You may already be familiar with the concepts of data protection and data privacy. Data protection and privacy are widely regulated in the EU through the General Data Protection Regulation (GDPR) that has become the golden standard for data protection, influencing regulation outside the EU.
Similarly, as in the case of other requirements for trustworthy AI, also privacy and protection of data must be guaranteed throughout the whole lifecycle of the AI system.
Data protection and privacy are often mentioned in the same sentence, however, there is an important distinction between the two concepts: data protection refers to tools and policies restricting access to personal data – data protection protects against unauthorized access, whereas privacy defines who in the organizations or entities has authorized access to the personal data.
Data that must be safeguarded for data protection and privacy purposes includes information that is provided by the user of the system as well as information concerning the user of the system that is generated when the user interacts with the system.
Data privacy and protection is an integral requirement of trustworthy AI is because it ensures that information collected from individuals by the system is not used unlawfully nor will it be used to discriminate against them. The latter is of particular importance as collecting information about individuals, either as provided by the users of the systems directly or that is collected as a consequence of individuals using the system, may allow the system to deduce not only the individuals’ preferences but also more sensitive information such as gender, age, religious or political views and even sexual orientation.
The key to ensuring that your system is private and protects data is achieved by taking privacy and data protection in to account even before the system is developed. How exactly do you do this? By implementing data protection and privacy by design, meaning that the system is developed data protection and privacy in mind that together with other safeguards ensures holistic approach to privacy and data protection.
Additionally, organizations should ensure that dataprotocols that govern the access to personal data are put in place where the organization handles individual’s data. These data protocols should determine who has access to the data under which circumstances. The purpose of such protocols is to ensure that only qualified personnel that need the access to the data and have the required competencies to access it, are granted the access.
Therefore, to ensure privacy and protection of the data, entities should take the following actions:
To summarize, protection of data and privacy is an important concept to create a trustworthy AI. As data treated more and more as a currency, ensuring its protection is of growing importance to regulators around the world. Therefore, entities must have in place effective processes, measures and tools to ensure the rights and freedoms of individuals related to privacy and protection of personal data. Furthermore, for the purposes of good governance, the measures, processes and tools in place to protect the data and privacy of individuals should be documented. Documentation ensures holistic governance and promotes transparency, ensuring the trustworthiness of your AI.
 High-Level Expert Group on AI by European Commission: Ethics Guidelines for Trustworthy AI. See also IEEE: Ethically Aligned Design, first edition.
 High-Level Expert Group on AI by European Commission: Assessment List for Trustworthy Artificial Intelligence (ALTAI).