๐ŸŒŒ
Privacy Village Academy
Join The Community!AcademyAbout HGPE
  • Hitchhiker's Guide to Privacy Engineering
    • โ“What is HGPE?
      • โš–๏ธWho is this for?
      • ๐Ÿง™โ€โ™‚๏ธPrivacy Engineering
      • ๐ŸŽจCreative Privacy
      • ๐Ÿ”ฎGenerative AI
      • ๐Ÿง‘โ€๐Ÿ’ปAbout the Author
  • ๐Ÿง™โ€โ™‚๏ธThe Ethical AI Governance Playbook 2025 Edition
    • ๐Ÿค–Chapter 1 : AI Literacy
    • ๐ŸŒChapter 2 : AI Governance in the 21st Century
    • โŒ›Chapter 3 - Getting Started with AI Act Compliance
    • ๐Ÿš€Chapter 4 : Rise of AI Governance: Building Ethical & Compliant AI
    • Chapter 5 : Introduction to the Lifecycle of AI
  • ๐ŸŽ“Privacy Engineering Field Guide Season 1
    • โ“Decoding the Digital World: Exploring Everyday Technology
    • ๐Ÿ‘๏ธIntroduction: Why Privacy Matters?
      • Age of Mass Surveillance
      • Privacy & Democracy
      • Privacy & Government Surveillance
    • โšกChapter 1 : How Computers Work?
      • Electricity
      • Bits
      • Logic Gates
      • Central Processing Unit (CPU)
      • Graphic Processing Unit (GPU)
      • Motherboard
      • Data Storage
      • Databases
      • Operating System (OS)
      • Computer Code
      • Programming Languages
      • The File System
      • Bugs and Errors
      • Computer Virus
      • Internet of Things (IoT)
      • Cloud Computing
    • ๐Ÿ›ฐ๏ธChapter 2 : How the internet works?
      • Physical Infrastructure
      • Network and Protocols
      • Switch
      • Routers
      • IP Address
      • Domain Name System (DNS)
      • Mac Address
      • TCP / IP
      • OSI Model
      • Packets
      • The Client - Server Architecture
      • Secure Socket Shell (SSH)
      • Transport Layer Security (TLS)
      • Firewall
      • Tunnels and VPNs
      • Proxy Server
    • ๐Ÿ–ฅ๏ธChapter 3 : How Websites Work?
      • HTML
      • CSS
      • Javascript
      • Web Server
      • Browser
      • HTTP
      • Databases
      • Front End (Client Side)
      • Back End (Server Side)
      • Cookies
      • Local Storage
      • Session Storage
      • IndexedDB
      • XHR Requests
      • Web APIs
      • Webhooks
      • Email Server
      • HTTPS
      • Web Application Firewall
      • Single Sign-on (SS0)
      • OAuth 2.0
      • Pixels
      • Canvas Fingerprinting
      • Email Tracking
      • Containers
      • CI/CD
      • Kubernetes
      • Serverless Architecture
    • โš›๏ธChapter 4 : How Quantum Computers Work?
      • Quantum Properties
      • Quantum Bits (Qubits)
      • Decoherence
      • Quantum Circuits
      • Quantum Algorithms
      • Quantum Sensing
      • Post-Quantum Cryptography
    • ๐Ÿ“ณChapter 5 : Mobile Apps and Privacy
      • Battery
      • Processor
      • Mobile Operating Systems
      • Mobile Data Storage
      • Cellular Data
      • Mobile Device Sensors
      • Wireless Connectivity
      • Camera & Microphone
      • Mobile Apps
      • Software Development Kits (SDKs)
      • Mobile Device Identifiers
      • Bring Your Own Device (BYOD)
  • ๐Ÿ•ต๏ธโ€โ™‚๏ธPrivacy Engineering Field Guide Season 2
    • โ“Introduction to Privacy Engineering for Non-Techs
      • ๐ŸŽญChapter 1 : Digital Identities
        • What is identity?
        • Authentication Flows
        • Authentication vs. Authorization
        • OAuth 2.0
        • OpenID Connect (OIDC)
        • Self Sovereign Identities
        • Decentralized Identifiers
        • eIDAS
      • ๐Ÿ‘๏ธโ€๐Ÿ—จ๏ธChapter 2 : De-Identification
        • Introduction to De-Identification?
        • Input / Output Privacy
        • De-identification Strategies
        • K-Anonymity
        • Differential Privacy
        • Privacy Threat Modeling
  • ๐Ÿ“–HGPE Story and Lore
    • ๐ŸชฆChapter 1 : The Prologue
    • โ˜„๏ธChapter 2 : Battle for Earth
    • ๐Ÿฆ Chapter 3 : A Nightmare To Remember
    • ๐Ÿง™โ€โ™‚๏ธChapter 4 : The Academy
    • ๐ŸŒƒChapter 5: The Approaching Darkness
    • โš”๏ธChapter 6 : The Invasion
    • ๐ŸฐChapter 7 : The Fall of the Academy
    • ๐Ÿ›ฉ๏ธChapter 8 : The Escape
    • ๐ŸชChapter 9 : The Moon Cave
    • ๐Ÿฆ‡Chapter 10: Queen of Darkness
  • ๐Ÿ“บVideos, Audio Book and Soundtracks
    • ๐ŸŽงReading Episodes
    • ๐ŸŽนSoundtracks
  • ๐Ÿ‘พHGPE Privacy Games and Challenges
    • ๐ŸŽฎData Privacy Day'23 / Privacy Treasure Hunt Game
    • ๐ŸงฉPrivacy Quest
  • ๐Ÿ“ฌSubscribe Now!
Powered by GitBook
On this page
  • Foreword for Chapter 3 by Gรถrkem ร‡etin, CEO @VerifyWise
  • Chapter 3: Getting Started with AI Act Compliance
  • In the Beginning, There Was GDPR
  • The EU AI Act clearly ties AI systems that deal with personal data to GDPR compliance FIRST! ๐Ÿ‘‡
  • Understanding GDPR Requirements for AI Systems
  • Roles and Responsibilities โœ…
  • However, when it comes to AI systems, the roles can kind of shift.
  • Moving Beyond GDPR: Integrating AI Act Requirements
  • The Road Ahead
  • Stay tuned and go play some of our cool privacy games at ๐Ÿ‘‰ https://play.compliancedetective.com/

