The advent of the GDPR will certainly end the Wild West era of big data, but if organisations are rigorous in following compliance requirements, the development and deployment of artificial intelligence solutions should not be a problem.

Understandably, the GDPR gives rise to questions about collecting review feedback. AI applications are, for example, increasingly deployed to enhance advanced online review systems, providing users with more personalised and rapid access to what most interests them. From hundreds of reviews, consumers rapidly get to the nub of what they want, while businesses can spot trends and analyse results with great speed and precision.

Customers will not need to be asked permission before they can be sent a feedback request, since customer feedback is considered to be market research, which allows a business to contact a customer about a specific sale or service without consent as long as it is directly linked to that transaction. Being open and honest about how an individual’s data will be used is vital in the deployment of AI to provide hyper-personalised services or experiences. Consumers who trust that their data will be used to benefit them are more willing to share personal information.

Businesses relying on customer feedback will nonetheless still have to ensure that their data processors are compliant with GDPR. A reviews provider will need to maintain a record of their processing operation and disclose any breaches.

AI is essential to the future of business after all. According to recent Feefo research, two-thirds of senior IT-decision-makers said that failure to adopt AI will have a catastrophic effect on competitiveness.

Yet despite the new regulation, businesses will still be able to use feedback to improve services and enhance the customer experience.

The real value of AI, especially in the B2C realm, is how it can help create a truly personalised experience for people.  To do that, however, AI implementations generally depend on access to customers and their data.  If not properly implemented, companies may run the risk of exposing potentially sensitive data through a variety of venues.

As we look to the upcoming in-force deadline for the GDPR, it probably isn’t much of a surprise that these regulations will present challenges to companies providing AI products and services. But these challenges are not insurmountable. Successful integration of AI and machine learning are based on two fundamental privacy principals—transparency and the ethically sound use of personal data. Data scientists and AI/ML implementers can avoid complex issues by anonymising or pseudonymising the data — separating personal data from actual AI models in independent tables and indexes. By keeping the PII separate, data subject rights can be realised without affecting the integrity of the model.

It becomes a little more complex in the case of profiling which, in general, is a commonly accepted practice for delivering personalisation in customer experience, but does have limits of what is acceptable. Under GDPR, an individual has the right to not be subject to a decision determined solely on automated decision-based processing, when such a decision could have a legal or an otherwise significant impact on the individual. As a result, using automated profiling for activities such as setting insurance rates or determining credit card eligibility will generally be subject to certain mitigating factors and require a valid exception such as ‘explicit consent’. 

Ultimately, GDPR will affect AI in similar ways to other technologies. It’s important for a vendor to know what data they can use and how they can use it at the outset of any AI project to ensure compliance with GDPR and to gain longstanding.

Whilst the obligations of GDPR fall similarly on most industries that use personally identifiable data, there is a specific impact on AI and machine learning technologies as a result of the legislation coming into effect. In fact, certain applications might find that they face considerable hurdles. The regulation states that individuals ‘shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her’.

So, an AI solution that uses solely automated processing comes under scrutiny, but a solution with meaningful human oversight of the machine’s output is acceptable. There are exceptions that allow automated decision making where they are provided by law, as in the case of fraud prevention or money laundering checks, or where it is necessary for the performance of or for entering into a contract, or of course, in line with the general spirit of GDPR, it is based on the individual’s prior consent.

The situation is relatively clear-cut for the use of AI in marketing for example, as customers will of course be required to grant educated and explicit consent for any data use and profiling by automation. A problem arises when automated decision systems are used to process special categories of personal data, like health. It may be difficult to allow users to withhold consent and still receive any service, for example, in insurance.

To comply with the GDPR businesses who provide AI products, services and applications must bear in mind that under the regulation, individuals must be allowed to secure human intervention or to object to an automated decision made using their data. In complex cases, the logic followed by the machine must be explainable and detailed enough to justify answers to complaints raised by individuals or regulatory bodies.”

The introduction of the GDPR is very specifically targeted towards data privacy, the storage of personal information, and identity data within IT systems. This is an interesting focus, as this convergence of IT systems and personal information is also an area where dramatic accelerations in the field of AI are transforming the IT industry.

In very simple terms, new AI initiatives and capabilities enable the processing of very large data sets in order to achieve conclusions that previously could not be reached either by a computer or human. Although some very large data sets are person-independent—such as processing anonymous large scale medical data, or machine telemetry across monitoring tools—many of the applications coming from AI innovations are directly relevant to individual identity data.

