From a privacy and data protection perspective, GANs (Generative Adversarial Networks) can be quite a blessing. Unfortunately, as suggested already in my previous post, this popular model for machine learning (ML) can just as easily turn into a curse. Here then are four important steps to take in order to work towards GDPR and data protection compliance when using GANs.
If not deployed in a correct and compliant manner, GANs can seriously harm individual rights, notably in the field of privacy and data protection. To avoid running that risk, I recommend taking the following four steps on your road to GDPR and data protection compliance:
Step 1: Identify the applicable legislation
If your business uses or plans to use GANs, the first step towards ensuring legal compliance is to identify the applicable legal framework. Since there is currently no legislation targeting GANs in particular, we have to rely on the closest existing legal instruments. In principle, these are the Charter of Fundamental Rights of the European Union and the General Data Protection Regulation (GDPR).
Step 2: Apply the GDPR
The next step towards compliance with data protection law is to establish whether or not the GDPR applies at all. In principle, the GDPR does not apply to synthetic data (the end result of GANs), nor to images of non-existent people. However, it most likely does apply:
when collecting the real data of real people (their image, health data, voice data, etc.) and using it to train or develop the model, or to generate synthetic data;
whenever the re-identification of a natural person is possible. Note that GANs can memorise and reproduce individual training samples, so synthetic output is not automatically anonymous: it has to be checked for re-identification risk before it is treated as falling outside the GDPR.
Step 3: Categorise the data
If we conclude that the GDPR is applicable, the next step is to perform data categorisation. What does this mean? It means identifying all the data types that are processed, such as biometric data (facial image, voice), health data, etc. It is also important to identify who the data subjects are and whether these include vulnerable subjects, such as children. As an example, apps such as Bitmoji or FaceApp can easily be used by children without any age restriction or control. Data categorisation and data subject identification are important in order to accurately identify the applicable requirements, since special categories of data have additional requirements under the GDPR, as does the processing of children’s data, for instance.
Step 4: Ensure compliance
As a last step towards compliance, you need to implement the appropriate measures in order to meet the following GDPR requirements:
Each processing activity has to have a legal basis, such as the consent of the data subject (for special categories of data such as biometric data, this means explicit consent or another exception provided for in the GDPR).
The principles of the GDPR have to be respected.
A Data Protection Impact Assessment (DPIA) needs to be conducted, because the processing of personal data in the context of GANs may pose a high risk to the rights and freedoms of data subjects, since:
the processing involves biometric data;
GANs are a new technology;
the processing may concern vulnerable subjects, such as children;
in some cases, the processing may imply combining or matching different datasets.
I realise this four-step approach may come across as intimidating at first. Conducting a DPIA in particular is not an easy task. But don’t let that stop you from deploying this technology full of potential.
We can help!
Our experts can help you leverage that potential while ensuring that your GANs deployment is compliant with all the legal requirements. Thanks to our experience in conducting DPIAs for a wide range of clients, we can support a responsible and lawful digital transformation. We can also help you accurately identify the risks that this new technology might pose, both for your business and for your data subjects, by conducting a risk analysis in this regard.
Has the potential of GANs made you curious, but you don’t have a clue where to even start with such a project? Don’t worry: we have got you covered, since on top of all our legal expertise we can also help you out with the technical solution. All you have to do is contact us!