Was this helpful?

  1. The Ethical AI Governance Playbook 2025 Edition

Chapter 3 - Getting Started with AI Act Compliance

Dear reader, this chapter dives into AI Act compliance, explaining how GDPR fits into the picture and how to ensure your AI systems follow privacy and data protection measures of your organization.

PreviousChapter 2 : AI Governance in the 21st CenturyNextChapter 4 : Rise of AI Governance: Building Ethical & Compliant AI

Last updated 2 months ago

Was this helpful?

Foreword for Chapter 3 by Gรถrkem ร‡etin, CEO @VerifyWise

"AI and data protection go hand in hand. If you're building AI systems, you can't ignore the rules around personal data. The EU has set clear guidelines with the EU AI Act, and it all started with the GDPR. But following these laws isnโ€™t just about avoiding fines. Itโ€™s also about building trust and doing things the right way.

Over time, the technology and the need for stronger rules evolved. The GDPR became the gold standard for personal data protection, giving individuals more control over their information. Now AI is playing a bigger role in our lives and the EU AI Act extends those protections to ensure AI systems handle personal data securely.

Mert's chapter breaks it all down in simple terms. Youโ€™ll learn who is responsible for what when it comes to handling personal data. You'll read how to design AI systems that respect privacy from the start. And you'll get practical steps to stay compliant without slowing down innovation.

AI compliance isnโ€™t a one-time task. Itโ€™s rather an ongoing process. With the right approach, you can build ethical AI." - Gรถrkem ร‡etin (Check him out on )

Chapter 3: Getting Started with AI Act Compliance

As we venture into the ever-changing and sometimes unpredictable world of AI, itโ€™s essential to remember that we arenโ€™t starting from scratch.

In the Beginning, There Was GDPR

But letโ€™s rewind even more. Back in 1980, Convention 108 laid the groundwork for privacy and data protection rules and principles.

From there, various regulations evolved, shaping how we treat personal data. Flash forward to today, and weโ€™ve got the AI Act and the GDPR. Yet there are several significant frameworks that we should also consider to fill in the gaps of these EU regulations to ethically handle personal information regarding AI and data protection compliance.

The EU AI Act clearly ties AI systems that deal with personal data to GDPR compliance FIRST! ๐Ÿ‘‡

Now, hereโ€™s the key takeaway: if your AI system uses personal data, it falls under GDPR. Full stop. Article 2 of the EU AI Act tells you that GDPR applies if your AI system is involved in personal data processing. Not a suggestion, not a guidelineโ€”mandatory.

Understanding GDPR Requirements for AI Systems

Hereโ€™s the basics to get you covered and make sure your AI doesnโ€™t get you into hot water:

Roles and Responsibilities โœ…

In the world of GDPR, youโ€™ll encounter two main roles: data controllers and data processors.

Data Controllers and Processors: In GDPR lingo, the controller (your startup) makes the calls on data use. The processor (hello, cloud vendors) simply carries out the instructions. If something goes sideways, the controller takes the heat.

Data Controller: This is your organizationโ€”the one determining what data is collected, how itโ€™s processed, and for what purpose. For example, if you're using a cloud service like Digital Ocean to host your app, you (the startup) are the data controller, and Digital Ocean is the processor.

Data Processor: This is the entity that processes data on behalf of the controller. In this case, Digital Ocean hosts your data, but it doesnโ€™t control it.


However, when it comes to AI systems, the roles can kind of shift.

