Conformity assessments 

Of these risk levels, high-risk systems will pose the highest compliance burden on organizations, as they’ll have to continue to meet obligations for conformity assessments. Conformity assessments (CA) require companies to ensure that their “high-risk” systems meet the following: 

• The quality of data sets used to train, validate and test the AI systems; the data sets must be “relevant, representative, free of errors and complete.”
   
• Detailed technical documentation.
  
  
• Record-keeping in the form of automatic recording of events.
  
  
• Transparency and the provision of information to users.
  
  
• Human oversight.

This assessment is mandatory before a high-risk AI system is made available or used in the EU market. It ensures that AI systems comply with EU standards, particularly if there are significant modifications or changes in intended use. The main responsible party for CA is the “provider” –the entity putting the system on the market. However, under certain circumstances, the responsibility can shift to the manufacturer, distributor, or importer, especially when they modify the system or its purpose. 
 

Who performs a CA? 

The CA can be done internally or by an external “notified body.” Internal CAs are common as providers are expected to have the necessary expertise. Notified bodies come into play particularly when an AI system is used for sensitive applications like real-time biometric identification and does not adhere to pre-defined standards. 

During an internal CA, the provider checks compliance with quality management standards, assesses technical documentation, and ensures the AI system's design and monitoring are consistent with requirements. Success results in an EU declaration of conformity and a CE marking, signaling compliance, which must be kept for ten years and provided to national authorities if requested. 

For third-party CAs, notified bodies review the system and its documentation. If compliant, they issue a certificate; otherwise, they require the provider to take corrective action. 
 

How often should you perform a CA? 

Conformity assessment isn't a one-off process; providers must continually monitor their AI systems post-market to ensure they remain compliant with the evolving draft EU AI Act. In cases where a notified body is involved, they will conduct regular audits to verify adherence to the quality management system. 
 

Engaging all players in the AI game 

The EU AI Act is not just handing out responsibilities to AI providers; it’s casting its net wider to include various actors in the AI lifecycle, from users to deployers. And its reach is not just limited to the EU; it has global ambitions, affecting entities even outside the EU, thus having implications that are worldwide. 
 

Fines: A significant deterrent 

With the European Commission defining law enforcement penalties for the EU AI Act, the fines for non-compliance now stand at a maximum of 30 million euros or 6% of global turnover. For context, these fines are 50% greater than that of the GDPR, which has maximum fines of $20M or 4% of global turnover, underlining the EU’s commitment to ensuring strict adherence to the EU AI Act. 
 

Charting the course towards regulated AI 

The EU AI Act is a bold statement by the EU, meticulously balancing the act of fostering AI innovation while ensuring that the core values and rights of society are not compromised. With the Act inching closer to its final stages of approval, it’s crucial for everyone in the AI space to keep an eye on its development.  

Whether you’re a provider, user, or someone involved in the deployment of AI, preparing for a future where AI is not just a technological marvel but also a subject of defined legal boundaries and responsibilities is imperative. This introduction offers a glimpse into the EU AI Act’s journey and potential impact, setting the stage for the deeper analysis that unfolds in the subsequent sections. So, buckle up and let’s dive deeper into understanding the nuances and implications of the EU AI Act together. 
 

AI frameworks: A global perspective 

A landscape in flux: The global heat map of AI frameworks 

The global AI framework landscape underscores the imperative need for more cohesive international rules and standards pertaining to AI. The proliferation of AI frameworks is undeniable, calling for enhanced international collaboration to at least align on crucial aspects, such as arriving at a universally accepted definition of AI. 
 

AI ethics policy: A critical element 

The establishment of AI Ethics Policies, informed by ethical impact assessments, is essential in navigating challenges and making informed, ethical decisions regarding AI use. For example, instead of outright blocking certain AI applications, ethical impact assessments can guide organizations in implementing nuanced, responsible use policies, especially for sensitive data. Ethical considerations should inform every step of AI application, from inception and development to deployment and monitoring. 
 

