Skip to main content
AI Ethics and the European AI Act

Navigating the EU’s proposed Artificial Intelligence Act: What Organisations Need to Know

Written by Cynthia Hoza on . Posted in Cloud, Data Governance, Data Insights, Data Privacy, Data Protection, Glossary, Machine Learning.

The EU AI Act (the “AI Act”) is the world’s first comprehensive AI law. The Act lays down a harmonised legal framework for the development, supply, and use of AI products and services in the EU.  

To whom does the AI Act apply? 

The legal framework will apply to all AI systems impacting people in the EU, regardless of where systems are developed or deployed. 

When will the AI Act take effect? 

The AI Act is currently expected to enter into force in Q2-Q3 2024, with different obligations then taking effect in stages. 

Understanding the  AI Act’s Objectives 

The draft AI Act seeks to achieve a set of specific objectives:  

  • Ensuring that AI systems placed on the EU market are safe and respect existing EU law; 
  • Ensuring legal certainty to facilitate investment and innovation in AI; 
  • Enhancing governance and effective enforcement of EU law on fundamental rights and safety requirements applicable to AI systems; and  
  • Facilitating the development of a single market for lawful, safe, and trustworthy AI applications and preventing market fragmentation.  

AI Act: different rules for different risk levels 

The new rules establish obligations for providers and users depending on the level of risk from artificial intelligence. While many AI systems pose minimal risk, they need to be assessed. 

 
1. Unacceptable risk 

Unacceptable risk AI systems are systems considered a threat to people and will be banned.  

They include: 

  • Cognitive behavioural manipulation of people or specific vulnerable groups: for example, voice-activated toys that encourage dangerous behaviour in children. 
  • Social scoring: classifying people based on behaviour, socio-economic status, or personal characteristics. 
  • Biometric identification and categorisation of people. 
  • Real-time and remote biometric identification systems, such as facial recognition. 

Some exceptions may be allowed for law enforcement purposes. “Real-time” remote biometric identification systems will be allowed in a limited number of serious cases, while “post” remote biometric identification systems, where identification occurs after a significant delay, will be allowed to prosecute serious crimes and only after court approval. 

2. High risk 

AI systems that negatively affect safety or fundamental rights will be considered high risk and will be divided into two categories: 

1) AI systems that are used in products falling under the EU’s product safety legislation. This includes toys, aviation, cars, medical devices and lifts. 

2) AI systems falling into specific areas that will have to be registered in an EU database: 

  • Management and operation of critical infrastructure 
  • Education and vocational training 
  • Employment, worker management and access to self-employment 
  • Access to and enjoyment of essential private services and public services and benefits 
  • Law enforcement 
  • Migration, asylum and border control management 
  • Assistance in legal interpretation and application of the law. 

 
All high-risk AI systems will be assessed before being put on the market and also throughout their lifecycle. 

3. General purpose and generative AI 
Generative AI, like ChatGPT, would have to comply with transparency requirements: 

  • Disclosing that the content was generated by AI. 
  • Designing the model to prevent it from generating illegal content. 
  • Publishing summaries of copyrighted data used for training. 

High-impact general-purpose AI models that might pose systemic risk, such as the more advanced AI model GPT-4, would have to undergo thorough evaluations and any serious incidents would have to be reported to the European Commission. 

4. Limited risk 

Limited risk AI systems should comply with minimal transparency requirements that would allow users to make informed decisions. After interacting with the applications, the user can then decide whether they want to continue using it. Users should be made aware when they are interacting with AI. This includes AI systems that generate or manipulate image, audio or video content, for example deepfakes. 

Opportunities 

Ethical Leadership: Organisations that prioritise ethical AI practices and demonstrate a commitment to responsible innovation can enhance their reputation and build trust with consumers, employees, and regulators. By aligning with the principles of the AI Act, organisations can position themselves as leaders in ethical AI deployment. 

Innovation and Differentiation: The AI Act promotes regulatory sandboxes and real-world testing, providing opportunities for Organisations to innovate and develop AI solutions in a controlled environment. Companies that invest in compliance and develop AI systems that meet the  AI Act’s standards can differentiate themselves in the market and gain a competitive edge. 

Market Expansion: Compliance with the AI Act allows Organisations to access the European market with confidence, as they demonstrate adherence to regulatory requirements and respect for fundamental human rights. This opens opportunities for expansion and growth in a region that values ethical AI practices. 

Talent Acquisition: Companies that invest in talent acquisition and training to support AIA compliance with the AI Act can attract top-tier professionals with expertise in AI governance, ethics, and regulatory compliance. Building a skilled workforce capable of navigating the complexities of AI regulation is essential for long-term success. 

The AI Act represents a real opportunity for Organisations that are looking to leverage the power of AI. However, there are some threats that business leaders also need to consider. 

Threats: 

Compliance Costs: The AI Act imposes significant compliance costs on Organisations, including overhead expenses related to risk assessments, governance frameworks, and regulatory reporting. Companies that fail to allocate sufficient resources to the Act’s compliance may face financial strain and operational challenges. 

Fines and Penalties: Non-compliance with the AI Act can result in substantial fines ranging from €7.5 million to €35 million, or a percentage of global turnover. Organisations that neglect the AI Act’s requirements or underestimate the severity of regulatory violations risk facing severe financial penalties that could impact their bottom line and reputation. 

Operational Disruption: Implementing robust governance and oversight measures to ensure  compliance with the AI Act may require operational adjustments and process changes. Organisations that fail to adapt their operations to meet the AI Act’s standards may experience disruption and inefficiencies that hinder productivity and competitiveness. 