But when we talk about the EU AI Act, the game changes a bit. The system provider (say, your third-party platform) bears a bigger responsibility. Meanwhile, your startup, as the โ€œdeployer,โ€ has its own set of duties to ensure everythingโ€™s in line.

Example: As a deployer of AI (i.e., the one using an AI Assistant API like the one from OpenAI), your organization may now fall under the term "processor" while the cloud provider becomes more of a "controller" with higher compliance obligations this time on their end.

Itโ€™s essential to understand these shifts in roles and responsibilities as they affect your data protection strategy and obligations set out in your DPAs with AI providers.

2. Implement Privacy by Design and Default Strategies

  • Consent or Legal Bases: Users must know if their data is being used, and they need to consentโ€”or you need another valid reason to process it. No sneaky stuff.

  • Data Security: Data should be protected. Not just โ€œprotectedโ€โ€”properly secured. People expect that.

  • Monitoring: Inform YOUR users about the ML models they're interacting with and monitoring the system for unauthorized access or vulnerabilities (e.g., LLM attacks, data poisoning).

  • Data Minimization: Only collect what you actually need. No unnecessary data hoarding.

    • If possible, anonymize or mask sensitive data before feeding it into the AI model.

  • Transparency: Be clear with your users about what personal data you're collecting, for how long youโ€™ll keep it, and what rights they have. Be upfront about what data youโ€™re collecting and why. People respect clarity.

    • This includes informing them about who is responsible for their data and how to contact you.

  • Proportionality: Just because you can collect data, doesnโ€™t mean you should. Donโ€™t go overboard. Design your AI system to use only the data necessary to achieve the desired outcome.

    • Avoid over-collecting data or retaining it for longer than necessary.

  • Purpose Limitation: Use the data for what it was meant for, and donโ€™t hold on to it longer than necessary. Ensure that the data collected is used only for its intended purpose.

    • If you're processing data for training, be clear about that and make sure itโ€™s in line with fundamental GDPR principles.

  • Lawfulness, Fairness, and Transparency: Play by the rules. Itโ€™s the only way to avoid problems. Your AI use case should not breach any laws, and you should be clear and open about how data is processed.

  • Respect for Data Subject Rights: Give users control over their data, whether itโ€™s correcting it or deleting it. Make sure itโ€™s easy for them to do so.

    • Once you have consent, ensure you design workflows that allow users to exercise their rights (e.g., object, correct, or delete their data) within the specified timeframes.

3. Data Mapping and Third-Party Risk Management

Know your data. Where is it? Whoโ€™s using it? Howโ€™s it being used? Itโ€™s like tracking your socks. Know where they all are.

Itโ€™s vital to understand and map the personal data flow in and out of your app. Start by creating an inventory of the personal data you're collecting, where it resides, who has access, and whether sensitive data is included.

As part of your risk management strategy, ensure that third-party vendors and subprocessors have appropriate data protection measures in place and included in your data maps. Use Data Processing Agreements (DPAs) to establish the legal framework for data processing and monitor compliance throughout the contract.

If youโ€™re working with vendors like Deepseek, Stable Diffusion or OpenAI check their data policies. Get that Data Processing Agreement (DPA) signed, and ensure they follow it. If they mess up, youโ€™re the one who looks bad.

4. Automated Decision-Making and Explainability

Automated decision-making is a hot topic. If your AI system makes decisions without human intervention, tell your users. Transparency is key hereโ€”donโ€™t try to pull a fast one.

Article 22 of GDPR applies to AI systems involved in automated decision-making. This requires that individuals have meaningful information about the logic behind decisions made by AI models.

This is where explainable AI (XAI) becomes crucial. While still an emerging field, the ability to explain AI decisions is vital for protecting user rights.

Moving Beyond GDPR: Integrating AI Act Requirements

While GDPR provides a strong foundation for data protection, the EU AI Act introduces additional requirements that focus on the safe and ethical deployment of AI systems. As you begin to integrate these into your AI system, remember that the principles outlined in GDPR still apply, but now with added complexity due to the AI Actโ€™s scope.

Treat the following principles as guidelines during your planning:

  • Transparency: Be upfront about how your AI models operate, especially in cases where AI decisions affect individualsโ€™ lives.

  • Accountability: Be ready to take responsibility for the AI systems you deploy and the outcomes they produce.

  • Risk Management: Identifying, assessing, and mitigating AI risks at every lifecycle stage is key. This could involve continuous monitoring of AI models to ensure they comply with regulatory requirements.

The Road Ahead

As you embark on AI Act compliance, remember: this is a journey, not a destination. The principles may seem daunting at first, but think of them as a guiding light through the complexities of AI development. With careful planning, transparency, and accountability, youโ€™ll ensure that your AI system remains compliant and trustworthy.

Stay tuned and go play some of our cool privacy games at ๐Ÿ‘‰

๐Ÿง™โ€โ™‚๏ธ
โŒ›
https://play.compliancedetective.com/
Linkedin
An example of an everyday data flow. Patient is the data subject, hospital is the data controller, and the HMS vendor is the processor.