While the demand for data is growing, processing of personal data increasingly requires compliance with more stringent, multi-jurisdiction, and sometimes overlapping laws and regulations. Standardizing interpretation and enforcement among the 27 EU states and their neighbors is essential to ensure that AI technology can continue to evolve while protecting personal data. The European General Data Protection Regulation (GDPR) is the strictest data protection regulation out there right now, and to say it can be difficult to interpret would be an understatement.
The essence of GDPR is that personal information has to be used in a way that protects the privacy of the person/data subject and keeps that person fully informed of how their data is to be used both now and in the future (if at all). Each person has the right to decide how his or her personal data is utilized, including the ability to not have their data used at all.
In summary, GDPR requires:
- Full control of personal data, and clarity about what the data is going to be used for. At the moment of data collection, the company must clearly explain this use of personal data to the subject, so the person can make an informed choice on whether or not to consent to the data collection.
- A limit on the amount of data collection to the minimum necessary for achieving the goal for which the data is going to be collected and processed.
- Data subjects to be informed about who the data controller is, how to contact the data controller, the legal basis for processing the data, and what categories of personal data are going to be processed. The data subject’s rights also must be made explicitly clear in plain language (non-technical, no jargon).
- The company to document how the data protection requirements are met.
GDPR compliance requires expert legal advice in the area and potentially outsourcing the data collection and annotation to GDPR-compliant companies, such as Sigma, which have specialized personnel to undertake personal data projects.
A company that is GDPR compliant is also well positioned to be compliant with the California Consumer Privacy Act (CCPA).