The adoption of the EU AI Act will force many companies to make choices: who will be included in AI teams from now on? Will your Data Protection Officer take on a second additional role, as AI Officer? Are you creating an ethical board? Will technical teams have to reskill? Today, there are more questions than answers.
As we’ve discussed at length in previous insights, the European Union’s landmark AI Act (AIA) – the world’s first horizontal AI legislation – will affect everyone in different ways. Many companies will have to adapt their AI strategy in the face of the AIA’s risk-based regulations. Some might even be forced to outright stop using their AI systems if they’re deemed to pose unacceptable risks to citizens’ rights and contravene EU values.
However, even within companies, the AIA will affect people in different ways. The AIA is not just another piece of legislation that’s the sole purview of the legal and compliance team – true, compliance officers will undoubtedly have to sift through the 250+ pages of EU legal lingo, but they’ll have to translate its actual contents and obligations into action plans that will also affect other roles and teams.
Technical teams
Technical teams will have to work closely with the compliance team to help write the proper technical documentation for high-risk AI systems (including details on training, data governance, testing…) and set up logging systems , which is absolutely essential for complying with the AIA’s requirements. It requires such a specific combination of skills that, ideally, it’s not left to just one team or the other. Instead, getting the technical aspects of AI compliance right is the product of continuous collaboration.
This also means that the most effective approach is not just to train technical profiles in writing documentation, generating the right data, and responding to requests for documents from the compliance team. In addition, it could be a good idea to work with a compliance liaison in the technical team, who’d function as the first point of contact in case of, for instance, a documentation request.
DPOs
Data Protection Officers, who ensure that the personal data of everyone involved in an organization (employees, stakeholders, users…) is processed safely, might also have to get involved in the process. After all, AI depends fundamentally on the datasets used to power it, and the AIA explicitly mentions that the right to privacy and data protection should be protected throughout any AI system’s lifecycle. The Confederation of European Data Protection Organizations (CEDPO) previously outlined the impact of the AIA on DPOs in a position paper, arguing that there may be some dual or conflicting obligations under the AIA and the GDPR. For instance, if a system log contains personal data, it should be kept for “for a period appropriate in light of the intended purpose of the high-risk AI system” – but that could bring conflicts with the GDPR’s storage limitation principle.
CEDPO also warns that DPOs may be expected to take on the role of an AI Officer in addition to their existing obligations, which might become overly burdensome as well as force them to do tasks that go beyond their expertise. After all, being well-versed in data protection doesn’t necessarily mean that you’re an expert in artificial intelligence. Moreover, CEDPO notes that having a designated AI Officer could be beneficial, but combining DPO and AIO roles may result in a conflict of interest: an AIO could have a vested interest in the success of an AI system that depends on personal data processing, and might therefore not adequately fulfill their duties as DPO.
Legal & compliance officers
DPOs often have a legal background themselves and might be most likely to step into a combined DPO-AIO role. However, in high-risk cases other legal and compliance officers might also get involved. If the DPO-AIO is overburdened with questions and cases, other employees in the legal team may have to step in and serve as a point of contact for issues related to the AIA. Also, it’s a great idea to include at least one legal officer on your main AI team, even when you’re just researching and developing an AI tool. That allows you to nip potential ethical issues in the bud.
Managers
For managers overseeing AI projects or business processes more generally, the AIA will be more than just another layer of rules to take into account. While managers will certainly have to ensure that the EU’s new rulebook is followed as best as possible, the AIA is also a chance to revise business processes and policies to work more effectively and better align with your organizational goals. Its principles of accuracy, transparency, fairness, and safety will lead to higher-quality AI systems even in high-risk contexts.
The AIA invites managers to create (or act as) links between different teams to ensure proper compliance. Managers will have to find new, more transparent structures and processes to bring people in different roles together. They will also have to decide whether to designate an AI Officer or not, and then whether to merge that role with the DPO or not.
Everyone else
In the end, everyone within an organization can contribute to responsible and safe AI. If an employee suspects algorithmic discrimination, mishandling of personal data, or sees other ethical issues, it’s of key importance to speak up on these issues; Some companies may also choose to create an ethical board that brings people together to evaluate AI risks and ethical issues.
In sum, to avoid being caught off-guard by the Act, companies should start thinking about how to compose and position their AI teams, and who exactly will be working on AI teams. Are you creating a separate innovation team where people plucked from different divisions meet? Or are you creating liaisons integrated in those divisions? Will you be creating an ethical board?
We can help with all of those questions. Get in touch with our EU AI Act Manager Koen Mathijs or contact your local Sparkle office.
