Implications of GDPR on Commercial Machine Learning Models
The EU General Data Protection Regulation (GDPR) was introduced in 2018. GDPR places restrictions on what data about European Citizens can be collected, processed and used. It has a significant global impact on how ML teams can use all this data.
By introducing the GDPR, the EU aimed to harmonize data privacy laws across all its Member States, safeguard EU citizens’ data when being transferred abroad, and provide individuals with more control over their personal data. In short, the GDPR applies to data that, either alone or in combination with other data, can identify a person. Normally these include:
- Personally identifiable information (name, address, date of birth, etc.)
- Racial and ethnic data
- Web-based data (location, IP address, cookies, etc.)
- Political opinions
- Sexual orientation
- Health and genetic data
- Biometric data
What does this mean for Machine Learning and ML Models? It introduces the following imperatives:
- Data Transparency – The GDPR empowers citizens to decide which of their data is used by third-party controllers. This means you must be open and transparent about why you’re collecting data and what you intend to do with it. AI and ML are black boxes, and it is not always readily apparent how they make the decisions they do.
- Data Purpose – GDPR says that you can collect and use data only for a specific purpose and not collect data in an ad-hoc way. Consent from the subjects is needed for this data collection and only for that specific purpose. It is not always possible to predict this ahead of time.
- Minimal Data Collection – GDPR says that data collected must be minimal and relevant. Software developers must project ahead of time what data is needed and in what quantity. This is an ongoing process and not just a one-shot process.
- Removal of Bias – The GDPR says bias must be removed from the data collected and processed. The Data Controller needs to ensure this. Machine Learning models may be developed using past data that embodies human bias, conscious or unconscious. ML teams must remove these biases to be compliant with the GDPR.
A synthetic data tool can effectively address these concerns with GDPR with the following characteristics:
- Synthetic Data and Data Transparency – Synthetic data is arrived at using real production data. With the right Privacy Assurance approaches, reidentification risks can be addressed. Since we are dealing with fictitious people data, transparency requirements can be met easily.
- Usage Restrictions – Even internal sharing of real data is risky with GDPR regulations. However, if the real data is converted into synthetic data with privacy assurance protections, data processing risks become less and less of an issue.
- Removal of Bias – Synthetic data can ensure that training data contains enough of the features and demographic distributions needed to remove bias. For example, if males are overrepresented in the real training data for a Machine Learning model, synthetic data can make sure that there are enough females also in the training data set. It can extrapolate from columns that have some data in them to columns that have NULL values or blanks.
GDPR places significant restrictions on collecting, processing, and using data about European Citizens. Real production data may be too risky to be used. Synthetic data generation tools can bridge this gap easily. With the right privacy assurance algorithms, real data is converted into data about fictitious persons. If the reidentification risks are minimized and quantified, synthetic data becomes useful and can be shared internally, and freely. Whether the data is needed for internal software testing, or the marketing department for segmentation and strategy development, a synthetic data tool addresses GDPR regulations effectively and liberates all that data for processing and use.
With GDPR the responsibility has now shifted to the business owner and controller to make sure that they do everything they can to protect their data silos and databases for all business systems while giving individuals more rights ~ Alistair Dickinson, The Essential Business Guide to GDPR: A business owner’s perspective to understanding & implementing GDPR