companies violating the regulation are subject to a penalty of up to 20 million euros or 4% of their global revenue (turnover), whichever is higher. (Article 83)
- GDPR is not limited to companies headquartered in the EU; it applies to all companies that hold data from EU citizens. (Article 3)
If you're a U.S. company doing business with folks or companies in the EU, this includes you.
To understand how the GDPR will impact companies using AI applications, a good starting point is Article 22 of the GDPR, "Automated Individual Decision-Making, Including Profiling", which states:
"The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her..."
A quick glance at this Article should raise the 'Uh Oh' flag for the data analyst and legal. Machine learning is all about 'automated processing', which begs the question, "What or which processing leads to 'legal effects'?"
For example, if I used ML to determine whether or not to extend a line of credit to a new customer, does that mean I'm in violation of Article 22 since denial 'may' cause legal harm to that potential customer? If I refuse to give further discounts to a client based on my algorithm's price optimization model, am I in violation?
To further complicate this, Article 9 Paragraph 1 regarding 'Processing Personal Data' states the following:
"Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited."
As a company, if I'm not allowed to use this type of information, it will no doubt hinder the effectiveness of my ML predictive algorithms.
Now, there are some exceptions in the GDPR that mitigate Articles 9 and 22, the biggest one being consent (e.g., the data subject has given explicit consent to the processing of those personal data for one or more specified purposes).
But, if you're a large enterprise, getting consent from each customer might be a bit difficult as you're asking clients to make a binary decision: full consent to use their information or not.
Problem: How can I as a customer give a company consent (think Facebook, LinkedIn, et al) if I don't know what information they've collected on me? There are currently no universal 'data profiling' systems in place that will allow the consumer/customer to go to one location and see what available information a company has on them so that they can make a 'yes or no' decision on consent.
That said, the GDPR does provide a remedy for the collection of data and how the data can be stored: pseudonymization, a form of encryption which changes identifiable data into artificial unique identifiers. Said another way, if you can store someone's data without the data pointing to that specific individual, you can use it.
Another similar approach is 'anonymizing data': removing any identifiable attributes of a person from the data. This, in turn, protects an individual's identity while still storing their data. It's a way of 'decoupling' the personal from personal data/information.
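The difference between the two approaches above, shown as an added example that is not part of the original post. It assumes a keyed hash (HMAC-SHA256) as the pseudonymization method, since the post names none, and the field names, demo key and customer records are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Assumption: in practice this key is stored apart from the dataset (e.g. in a
# secrets manager); whoever holds it can re-link pseudonyms to people.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"
DIRECT_IDENTIFIERS = ("name", "email")  # hypothetical field names

# Constructed sample records (the first and third belong to the same person).
CUSTOMERS = [
    {"name": "Ana Ruiz", "email": "ana@example.com", "age": 34, "spend": 120.0},
    {"name": "Ben Okafor", "email": "ben@example.com", "age": 58, "spend": 75.5},
    {"name": "Ana Ruiz", "email": "ana@example.com", "age": 34, "spend": 40.0},
]


def pseudonym(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed token: same person gives the same token."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict) -> dict:
    """Replace direct identifiers with one artificial identifier."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym(record["email"])
    return out


def anonymize(record: dict) -> dict:
    """Drop direct identifiers and coarsen age into a 10-year band.
    Whether the remaining fields still single someone out depends on the data."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    low = (record["age"] // 10) * 10
    out["age"] = f"{low}-{low + 9}"
    return out


def reidentify(subject_id: str, known_emails: list, key: bytes) -> Optional[str]:
    """Only a holder of the right key can map a pseudonym back to a person."""
    for email in known_emails:
        if hmac.compare_digest(pseudonym(email, key), subject_id):
            return email
    return None


if __name__ == "__main__":
    for rec in CUSTOMERS:
        print(pseudonymize(rec), anonymize(rec))
```

Pseudonymized rows stay linkable per person and can be re-identified by the key holder, which is why the key has to be protected separately; the anonymized rows carry no per-person identifier at all.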
Like any new law taking effect, the unintended consequences have yet to show themselves. How this will all shake out and what adjustments will be made by companies and the GDPR as this rolls out will cause much consternation on all sides.
Implementation began today and already sites are going dark and companies like Facebook and Google are in violation.
In the words of the Spartan King Leonidas in the movie '300', "Unless I miss my guess, we're in for one wild night." Replace 'night' with 'ride' and it captures the disruptive zeitgeist of this new regulation.