Reputational Damage: Violations of the AI Act’s ethical standards or failures to comply with regulatory requirements can lead to reputational damage and loss of consumer trust. Organisations that are perceived as prioritising profit over ethics or disregarding fundamental human rights may face backlash from stakeholders and damage to their brand reputation. 

Conclusion  

In conclusion, while the AI Act presents opportunities for Organisations to demonstrate ethical leadership, drive innovation, and access new markets, it also poses significant threats in terms of compliance costs, fines, operational disruption, and reputational damage. By proactively addressing these challenges and investing in compliance with the AI Act, Organisations can navigate the regulatory landscape successfully and leverage AI technologies responsibly for long-term growth and sustainability. 

For more comprehensive information on Calligo’s Data Ethics and Governance solutions, visit https://cal.essence-design.co.uk

For more information on Calligo’s AI solutions, visit https://www.calligo.io

Year in Review Video Title Slide Linkedin - 2MB Resize 02

Data Transformation Predictions for 2024 – Calligo Data Leaders Roundtable

Written by Cynthia Hoza on . Posted in Beyond Data Podcast, Cloud Migration, Cloud Services Insights, Cloud Strategy, Cyber Security, Data Analytics, Data Engineering, Data Governance, Data Insights, Data Privacy, Data Protection, Data Strategy, Data Visualization, Data Warehousing, Glossary, Machine Learning, Managed Cloud, Resource Library. No Comments on Data Transformation Predictions for 2024 – Calligo Data Leaders Roundtable

 

In this lively debate you will hear from Calligo’s Practice Leads as they discuss their key takeaways from 2023 and their data predictions for 2024 and beyond.

Topics discussed include:

Regulation of AI including the EU AI act

AI hallucinations & AI bias

Data governance and data fines

Dashboard fatigue

Data ROI

<< PREVIOUS EPISODE
NEXT EPISODE >>

lie machines

Lie Machines – The global fight against misinformation

Written by Cynthia Hoza on . Posted in Beyond Data Podcast, Data Ethics, Data Governance, Data Insights, Glossary, Machine Learning, Machine Learning. No Comments on Lie Machines – The global fight against misinformation

Listen on Spotify

Exorcizing the ghost in the machine

In this latest podcast in our ‘Beyond Data’ series, Tessa Jones (Calligo’s Chief Data Scientist) and Peter Matson (Data Science Practice Lead) talk with Oxford University’s Professor Philip Howard about the threats posed to democracy by technology, specifically in the shape of Lie Machines.

Fact or fiction? Microtargeting with lie machines

In this age of social media, chatbots and AI it’s never been easier for individuals to share their opinions.  Instant communication to, and engagement with, a global audience is now commonplace, and it seems there’s no need to let facts get in the way of a good angle. As Mark Twain, or maybe Winston Churchill, or most probably Jonathan Swift famously said, “a lie can travel halfway around the world whilst the truth is still putting on its shoes.” A great example in itself of the ease in which misunderstandings and misappropriations can become canon.

In this vein, Professor Howard has spent years studying the mechanisms in which opinion, behavior and values can be manipulated and misdirected by lie machines:

“Lie machines are large, complex mechanisms made up of people, organizations, and social media algorithms that generate theories to fit a few facts, while leaving you with a crazy

conclusion easily undermined by accurate information. By manipulating data and algorithms in the service of a political agenda, the best lie machines generate false explanations that

seem to fit the facts.”

Lie Machines: How to Save Democracy from Troll Armies, Deceitful Robots, Junk News Operations, and Political Operatives

We find lie machines in all types of countries and governing structures. They share common elements – political actors produce the lies, social media firms distribute them, and paid consultants market them. High profile examples of the effectiveness of the lie machine include the UK’s Brexit campaign, and Trump’s electioneering – in both cases patently untrue ‘facts’ and arguments were targeted at key voters by disinformation networks, troll farms and lie machines. Algorithms direct individuals towards ever-more insular sources and extreme content:

 “A healthy, public-facing algorithm might occasionally introduce another credible source…  we know the platforms play around with this stuff, especially during elections in the US”

Controlled by bad actors and forming a global ecosystem of lie development and propagation, these lie machines spread their tendrils across every social media platform, moving out from Facebook as new outlets develop.

Computational propaganda

Lie machines have evolved and finessed themselves as technology advances. Instead of stealing the photos, social media handles and biographies of real people, AI now generates new pictures and personas and thus evades technology platforms’ troll-spotting software.

Spreading propaganda far and wide, with a convincing voice, the lie machine

  • Has a profound effect on society, with a scale that is difficult to quantify
  • Is perfectly engineered to target human vulnerabilities, reducing critical thinking
  • Deliberately misrepresents and appeals to emotions and prejudices, using our cognitive biases to bypass rational thought and create echo chambers
  • Is vague and unknowable – what training data was used for large language models? (Professor Howard postulates that every Gmail sent over the last 25 years may have been scraped, along with content from junk news sites)

Doing better – where does the onus sit? User or developer?

When it comes to developing processes to combat the lie machine, there’s no one legislation or guiding principle that works. We must always consider the regional and cultural context of both data and users. Research can’t necessarily be amalgamated or directly compared from different regions and countries – for example, we know that the placebo effect is always greater in US medical studies. To date, technology has not always built in cultural nuances in how people use words, with intent and meaning lost in translation – the majority of network takedown orders are for sites that are not in English.

