How will GDPR affect AI?

The use of Artificial Intelligence (AI) is soaring; not just in the US, but also around the world as more and more industries design uses for Big Data and machine learning. Worldwide spending in AI is pegged to reach $57.6 billion by 2021, with more than half of that coming from discrete and processing manufacturing, healthcare, banking, and retail. Everywhere you look, companies and enterprises are gravitating towards AI by employing Big Data collection and analytics to turn input into quantifiable statements and actionable plans. But the ease of implementation and deployment of AI hit its first roadblock earlier this year with the release of the EU’s GDPR.

What is the GDPR?

Back in April 2016, the EU ratified the General Data Protection Regulation (GDPR) law, which was the first of its kind for a major political body. Its mission is to return the data rights of individuals to them, especially in regards to how that data is used outside the EU. To give companies time to adjust to the new requirements, the GDPR did not come online until May 25, 2018.

The main touch points of GDPR include:

  • IT and Training: All company employees have to receive mandatory training in data protection and individual privacy.
  • Transparency: Policies about how data is protected and how customer data is processed must be accessible to any interested party.
  • Access Control: Enterprises must be able to show they have proper security tools and processes to restrict the view of customers’ private data.
  • Personal Privacy: Every individual customer of at least 16 years of age has the right to dictate what data a company is allowed to collect from him or her, as well as the right to demand deletion of said data after it has been used.

Additionally, the data of any person under the age of 16 is controlled by a parent or legal guardian. In essence, these factors add up to companies minimizing the amount of data they collect and keep. It’s similar to how environmental regulations require companies to leave a smaller ‘footprint’ in the natural world. Not only must companies say in advance what they will be using personal data for, but they also cannot use it for anything else. If the data being collected is then used by AI to make automated decisions about people, the company must be able to explain the decision-making process.

Big Data vs. Data Protection

Big Data is so called because of the massive amount of bits of information it takes in. It’s like the world’s largest locomotive driving around the world nonstop by being fed coal continuously into its engine. The more data that can be consumed, the better AI is. Larger sample sizes give AI the ability to be smarter, to sound more human, to more accurately predict future decisions. The GDPR’s blueprint takes an opposite standpoint. It does not view data as a giant receptacle to be poured into AI’s belly for consumption, but as a precious commodity to be used sparingly and only for the benefit of the customer and the company.

Massive data-collection companies like Google and Facebook have felt the sting since Day One of the GDPR going live. Both companies have been challenged by a non-profit called None of Your Business (NOYB) on how they will alter their data collection methods in regards to the GDPR.

AI cannot adjust to GDPR enforcements on its own. The only way forward that maintains compliance is by human programmers altering the way information is collected and how it is fed into machine learning. The next phase of development in regards to citizens of the EU will have to involve AI systems being built to integrate consent actions into their processes.

Before data even reaches that level, organizations must change their processes to ascertain where and from who data is being collected, and make sure it is in line with GDPR standards. How many customers will refuse to grant consent? No one knows. But organizations must also be prepared to deal with a greater chance of flawed analysis. If only 75% of a company’s customers give consent to have their data used, companies must account for the missing 25% and how their lack of information will make for less perfect analysis going forward.

The new laws should make organizations view their customers more like people and less like statistics. Being a fountain of information for customers and explaining why and how data collection is occurring will be the first big step towards establishing trust. Customers are far more likely to consent to their data being used when they trust the company doing the asking.


Viewed from the AI industry looking outward, the challenges that GDPR brings can be viewed as a hindrance to future advancement and a move that will require changes to every AI design currently engaged with EU customers. However, this temporary roadblock is attempting to regulate something more idealistic and important than the rate at which computers can inhale and organize data. As the world grows more and more data-driven, taking a step back to realize the value of privacy and individual rights is a step in the right direction.