What Everyone Must Know About the Common Future of AI and GDPR
The General Data Protection Regulation (GDPR) is designed to protect the privacy of individuals by regulating the collection, use, and storage of their personal data by organizations and the free movement of personal data within EU. This is what GDPR states in his 1st article.
The role of the EDPB is to ensure that the GDPR is applied consistently across the EU, and to provide guidance and clarification on various aspects of the regulations (https://edpb.europa.eu/about-edpb/about-edpb/who-we-are_en).
The EDPB is composed of representatives from the data protection authorities of each EU member state, as well as the European Data Protection Supervisor (EDPS).
Some of the specific tasks of the EDPB include:
• Providing guidance on the interpretation and application of the GDPR
• Monitoring the application of the GDPR across the EU
• Providing an opinion on draft legislation that may impact the GDPR
• Resolving disputes between data protection authorities of different countries
• Issuing binding decisions and fines for non-compliance with the GDPR

It is not possible to predict exactly how the EDPB or other legislative bodies will amend the GDPR in the future, as it will depend on the evolving needs and concerns of EU citizens and the changing landscape of data protection. A fortiori we cannot know how the EDPB will behave towards AI systems. However, the EDPB is likely to continue to play a central role in ensuring that the GDPR effectively protects the privacy of individuals and promotes the responsible handling of personal data by organizations.
The European Data Protection Board (EDPB) has recognized the potential benefits and risks of artificial intelligence (AI) in several of its documents, that could be found here, and has provided the following principles for a lawful use of AI systems:
• Organizations using AI should be transparent about their data collection and usage practices, and should ensure that individuals are aware of and can control how their personal data is used.
• Organizations using AI should implement appropriate safeguards to protect personal data and to prevent discrimination or other negative impacts on individuals.
• AI systems should be designed and implemented in a way that respects the rights and freedoms of individuals, and that minimizes any negative impacts on those rights.
• Organizations using AI should be accountable for their use of the technology, and should be able to demonstrate compliance with the GDPR.

Today, many companies are late in their GDPR compliance journey and still struggle to determine where their data actually resides in the cloud. How will they be able to know what happens to their data when it will be fed to AIs to be chewed and digested ?

The advices that we feel like giving in order to map and inventory the ai systems in use in our company, are actually the same regarding the mapping of cloud services:
1. Review all contracts and agreements with vendors and partners to identify any AI systems that have been purchased or implemented.
2. Conduct a thorough inventory of all the software and technology used by the company, including any AI-powered tools or systems. This can be done through a combination of manual assessments and automated discovery tools.
3. Check with the IT department or other relevant teams to see if they are aware of any AI systems being used within the company (being aware that all departments, not only IT should be involved in this task)
4. Look for any documentation or information provided by the vendor or manufacturer of the AI system, which may include information on the specific algorithms or techniques being used.
5. Test the system to see how it performs and what types of outputs it generates. This can help to identify the underlying AI technology and algorithms being used.

We are curious to see if the legislator will be able to develop exhaustive guidelines on the behavior to be followed by companies towards these disruptive technologies, in the meantime, as susual, everything is up to Data Controllers.