Wherever there is human input, there are behavioral differences that make it much more difficult to apply common rules:

“People who manage cookies are above average in terms of their knowledge of technology, so these people are generally more purposeful in terms of how they set up their news feeds and where they go for information”

The huge amount of disinformation spread around Covid and the resulting vaccination campaign demonstrates how potent the lie machine is. It doesn’t need to convince people its argument is right, all that is required is to introduce enough doubt, to highlight there is a chance of harm. After all:

“If everybody really understood probability, nobody would ever buy a lottery ticket”

Balance the field – breaking the lie machines

Professor Howard believes that whilst we are justified in our concern about the threats to democracy, the principles behind the lie machine can be harnessed for good – promoting topics that are in the public interest and generating democratic discourse:

“I am cynical, but not fatalistic”

He describes the steps we can take to break the lie machines:

  • Public policy oversight, founded in ongoing public data capture and analysis
  • Designing social media to highlight emerging consensus, rather than heated conflict – machine learning can amplify common ground
  • Setting election guidelines to create more opportunities for civic expression
  • Giving journalists, civic groups and researchers access to all the public opinion data that is currently in the hands of the technology firms
  • Ensuring that the big data collected by technology platforms is added to public archives

The answer is more social media, not less. But it needs to serve society much better.

IPIE – bringing down the lie machine

Professor Howard has recently launched a new program, creating an independent scientific body to foster global cooperation in safeguarding the online information environment. The International Panel for the Information Environment (IPIE) will assess the scope of the misinformation crisis, analyze its effects on our societies and the planet itself, and propose solutions. Featuring data scientists and engineers alongside neuroscientists and sociologists, IPIE hopes to be the beginning of a global effort to save our common information environment.

Watch the podcast for yourself below to hear more from Professor Philip Howard about the power of the lie machine, and crucially, to learn how we can use it for the collective good.

Professor Philip Howard is a social scientist with expertise in technology, public policy and international affairs. He is Director of Oxford University’s Programme on Democracy and Technology, a Statutory Professor at Balliol College, and he is affiliated with the Departments of Politics and Sociology. Currently, he is also a Visiting Fellow at the Carr Center for Human Rights at Harvard University’s Kennedy School.

<< PREVIOUS EPISODE
NEXT EPISODE >>

complex data

Making complex data available for the benefit of society

Written by Cynthia Hoza on . Posted in Beyond Data Podcast, Data Governance, Data Insights, Data Privacy, Data Privacy, Data Strategy, Data Visualization, Glossary, Machine Learning. No Comments on Making complex data available for the benefit of society

Listen on Spotify

In Calligo’s latest Beyond Data podcast, Tessa Jones (Chief Data Scientist) is joined by Dr Ellie Graeden, Research Professor (Center for Global Health Science and Security) at Georgetown University. Here we explore some of the episode’s highlights:

  • The inherent conflict of private data and the public good
  • Protecting individual rights within federated learning
  • The importance of effective communication and a common language
  • Designing systems and policies that work together
  • Focusing regulation on outcomes, not creating data siloes

At societal level, poor communication costs lives

Transitioning data across and between departments and data systems has historically been fraught with problems – who owns it? Who pays for it? Is it understandable and translatable into meaningful and actionable insights for the end user? 

Having worked extensively in disaster response, Dr Graeden has seen first-hand the potentially life-threatening issues that can arise when government departments’ data platforms produce incompatible outputs:

  • If 20,000 people need water, how many pallets need to be shipped?
  • If 10,000 electricity meters have been knocked out by a hurricane, how many people need feeding?

In such scenarios, identifying individuals amongst population-level data is crucial if the help provided is to be sufficient.

“We have to be able to really effectively move and communicate and share data that are relevant, in ways that they can get used by people all across the system”

Of course, any data system design should ensure privacy and protection for personal data. ‘Big data’ is still relatively new, and as such more powerful and widespread regulatory controls are now being introduced, although the US still does not have consistent requirements for how data should be handled. Fundamentally, meeting a population’s needs today, and planning for them tomorrow, requires the data of individual people to be analysed. Personal data must be shared quickly, effectively and all the while protecting individual rights. Data system design must therefore:

  • Include all players
  • Consider cultural constraints
  • Keep out bias
  • Ensure the right words and phrases are used
  • Focus on the ‘so what’, why does it matter?

“Every single thing we experience can be captured as data”

Even the most mundane moments in our daily lives leave a digital footprint, we shed data everywhere. But when does ‘my’ data become public, or the property of the software developer or the service provider? VR headsets collect ephemeral data that is analysed and applied for that one end user, but if that data is assumed to fall under GDPR the potential to use it for positive outcomes is severely limited. For example, should authorities be notified if content viewed and generated is illegal or harmful? And what if that chip can detect if the user is having a stroke, is that data classified as ‘health’ data? Can it be used to alert the individual to their medical emergency without contravening legislation? What if your mouse clicks can detect the early stages of Parkinson’s? Should you, could you, be told?

“If you’re treating this data as health data, then they have a very different set of regulatory constraints. HIPAA isn’t going to regulate those because it’s not a health care provider or a health insurer”

Piercing the veil

The conflict between personal protection and public good is everywhere, and Dr Graeden believes that some new data laws will create problems for federated learning. Legislation has clear boundaries (speed limits, blood alcohol levels) whereas science deals in spectrums, probabilities and unknowns.

Deleting an individual’s personal data from the model breaks the system, contradicting what regulators are trying to achieve. The solution is to prioritize outcomes, not processes – it doesn’t matter whether you write the rules with a pen and paper, or with AI, as long as you write the rules. Expanding the framework by setting gradients of data availability affords protection for individuals, whilst making data available that informs better decision making for public bodies.

