The new digital arms race has begun and revolves around artificial intelligence (AI) and machine learning (ML).  Companies are seeking to get an advantage on their competitors by gaining insights or automating outcomes using AI and ML.  The General Data Protection Regulation (GDPR) from the European Union will force companies to re-examine their use of AI and ML when determining outcomes for European citizens and residents.

What does GDPR say about AI and ML?

GDPR does not explicitly reference AI and ML technologies.  Article 22 within GDPR is titled “Automated individual decision-making, including profiling”.  Automated decision-making is what AI and ML are all about.  The legislation states that the “data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”  If a company is using AI and ML, that company should be working with its general counsel to determine if the output of the AI or ML constitutes a legal effect or something as similarly impacting.

How can I leverage AI and ML while still adhering to GDPR?

First and foremost, the easiest way to deal with GDPR is to get the data subject’s explicit consent.  Simple enough, a company just needs to get the data subject to agree to whatever action the AI determines is appropriate.  How many customers will give up that much control to a computer?


A company must be prepared for a data subject to remove their consent.  What does a company do then?  Stop doing business?  Another option is to implement a system that leverages explainable AI.


Explainable AI is AI where a human can easily understand the actions taken.  Explainable AI allows the automation of decision making which then can be leveraged by an individual to agree or disagree with the actions.  Decisions are no longer “based solely on automated processing”, and can still have the efficacy that AI and ML bring.

Is there any good news about dealing with GDPR and AI?

AI and ML are still in their infancy.  Starting with the right data privacy framework, right design principles, right technology, a company can sail confidently into the future.  NetApp provides state-of-the-art capabilities through its unified security features, integrated data protection and comprehensive audit logging to help address GDPR.  All these features can be leveraged in the AI/ML pipeline line.

Juan Mojica

Juan Mojica is a senior product manager in the ONTAP team responsible for security, networking, and the kernel. Juan has spent his career solving customers’ problems by developing enterprise and service provider software working at Cisco, Allscripts, and NetApp. Juan has his BS and MS in computer engineering from Georgia Tech, and has his MBA from Duke’s Fuqua School of Business.

Add comment