Data is typically needed to train and fine-tune modern artificial intelligence models. AI can use data – including personal information – in order to recognize patterns and predict results.
Companies that utilize personal information to train an AI may either be acting as a controller or a processor depending on the degree of discretion they exercise in deciding how the AI will function, the type of personal information that will be used to train the AI, how the AI will be allowed to process the training data, and the conditions by which the AI will be allowed to retain or share the training data.
Whether a company is a controller or a processor, the GDPR requires the company to create a record of processing activities. The record of processing activities can take many forms, and many companies choose to satisfy the requirement through a data inventory (i.e., a list of all the systems that collect and process personal information). What must be included in that record of processing activities or data inventory differs, however, based upon the company’s controller or processor designation. The following summarizes the information that must be included depending on whether the company is a controller or a processor.