“Data is nothing more, nothing less, than an abstract description of our world. A useful and powerful language that can tell us things that other languages don’t”

Data can no longer exist in siloes if it’s to be useful to society

There is now a healthy global appetite for the discussion around data, thanks in the main to two recent developments:

  • Covid gave us huge amounts of data about mortality levels, vaccination rates, hospitalisation trends – all of which were in the public consciousness every day
  • AI and ChatGPT – articles and debates about the pros and cons are everywhere, discussion is not just in the scientific community

The key challenges now for data scientists are expectation management and communication – we need to be clear about aims and specific about context, as well as knowing what to leave out to avoid overwhelm and misunderstanding. Unfortunately, scientists are not always great communicators (using complex terminology and detail, rather than common parlance and generalization) as Covid demonstrated:

  • Did having a vaccine mean you wouldn’t get sick? Or just less sick?
  • ‘Everyone should wear a mask’ became ‘wear a mask if you can’. This was due to limited supply, but it appeared that the science was not clear

“The scientific approach means you never have an answer… we are trained as scientists to focus on the fact that we don’t know”

In fact, the only answer is that the right data, used consistently and communicated clearly, will always allow us to be prepared, not reactive. To make decisions for the public good that protect every individual.

You can find out more about the common language of privacy in our Rosetta Stone eBook.

You can also watch Tessa’s fascinating podcast with Dr Graeden below.

<< PREVIOUS EPISODE
NEXT EPISODE >>

Why data-ambitious organizations need more than a Chief Data Officer (CDO)

Written by Brendan Walsh on . Posted in Data Governance, Data Privacy, Data Protection, Glossary. No Comments on Why data-ambitious organizations need more than a Chief Data Officer (CDO)

The rise of the CDO

The potential value of data – if used optimally – is unquestioned.

In recent years, there has been a clear acceleration in the number of organizations keen to not only better understand their data’s potential, but also govern it more rigorously, structure it more usefully and use it more creatively.

And so, they appoint a Chief Data Officer (CDO) to drive this change.

This person – the business hopes – will “take hold of the data problem”, pulling sources and siloes together to create clarity, drive automation, place data and insights into the hands of the front line, and improve business performance and customer satisfaction.

Discussing Client Ambition

When discussing these ambitions with our clients, the excitement and optimism is clear. But what is often missed, or at best over-simplified, is the need to execute safely.

Managing the security risk to the organization is a fundamental part of a CDO’s remit. Depending on the organizational structure, it is usually shared with or delegated to a dedicated CISO or equivalent.

Similarly, compliance with industry regulations and certifications such as ISO and SOC comes under the governance aspect of the CDO role (again, often shared with / delegated to the CISO)

But what about Data Privacy?

CDOs and data privacy

In the pursuit of these ambitious data goals, while the CDO and/or CISO handle security and compliance, who will manage the privacy-related risks to the organization? And the risk to the data subjects?

  • What data is personally-identifiable, and therefore subject to data privacy laws?
  • Where is this data received from and held?
  • How retrievable is it?
  • How is it used?
  • Will personal data be exposed to machine learning or automated decision-making?
  • When and how is personal data shared?
  • Or disposed of?

In tackling these questions, some organisations believe the CDO can also perform the Data Protection Officer (DPO) role, or have one report into them or the CISO. Others appoint a Chief Privacy Officer, thinking they are the same as a DPO, or a “DPO+”. Others ignore the need for privacy oversight altogether.

None of these answers are wise. Some are even illegal and can result in penalties.

The truth is, most data-ambitious organizations require all three roles. Without them, data safety is jeopardised and the company is at risk of non-compliance, breaches, inefficiency and missed opportunity.

But how the remits are best defined and structured is often a mystery.

Below is a guide to the three pertinent roles – Chief Data Officer (CDO), Chief Privacy Officer (CPO) and Data Protection Officer (DPO) – outlining why each role is essential for every data-ambitious organization, plus their differences, inter-relationships, boundaries and overlaps.

CDOs and data privacy

In the pursuit of these ambitious data goals, while the CDO and/or CISO handle security and compliance, who will manage the privacy-related risks to the organization? And the risk to the data subjects?

  • What data is personally-identifiable, and therefore subject to data privacy laws?
  • Where is this data received from and held?
  • How retrievable is it?
  • How is it used?
  • Will personal data be exposed to machine learning or automated decision-making?
  • When and how is personal data shared?
  • Or disposed of?

In tackling these questions, some organisations believe the CDO can also perform the Data Protection Officer (DPO) role, or have one report into them or the CISO. Others appoint a Chief Privacy Officer, thinking they are the same as a DPO, or a “DPO+”. Others ignore the need for privacy oversight altogether.

None of these answers are wise. Some are even illegal and can result in penalties.

The truth is, most data-ambitious organizations require all three roles. Without them, data safety is jeopardised and the company is at risk of non-compliance, breaches, inefficiency and missed opportunity.

But how the remits are best defined and structured is often a mystery.

Below is a guide to the three pertinent roles – Chief Data Officer (CDO), Chief Privacy Officer (CPO) and Data Protection Officer (DPO) – outlining why each role is essential for every data-ambitious organization, plus their differences, inter-relationships, boundaries and overlaps.

Who you need

The Chief Data Officer (CDO)

Responsible for using data to best effect. The basis of this is data governance – its stewardship, consolidation, structure, management and distribution, but also the security and compliance risk it presents. On top of this lies innovation and how it can be most profitably exploited, whether through automation, analysis or data science.

