Many companies designated a Data Protection Officer (DPO) after the GDPR entered into force, to monitor their data compliance and act as a main point of contact for any questions on personal data. With the introduction of the AI Act, some companies could choose to designate an AI Officer – or acquire one “as-a-service”.
The General Data Protection Regulation or GDPR is without question one of the most influential data laws in history – both in Europe and even beyond, as many governments have used it as a blueprint for their own data protection laws. For some companies, the GDPR has arguably been a bit of a headache, as they had to comply with a range of new rules on the processing of personal data.
One of those rules is the designation of a data protection officer, or a person responsible for monitoring data compliance, collecting questions from data subjects, informing the organization and its employees on GDPR obligations, cooperating with the DPA, and performing data protection impact assessments (DPIAs). While not all companies use personal data to the same extent, some organizations use it in spades – making this quite a daunting list of tasks. After all, anyone whose personal data is used (a data subject) could ask questions that end up on the DPO’s desk.
While some companies find a DPO internally, others choose to take a more efficient route by outsourcing these responsibilities and get a “DPO-as-a-service”, where they use a consulting firm to immediately get extensive DPO expertise on board.
Similar to a DPO, some companies might choose to have the equivalent of a DPO for AI: an AI Officer (AIO). The AIO is a central point of contact for questions and comments on artificial intelligence, being both a source of knowledge and a stakeholder mobilizer, but also responsible for monitoring compliance with regulations like the EU’s AI Act, performing AI impact assessments, and cooperating with relevant AI authorities.
Since AI is fundamentally powered by data, the DPO and AIO roles can have some substantial overlap, especially if an AI system uses personal data. The AI Act also establishes specific requirements for data governance, such as proper data collection, preparation, and processing, but also, for instance, bias mitigation. That’s also where some problems might arise, because this might tempt companies to merge the DPO and AIO rules – in other words, simply dumping all AI responsibilities on the DPO. After all, DPOs have already proven themselves to be somewhat tech-savvy, and they are often well-connected among technical and legal teams within the organization.
However, having DPOs take point on AI can lead to a range of problems. For one, combining both sets of responsibilities can lead to overburdening: being the point of contact for personal data inquiries and everything related to artificial intelligence is likely to be too much for one person. Also, it could cause a conflict of interest: what if the AI Officer is leading an AI project that uses personal data and, in pushing through the project, turns a blind eye to possible GDPR infringements? This is also a breach of the GDPR itself, as DPO roles cannot be assigned if they result in a conflict of interest.
This is partly related to the fundamental difference between the purpose of a DPO and AIO. The former’s often meant to set the boundaries on what can or can’t be done with personal data – and may limit how fast data-driven projects can be executed or how high they can aim. An AI Officer, on the other hand, is not just an enforcer of rules to cap potential ideas, but also an enabler of innovation: someone who aligns stakeholders, drives projects forward, offers advice on next steps, and makes the extra push if a project is stalled. A DPO might not have enough experience with this “enabling” role to truly be successful.
The most efficient way of dealing with all of this is outsourcing AI Officer duties through Sparkle’s AI Officer-as-a-service offering. Get in touch with our team via Koen Mathijs or your local Sparkle office.