Inclusive AI governance: A size-agnostic imperative 

Importantly, AI governance is not an exclusive domain of large corporations with extensive resources. With AI use cases proliferating across various sectors, companies of all sizes will inevitably engage with AI, necessitating AI governance frameworks tailored to their specific needs and capacities. 

A few universal principles apply regardless of the company’s size. First, securing executive buy-in and adopting a multidisciplinary approach is imperative for successful AI governance implementation.  

Second, organizations should commence with high-level principles as a starting point, even if they are small or merely purchasing ready-made AI models. Training and upskilling employees across various functions, including procurement and technology, is also vital to understand and mitigate the risks associated with AI tools and applications. 
 

Embedding core governance principles 

Six core governance principles need to be embedded into AI governance programs: 

1. Governance and Accountability: Establishing a structure for accountability, possibly through AI oversight committees or ethics review boards, is essential. Governance should be enforced throughout AI’s lifecycle, from inception to operation.
   
   
2. Human Oversight: Adopting a human-centric approach, with trained human reviewers at various stages, is crucial for ethical AI application. 
   
   
3. Fairness and Ethics Alignment: AI outputs should align with fairness and ethical standards, reflecting an organization’s culture and values. 
   
   
4. Data Management: Implementing robust data management processes, tracking modifications to datasets and mapping data sources, is key for reliable AI systems. 
   
   
5. Transparency Enhancement: Ensuring that AI decision-making processes are transparent and understandable is necessary for building trust and compliance. 
   
   
6. Privacy and Cybersecurity: Addressing legal data processing requirements, conducting privacy impact assessments, and mitigating AI-specific cyber risks are imperative for secure and compliant AI applications. 

Given the pace at which AI is evolving and its profound implications, organizations must proactively develop and implement AI governance programs. By adopting a set of core governance principles and practices, organizations can navigate the AI landscape responsibly, ethically, and effectively. These principles, informed by ethical considerations, legal compliance, and a commitment to transparency and accountability, will guide organizations in harnessing AI’s benefits while mitigating its risks, ultimately fostering trust and success in the AI-driven future. 
 

Value-driven AI governance 

As organizations delve deeper into the realm of AI, developing and implementing AI governance programs aligned with their values is paramount. These governance frameworks should not only ensure compliance with legal standards but also reflect the ethical commitments and values of the organizations.  

Whether it's about making tough trade-offs between transparency and security or deciding on the ethical use of data, a values-driven approach to AI governance provides a reliable compass guiding organizations through the intricate landscape of AI applications and ethics. 
 

Final thoughts and tips on AI governance 

AI, GDPR, and data privacy 

When considering the interaction between AI, the draft of the EU AI Act, and GDPR, it’s crucial to acknowledge existing guidance on utilizing AI in line with GDPR. Noteworthy resources include the toolkit provided by the UK’s Information Commissioner's Office (ICO) and the comprehensive guidance and self-assessment guide offered by France's CNIL. These tools offer valuable controls and checklists, assisting organizations in ensuring compliance of their AI use with GDPR requirements. 

A starting point for aligning data usage within AI frameworks with GDPR principles is to conduct diligent Data Protection Impact Assessments (DPIAs) to ensure that all these processes remain compliant.  

AI governance start point: Privacy professionals are well-positioned to serve as orchestrators, bringing together various functions and skill sets within organizations to address AI governance comprehensively. This collaborative approach not only ensures compliance but also functions as a business enabler, fostering a proactive and informed approach to emerging challenges and opportunities in the AI landscape. 

Keep calm and AI: Embrace technological developments with a sense of calm and curiosity. Engaging with the fast-paced and continually evolving field of AI requires a willingness to learn and adapt, acknowledging that understanding and addressing the risks and potentials of AI is a journey rather than a destination. 

Evolution of Professional Roles: With the continuous changes in technology and data processing, the roles of data protection officers are evolving, potentially transitioning towards “data trust officers”. It’s imperative for professionals in the field to be open to assuming new roles and responsibilities as the technology and regulatory landscape transforms.