The Chief Privacy Officer (CPO)

This role sits within the overall CDO responsibility. This role adds the perspective of privacy compliance to the CDO function, specifically in terms of any action’s risk to the company. As such, they will lead on the construction of the privacy programme, its roll-out and training and any necessary assessments.

The Data Protection Officer (DPO)

Represents the data subject within the organization. They oversee activities from data processing, assessments and employee training to ensure that none of them conflict with data subjects’ privacy rights, and as such must maintain independence from activities and reporting lines. While perhaps not technically required within your organization (for instance if you are not a public body, do not systematically process personal data as a core activity, or are not processing ‘large volumes’ of sensitive data), it is nonetheless a firmly recommended role for any data-ambitious organization with any degree of use of personal data.

Can these roles be combined into single individuals?

The CDO and CPO can be the same person, and arguably should be to ensure that the entirety of data safety – security and privacy – are the foundations of all data use and governance, and reducing the risk of accidental non-compliance, or painful retrofitting of compliance requirements.

The DPO and CDO (and/or CPO) must never be the same person, as it would create a punishable conflict of interest. They should not even be in the same reporting structure. The DPO’s role is to independently monitor and question all activities, strategic policies and objectives, which means they need the platform to challenge every level of the organization.

The risk of getting this wrong

Risk of unethical / non-compliant data processing

Our data privacy experts have often seen overenthusiasm and ambition innocently leading to personal data being misused. Without anyone overseeing the privacy risk to the data subject (DPO) or even the business (CPO), and a focus only on security, then organizations can easily overstep.

Missed opportunity

DPOs and CPOs are often mistaken for naysayers, as they too often focus on limiting what can be done with data and curtailing the ambition of the CDO. In fact, the best DPOs and CPOs will support the CDO’s objectives, by suggesting innovative approaches to data use that balance ambition with risk.

Delays

If privacy is not a foundation on which data ambitions are built, then it will either be forgotten or retrofitted. The former creates risk of breaches, while the latter creates delays. Projects that lay privacy on top, rather than being designed with it in mind from the outset, risk needing costly redesign and rebuilding.

Conflict of interest

A DPO has to be independent of the day-to-day processes of data management, including its receipt, use, treatment and security. This rules out those job titles that are classically given this second role, such as CIOs and Heads of Compliance, and that regulators are now punishing.

The Chief Data Officer (CDO)

Remit unique to this position:

Data governance

Ranging from data’s structure and architecture to its management and ongoing quality assurance. Accurate and efficient data governance is the foundation stone of all data initiatives. Data siloes, untidy or incomplete data and inconsistent data structures are the principle barriers to data ambitions.

Security-related risk to company

Clearly overlapping with the above, the CDO is required to identify where the ambitions for data’s structure, storage and use will create security and regulatory compliance risk. Working with the CISO – who may be alongside or within the CDO’s team – these risks then need to be mitigated comprehensively, and without obstructing operations.

Innovation / Data Science & Insights

This is the principal reason for the appointment of a CDO: using data creatively to further the aims of the organization as a whole. Building on the groundwork of data governance and security, this may be through automation, analytics, visualizations, machine learning or other forms of AI. Projects may be intended for internal efficiency, or the development of new products and services, but one truth remains at every initiative’s core: using data more intelligently.

The Chief Privacy Officer (CPO)

Remit unique to this position:

Privacy-related risk to company

While the CDO handles the security-related risk, the CPO looks specifically at personally-identifiable data, how well protected it is and how ethically / compliantly it is used. This will include determining how all the organization’s activities affect the regulations whose scope they fall under, and ensuring the various obligations are all addressed.

Clearly, this responsibility overlaps with the CDO’s security-related remit, and requires the cooperation of the CISO, as a lot (though not all) of a privacy-focused risk assessment is based in typical security technical and organizational measures (TOMs). As such, the CPO role may well be part of the CDO’s, if the individual has the relevant privacy skills.

Devise & deploy the privacy programme

This is the tactical implementation of the above. It involves the creation of policies and processes that will protect personal data in every department, by every user and with every data interaction, and specifically on an ongoing basis.

Unlike many other areas of compliance, data privacy requires continuous management and oversight. A breach of ISO compliance requirements on a given day is unlikely to jeopardise completing the next audit’s requirements and maintaining certification. In contrast, a single breach of data privacy requirements could result in customer dissatisfaction, being reported to regulators and potentially fines and irreparable brand damage. As such, the deployment of the privacy programme must ensure continuous protection.

Data Protection Officer

Remit unique to this position:

Privacy-related risk to data subjects

This is the crux of the DPO role. A Data Protection Officer is one of few senior roles who categorically do not serve the interests of the organization, but of third parties – arguably the only one. It is this unusual perspective that requires them to be independent of the mechanics of the organization, and that underpins all other responsibilities.

Oversight

The DPO is responsible for continuously monitoring all data processing activities and independently assessing their adherence to the GDPR and any other relevant legislation. Any faults or risks found are then the responsibility of the CPO and/or CDO to remedy, working alongside any relevant departmental head.

Internal audit

Part of the Oversight role above will include regular internal audits of data processing activities. An initial GAP Analysis will show a baseline of compliance, while subsequent periodic audits will showcase the evolving privacy maturity of the organization, plus any persistent weaknesses.

Liaison with authorities and data subjects

DPOs also act as a conduit for all communications with supervisory authorities and data subjects. They may do this proactively, for example securing approval from authorities on the legitimacy of any new and unusual data processing initiatives. DPOs will also handle the communications with any data subjects in the case of Data Subject Requests.

