Gary Hibberd

The AI Act requires Action




I don't know if anybody has mentioned this to you, but there’s something called ‘Artificial Intelligence’ or ‘AI’, which has become pretty popular over the last few years!


Ok. I’m obviously joking.


Even remote tribes in deepest, darkest jungles, untouched by man – are getting tired of hearing about AI! So why am I adding to this topic? Because there’s an aspect of AI that we’re not talking about enough.


There’s an aspect to AI that I think will become increasingly important over the coming years and may even change the way you approach the topic.

What it is, I’ll come to shortly. But before we get there, let’s take a look at a couple of developments that everyone needs to be aware of and considering when thinking about AI.


AI is everywhere.


Seriously. Even the latest vacuum cleaners are claiming they are equipped with AI, so if your product or service isn’t looking at AI, then you may already be falling behind your competitors.


What does this mean?


Well, it means there’s no escaping AI. It might not come in the form that movies of the 80’s and 90’s promised us, but in time, that may come. But the fact that devices and systems are using AI means that you need to be aware of it.


How was the AI developed? How is it being used?


Moving away from AI-equipped vacuums and TVs, is AI being used in your organisation without your knowledge? Are users using tools like ChatGPT without any sense of control or restraint?


“When I spoke to a salesperson last week they let it slip that a call with one of their team and me had been transcribed using an AI tool. I wasn’t aware it was being recorded. I wasn’t aware that my words were now being shared by their team.”


You might not see an issue with the above real-world situation. But what if that call had been with a therapist? Or between two people involved in a dispute?


Recording calls without a person’s knowledge is a pretty sleazy (if not illegal) thing to do. But this salesperson didn’t see any issue, because “That’s what the software allows us to do.”


It’s time to Act on AI


I’ll be honest and say we need more laws that govern Cybersecurity and Data, like we need another hole in the head! We already have laws that don’t work, so why do we need another?


In the case of AI, I’m of a different mindset. This is why I am pleased to see the EU has created the ‘Artificial Intelligence Act’. It came into force in August 2024, and its purpose is to improve the market by laying down a uniform, legal framework for the development, placing on the market, putting into service, and the use of AI systems.


Ultimately, its purpose is to promote the uptake of human-centric and trustworthy AI, while protecting the health, safety and fundamental rights of data subjects.


Clearly, AI has the potential to revolutionise a large number of sectors, including health, finance and security. If we’re going to let AI ‘loose’ in our homes, offices, hospitals, and our lives, the need for robust regulation has never been more important.


The AI Act and GDPR


Of course the AI Act is a European Act, and therefore it won’t come as a shock to know that there are some aspects that relate directly to GDPR. But this is because life doesn’t operate in a vacuum, and GDPR is a brilliant piece of legislation that knew AI was coming.


For example, consider that the AI Act focuses on a number of key principles, including:


  • Data Quality and Governance – Requiring AI systems to use only high-quality data, and to ensure it is accurate and fair.

  • Transparency and Accountability – The Act mandates transparency in AI operations, so that it is clear how AI tools make their decisions.

  • User Rights are maintained – Users must be aware when they are interacting with an AI system, and have the right to object to decisions made by AI.

  • Human oversight – AI systems must include human oversight to prevent harm or abuse of compliance or human rights.


Of course this all depends on the nature of the AI, and the risk to data subjects. But anyone who understands GDPR and Data Protection will recognise the AI requirements above in current legislation.


The Future of AI


There’s no escaping AI. It’s everywhere already. There’s no escaping it even if you wanted to.


But what should you be doing about it? The first step is to be aware of this fact, and ask where and how this is being used in your organisation.


Here are some questions your organisation should be asking in relation to AI, to fully evaluate the risk to you and to data subjects that you work with:


  • Where is AI being used in our organisation?

  • Are any of the providers we use, using AI in their products or services?

  • Are we considering developing AI into our current products and services?

  • What are the specific goals we aim to achieve with AI?

  • How do we ensure the data used for AI is accurate, relevant, and unbiased?

  • How do we ensure the quality of data in our AI datasets?

  • What measures are in place to protect data privacy and comply with regulations like GDPR?

  • How transparent are our AI systems in their decision-making processes?

  • What are the potential risks and ethical implications of our AI applications?

  • How do we ensure human oversight and control over AI systems?

  • What is our plan for continuous monitoring and evaluation of AI performance?

  • How do we handle errors or biases detected in AI outputs?

  • What training and resources are available for employees to understand and work with AI?


Ethics and Empathy – What we’re not talking about, but should be.


There is a new Act for you to get to grips with, but there is also a new ISO standard to help you: ISO42001. This is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organisations.


If you’re considering implementing AI, you need to be aware of the Act. You should also be looking at ISO42001.


This is because you should be thinking about Data ethics and Data empathy. These are two concepts that will differentiate organisations in the future. Focusing on AI is relatively easy.


But doing it with ethics and empathy might be a big step for some organisations.

Data Ethics is something which is mentioned in the AI Act on several occasions, and refers to the way that data is used. Although the term Data empathy isn’t expressed directly in the AI Act, the need for a ‘human centric’ approach to AI data is mentioned on several occasions.


Meaning that we need to put people first, when using AI systems.


I believe the terms Data Ethics and Data Empathy will become increasingly used over the years. At least I certainly hope so.


More questions?


If you found this topic of interest and want to know how you can build AI into your services without falling foul of the AI Act, please get in touch. We utilise ISO42001 to help build management systems that are aligned to ISO27001 and other standards. This means they are built with integrity, data protection, ethics and empathy. If this is something you need help with, then please get in touch.