The interesting thing is that the GDPR at its most basic level requires all individual user-identifiable data to be accountable for and removable on request, known as the ‘right to be forgotten’. Any names, email addresses, phone numbers, or other personal data, must be known within an organisation, and removable on request.

For some AI networks this will not be a problem, as some AI will help us reach conclusions on non-individual data, including patterns and trends. As long as this analysis does not hold individual account names and other identifiable data, this is not a GDPR issue.

But, if that data either holds individual details, or can be re-identified to a specific individual, then the GDPR is applicable. Any interaction with Alexa, Siri, and even Google search results that are recorded from ‘John Smith’ need to track and remove all existence of John. Any AI conclusions that says John is likely to enjoy this movie, or that food, needs to track every recommendation along with every advert and must be able to remove any record of John from that data.

So, regardless of the GDPR, if AI is analysing anonymous data then this is fine. Where any AI work is applied to individual, non-anonymous data, a whole new layer of data security best practice and complexity is legally required. But that’s not a bad thing—that’s the point of GDPR. It brings the reassurance that our personal data is not being abused and misused. This process still isn’t perfect, but it is better than no regulation at all.

Mind you, the complexity of finding and extracting personal data from AI data lakes and cloud parallel processing algorithms is so complicated that there may now be a good need for an AI-centric GDPR system that can monitor AI and check that it is in line with the regulation.

High-quality customer data is the fuel that will enable AI features to deliver the next generation of experiences. Brands that aspire to differentiate in this way must build trust with customers, and provide frictionless ways for them to give (and remove) consent.

If this can be achieved, the data collected can be used to create highly tailored, and contextual experiences. These ‘new nudges’ will initially enhance recommendation engines before being used to craft fully rounded creative ideas that affect behaviour change.

Ensuring compliance with GDPR will catalyse many companies to use AI. Businesses are under huge pressure to maintain data across multiple disjointed IT systems. They are required to support customers who wish to exercise their right to withdrawal of consent, and the right to be forgotten. Many businesses simply won’t have the human resources to ensure the successful management of consent and compliance.

Robotic process automation (RPA) and intelligent AI systems have the potential to remove much of this headache. Compared to resource-intensive manual processing, systems of this nature are highly efficient and cost effective. And because they have access to customer data, they will be well placed to support the front end applications using this data to enhance customer experiences.

I don't think the GDPR is going to have a massive impact on this at all. I think everybody's got very focused on keeping personal data and using personal data, but I think what will become clear as the GDPR comes into force is that really it is coveting the use of data for marketing; the GDPR is fundamentally an anti-marketing initiative.

So yes, it covers the whole spectrum of data and yes it changes some of the parameters around holding data, but fundamentally if you are using personal data to deliver a service to your customers then the GDPR doesn't change anything at all.

When you look at where AI is being used it’s bang in that scope. Amazon, a big user of AI, gives customers a completely individualised homepage and every product that you're shown, every recommendation - all of that is done by AI.

That's not marketing, because you've gone to Amazon because you want to buy stuff and they're improving your experience of the sales journey. They're not using it to send you emails, they're not using it to push for services that you haven't asked for. If you want them to stop processing your data it's dead simple: close your Amazon account.

The only area where the GDPR adds something to the current legislation is the right to opt out of automated decision making, one of the fundamental GDPR rights. Some people interpret it as the right to object to any kind of automated decision making, such as the right to say to Amazon I don't want automated product recommendations.

However, if you read the regulations that is not actually true. You only have the right to object to automated decision making where the decision has a serious and fundamental impact, such as mortgage and insurance decisions. The GDPR isn't saying that your data can't be used for that because data has been used in those decisions for years. However, if a company makes a fully automated decision about whether you're going to get a mortgage or insurance policy, you have the right to ask. If you disagree with the decision you have the right to ask for a human to review that decision. That's fundamentally what GDPR says on AI.  

There are a wide range of products and services out there that use machine learning to help cluster or identify behaviours.

Whilst GDPR extends the definition of personal data and can potentially include things like IP addresses, machine learning and AI marketing technology is rarely interested in identifying people individually.

In most cases, the aim of this technology is to identify behaviours or market segments to create and target more relevant advertisements or content to consumers.

As long as businesses are clear in describing how they are using people’s data, and are getting the necessary consent to do so, AI and machine learning will be widely used in marketing and continue to transform the space.

Other technologies such as blockchain also offer businesses the opportunity to create transparent systems, which give consumers confidence about how their data is being used. In the future we will definitely see more businesses using technology like blockchain as they look to build trust with these transparent approaches.

As long as there’s a value exchange between business and consumers and evidence that businesses are handling personal data with care, consumers will continue to be happy with their data being used to offer them bespoke marketing content.