The Shared Remits

Shared remit: CDO & DPO

Automated decision-making

This is a crucial overlap. For many data-ambitious organizations, especially those in consumer services such as banking, telecoms or utilities, there will be a drive to use automation or machine learning to systematize interactions with customers based on the data on them as individuals. These may include the pricing and terms offered to them, which would mean that automated decisions are being made that have a legal or similarly significant effect – which is specifically limited by the GDPR and many other privacy regulations that followed in its footsteps.

This is therefore a classic example of a situation where the CDO and the DPO would have to work together to ensure that the project is legitimately designed and executed, and is highly indicative of why the DPO cannot be the same person or even be in the same reporting structure as the CDO. The CDO’s project needs to be able to be objectively critiqued and perhaps stopped by an independent DPO.

Shared remit: CDO & CPO

Ethical Data Impact Assessments (EDIAs)

EDIAs are modern supplements to the pre-existing Data Protection Impact Assessment (DPIA), and are effectively documented evidence of the scrutiny required above in instances of Automated Decision-making.

While not specifically required by privacy legislation or guidance – as a DPIA is – the sort of rigour they encompass is. As mentioned above, references are found in the GDPR and many other pursuant regulations. The extra scrutiny is recommended because of the deliberate removal of human oversight from processes, and therefore the risk of the inadvertent removal of understanding, proportionality, fairness and even values.

For a DPIA, a DPO and a CPO (see below) will collaborate on mitigating the risks to data subjects – hence the DPO’s involvement.

An EDIA’s extra considerations beyond a DPIA focus on accountability, transparency, necessity and sustainability. These are more technical, strategic and concerned with personal rights including but also beyond privacy, such as the right to not be discriminated against.

The CDO’s input will therefore cover the technical and strategic sides, while the CPO is best placed to review the technology’s ethical use. In truth, this is not a perfect fit. But there are few alternatives. A DPO’s role is to monitor activity through a strict lens of protecting data subjects’ privacy rights – and arguably their independence means their role can never be to perform assessments, only to review. Legal counsel is concerned with the application of the codified law, not the wider topic of ethics. Compliance roles are similarly used to implement specific rules and standards.

Upholding ethics is different by its nature, and not typically a nominated role within organizations, but a CPO is arguably the closest fit, not least because they lead the completion of DPIAs, on which EDIAs are based.

Shared remit: CPO & DPO

Training employees

This is part of the CPO’s deployment of the overall privacy programme, but requires the involvement of the DPO because of their responsibility for monitoring internal compliance. Acting on behalf of data subjects, the DPO will check the suitability and comprehensiveness of the training programme, in essence confirming that should the training be satisfactorily completed (the CPO’s responsibility to ensure), then data subjects’ rights are protected

Data Protection Impact Assessments (DPIAs)

These tools identify any potential risks that may arise from processing personal data, allowing the organization to minimise and negate them in advance. They are a key requirement for demonstrating adherence to GDPR and most other privacy regulations, and should be completed for every way in which an organization processes data.

They are the CPO’s responsibility to perform, though as with the Training above, the DPO is required to provide an oversight role to ensure data subjects’ rights are protected. They will advise the CPO on whether a DPIA is necessary in any given situation, how it should be performed, what measures can be legitimately put in place to negate any risks identified, and whether the ultimate decision that process is permitted or not is correct.

This process and shared responsibility applies equally to other privacy adherence tools such as Legitimate Interest Assessments (LIAs), where the CPO is responsible for performing the duty, while the DPO ensures their completion and verifies their outcomes.

Data Subject Access Requests (DSARs)

Some of the most common instances of CPOs and DPOs having to collaborate are on DSARs. In some industries, these are rather common, especially those with high volumes of consumer interaction such as retail, utilities, telecoms and retail banking. A CPO will be responsible for the performance of the DSAR – for example, verifying the identity of the data subject and collecting relevant data – while the DPO will be responsible for overseeing the process, approving the data to be shared, ensuring deadlines are met and handling communications with the data subject.

The Universal Responsibilities

Data Quality

All three Data Officers have a responsibility – or at least a vested interest – in maintaining the continuous quality of all the organisation’s data.

  • For a CDO, this is of course a principal strategic objective. Better use of data relies on data sources being cleansed for interrogation, and probably integrated under common data models to allow for deeper insights. But without continuous data governance – the process by which data quality is preserved – then interrogation becomes impossible, and integrations fall apart.
  • Data quality requires common rules – defined and upheld ultimately by the CDO – for how data is collected and stored; agreed responsibilities for how it is maintained and kept complete, credible, useful and clean,; and a clear vision for how it may be used.
  • The CPO and DPO will also have involvement in this, and vested interests in its performance. How and where the CDO decides to store data will need to adhere to data residency and sovereignty requirements. Data privacy regulations routinely give data subjects a Right to Accuracy, where every reasonable step must be taken to rectify data inaccuracies or erase data if no longer correct. And of course, without complete, clean and credible data, then DSARs cannot be accurately performed, and DPIAs and other typical processes cannot be conducted or verified easily.

DPIAs in fact even have a specific question of:

“Are you satisfied that the personal data processed is of good enough quality for the purposes proposed? If not, why not?”

Of course, the easiest way for Data Quality to serve all three Data Officers needs is to base the organization’s Data Quality framework on the principles of Privacy by Design & Default.

Contracts

While the above is a strategic imperative that requires all three Data Officers’ involvement, this is a tactical overlap.

  • Contracts with new suppliers, partners, and potentially customers that inherently involve the processing of personal data create responsibilities for CDOs, DPOs and CPOs alike.
  • A CDO needs to ensure that the contract and the mechanics of the engagement will not undermine or contradict any element of data governance. For example, if the new contract is with a new cloud services provider, can the provider support any ISO, SOC or PCI obligations? If the contract is with a new CRM, is the data structure consistent with any pre-existing common data model and how will data quality and accuracy be maintained? And in all cases, what security measures are in place to protect data from internal and external threats?
  • Meanwhile, a CPO will be concerned with whether the contract is in line with the organization’s privacy obligations. To use the example of the new cloud provider again, will data residency obligations be met? Or for new SaaS platforms, where will data be stored and are the correct cross-border data transfer mechanisms such as Standard Contractual Clauses (SCCs) in place?
  • Finally, a DPO’s role in a contract scenario is to review the legitimacy of the decisions made above, and verify that the privacy of data subjects’ personal data will not be jeopardised – regardless of whether the organization is a controller or a processor in the given scenario.

The Core Lessons

  • All three roles – CDO, CPO, DPO – are probably required in your organization, even if a DPO is not strictly required it is nonetheless advisable.
  • The CDO can also be the CPO, but the DPO must be independent.
  • The CDO defines the strategy and is responsible for the vision of what is to be accomplished with your organization’s data. This will include its structure, security, governance, maintenance and creation of value.
  • The CPO is responsible for ensuring that the implementation of this strategy will not put the organization at any privacy-related risk, and is tasked with mitigating any risk with a defined and well-executed privacy programme.
  • The DPO is the representative of the data subject within the organization, and is primarily responsible for overseeing the activities and ensuring no rights are or could be infringed.
  • The more fundamental or complex the operation (such as data quality or intelligent data use), the more likely it is to require all three roles.
  • Putting privacy – and better yet, total data safety – at the heart of every data initiative and interaction will make it more likely that every role’s agendas are equally met.

Does your DPO have a Conflict of Interest?

Written by Brendan Walsh on . Posted in Data Governance, Data Privacy, Data Protection, Glossary. No Comments on Does your DPO have a Conflict of Interest?

What is a DPO?

Unlike many other areas of compliance, data privacy adherence is not something that can be audited once and then presumed to continue for the foreseeable future.

Data is the most voluminous, mobile, essential and potentially dangerous asset any business owns. It is created, deleted and interacted with constantly, often in new ways by new individuals.

A point in time audit is simply not suitable for continuous oversight of how data is treated.

It is this unavoidable truth that led the GDPR legislators to require organizations that process the most data, and/or the most sensitive data, to ensure that the interests of the data subject are continually and adequately represented in any and all data processing. Hence, the mandated requirement for the Data Protection Officer (DPO).

Under Article 37, DPOs are a mandated requirement if:

  • You are a public authority or body
  • You are an organisation whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale (e.g. online behaviour tracking)
  • You engage in the processing of large volumes of special category data, or data related to criminal offences and convictions

The DPO’s tasks are outlined in Article 39 of the GDPR as:

  • To inform and advise the business and its employees of their GDPR obligations.
  • To monitor and audit compliance with the GDPR and the business’ data processing policies, including the assignment of responsibilities, awareness-raising and training of staff.
  • To manage data protection impact assessments, and monitor their outcomes.
  • To cooperate with and serve as the contact point for Supervisory Authorities.

Appointing a DPO internally

Many mandated businesses have dutifully appointed their DPO. They have consciously sought to avoid the expense, time and difficulty of hiring a new head, and distilled the requirements and responsibilities to their raw essences and found a person internally who:

  • Understands the way the company ingests and uses data
  • Has the standing and breadth of involvement in the business to appreciate every data workflow
  • Is experienced in the administrative, legalistic and monitoring sides of compliance
  • Is senior and credible enough – as the GDPR requires – to interact with, advise and perhaps argue with the highest levels of the business

This seems suitable. The rights and interests of the data subjects appear to be best protected by a person who has this experience and background, and who can monitor the organization’s activities and ensure their adherence to the rules and the sentiment of GDPR, such as the CIO, CISO, Head of Compliance, Head of Legal, even the CEO.

These organizations seem to be acting in totally good faith. After all, Article 38(6) even allows the DPO role to be secondary role on top of day-to-day operations.

But they have forgotten an underlying principle of the GDPR: the DPO must be independent.

By expecting someone who also has responsibility for the management, oversight, strategy or security of data and how it is processed (i.e. a data controller), to also scrutinise, critique and object to those same processes on behalf of data subjects is creating a conflict of interest.

It is like asking students to mark their own homework. As much as they may be obliged to remain impartial, they have their own obligations, objectives and interests that prevent them from being completely and undeniably impartial.

No matter how ethically they may think they act, it represents a compliance failure.

The danger

And legislators are hot on this. Most Supervisory Authorities, including the UK’s Information Commissioner’s Office (ICO), have issued specific guidance on how to avoid conflict of interest. While this proactive support shows that the SAs intend to help businesses avoid making this error, the flipside is that it also means they will not tolerate failure.

Indeed, fines have started to be handed to firms who overstep, intentionally or otherwise. A prime example is a E50,000 penalty for a Belgian telecoms operator whose DPO was also their Head of Compliance, responsible for the compliance, risk management and audit functions. Dispassionate and independent review of their data protection processes from a data subject’s perspective versus the business’ was deemed impossible.

Some examples of roles often asked to also take on the DPO role

  • CIOs
    who define the IT strategy, including where data resides, how it is accessed and who by, and on which platforms.
  • CISOs
    who build security strategies that prioritize certain measures or defending against certain cybersecurity threats.
  • COOs and CEOs
    who have responsibility and/or influence over how data is processed, for what purpose and through what tools.
  • Heads of legal
    who balance the interests of the organization against what is permissible or possible under the law.
  • Heads of compliance
    who balance the organization’s needs and operations with the requirements of various regulatory frameworks.
  • Heads of departments
    E.g. marketing and HR, who determine how data is processed within their teams in order to meet their objectives.

The whole point of the DPO is to stand apart from the interests of the business and be the voice of the data subject.

How can any of these roles – all of which put the interests of the business first – be compatible with a second role that expects them to demand the business undertakes specific actions that will protect the interests of the data subject? Or even to spot the need for additional actions. External perspective is often key.

Should you outsource your DPO?

A company must appoint a DPO who is free to operate independently. There should be no pressure from management, or risk of insufficient perspective on data-centric processes or strategies that may jeopardize the continuous privacy of personal data.

If you suspect your current internal DPO appointment is putting your GDPR adherence at risk, then you should consider making a change soon.

Reasons for considering outsourcing the DPO role:

  • Guarantees impartiality
    Appointing an external party is specifically permitted under the GDPR, due to the ability for the person to avoid conflict of interest, act dispassionately and often challenge senior management easier.
  • Greater accuracy
    An external DPO is likely to perform better than an internally-appointed DPO who may be restricted by the working practices of the business or by not wishing to undermine wider objectives.
  • Wider skillsets
    The better tier of outsourced DPO services bring not only legal expertise, but also data security and technology, plus experience across numerous jurisdictions and data privacy frameworks.
  • A show of trust
    It shows data subjects and Supervisory Authorities that you take the privacy of data seriously, and are not willing to take dangerous short cuts to adherence.
  • Faster to appoint
    Some try to hire a dedicated DPO, but find they are in high demand and short supply – some reports say 1 candidate to 10 open roles, and many taking over a year to appoint.
  • Significant savings
    Because of how rare suitably qualified people are, they often command a premium salary. Outsourcing the role is far more cost-efficient, and tends to bring wider skillsets.

How Calligo can help

Calligo’s expert and highly-qualified data privacy consultants, who each have a unique mix of legal, technical and infosecurity expertise, are ideally suited to serve as your outsourced Data Protection Officer.

Our DPO as a Service clients range from SME to the largest enterprises, span every sector, multiple geographies and privacy regulations, and process some of the most sensitive categories of data.

Our experts provide ongoing monitoring and audits of the collection and processing of personal data, plus staff training to ensure our clients’ total and ongoing protection. They also represent your organization to both data subjects and Supervisory Authorities .

To find out more about our Data Protection Officer as a Service, click the button below and speak to our expert Data Privacy Consultants

Data Privacy Update: Virginia Consumer Data Protection Act (VCDPA)

Written by Brendan Walsh on . Posted in Data Governance, Data Privacy, Glossary. No Comments on Data Privacy Update: Virginia Consumer Data Protection Act (VCDPA)

And so it continues. Last month, Virginia passed its own privacy law, the Virginia Consumer Data Protection Act (VCDPA), adding fuel to the fire over a US federal privacy law, and introducing new complexities for businesses operating in or addressing the US market.

It will take effect on January 1, 2023 (the same day as California’s CPRA which amends the current CCPA) and was passed in record-breaking time: less than two months, and by an overwhelming majority.

Such was its speed and simplicity that many other state bills are actively mimicking some of its propositions, including Colorado, Connecticut and Minnesota.

Theoretically, this active copycatting will limit the ongoing differences between state laws, but this of course remains to be seen.

Continue reading

The Data Privacy ‘To Do List’ for the new US administration

Written by Brendan Walsh on . Posted in Data Governance, Data Privacy, Glossary. No Comments on The Data Privacy ‘To Do List’ for the new US administration

A new administrion is a federal privacy law.

It is a conversa

The US should learn from this. It has after all its own longstanding experience of how state by state commerce rules can at times create difficulties and additional expense. Law-making and enforcement is notoriously especially tricky. Imagine what happens with ddegree of protection and oversight.

This creates excessive regulatory burdens and hampers innovation.

But it is easily solved: recognise that the sensitivity of personal data can be classified not only by its technical category but also by its potency.

The US administration – as the government whose states are creating and debating the most privacy laws, and that oversees some of the largest technology organizations in the world – has an opportunity to address the proliferation of data-hungry organizations, control their appetites, while also appreciating the true variety of personal data beyond simple technical classifications.

To do so would not only earn the simultaneous approval of ‘big tech’ and small innovators, but also legislators, policymakers and privacy professionals who labour under this absurdity every day. And it would lay the foundations for the most modern and up to date privacy framework in the world.

A new administration in the most influential economy in the world triggers news hopes and expectations in every industry. But if major change were to be on the agenda, what would be the most beneficial, transformative, impactful or prudent new data privacy initiatives that the new US administration ought to introduce?

Continue reading

What is California Consumer Privacy Act (CCPA)?

Written by Brendan Walsh on . Posted in Data Governance, Data Privacy. No Comments on What is California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a Californian data protection law that governs how businesses are allowed to collect, process and share the personal information of California residents. The CCPA was enacted on January 1st, 2020 and enforcement began on July 1st, 2020, and is the most recent law to set the standard for ensuring data privacy in the United States of America.

Continue reading