¿Por qué es relevante llevar a cabo evaluaciones Evaluación de Impacto a la Privacidad (PIA por su siglas en inglés) en Sistemas de IA Generativa o Conversacional?

The implementation of generative or conversational artificial intelligence systems poses unique privacy challenges. These systems, by interacting with users and processing large amounts of data, can collect sensitive personal information and generate privacy risks. Therefore, conducting a Privacy Impact Assessment (PIA) beforehand is crucial to identify potential risks associated with personal data processing and ensure regulatory compliance and protection of individual rights.

A PIA strengthens user trust because it reflects that the generative AI system adopts an approach to comply with its legal obligations, which becomes more relevant due to the large amount of data processed and the possibility of privacy impact.

Aspects to consider in a PIA for generative or conversational AI systems:

Data collection and use:

Personal data: Identify input data, i.e., what personal data is collected (name, address, search history, etc.), how it's used, and what data will be generated.
Sensitive data: Evaluate if sensitive data is collected (biometric data, political opinions, health, etc.) and justify its necessity.
Consent: Verify if informed consent is obtained from users for data processing.
Purpose: Ensure that the purpose of data processing is legitimate and clearly communicated to users.
Proportionality: Evaluate if data collection and processing is truly necessary to fulfill the purpose.
Minimization: Use only strictly necessary data to achieve objectives.
Adequate safeguards: Analyze if it's possible to anonymize or pseudonymize data to protect fundamental rights and freedoms.

Algorithms and models

Transparency: Understand and evaluate algorithm structure to know how they are built and function, to identify possible biases and how to mitigate them.
Explainability: Determine a system's ability to explain clearly and comprehensibly how a result is reached.
Fairness: Ensure algorithms don't discriminate against certain groups of people.

Storage and security:

Security measures: Evaluate technical and organizational measures implemented to protect personal data from unauthorized access, loss, alteration, or destruction.
Data retention: Establish clear policies on data retention periods and secure deletion procedures.

Data transfers:

International transfers: If data is transferred to third countries, ensure legal requirements are met and individual rights are guaranteed.

Data subject rights:

Access: Guarantee users' right to access their personal data and obtain a copy.
Rectification: Allow users to request correction of inaccurate or incomplete data.
Erasure: Facilitate users' right to request data deletion.
Opposition: Respect users' right to oppose data processing.
Portability: Guarantee data subjects' ability to obtain and reuse their personal data, allowing them to move, copy, or transfer data from one environment to another securely.

Third-party collaboration:

Data processing contracts: Establish clear contracts with service providers processing personal data on behalf of the organization.
Subcontracting: Ensure subcontractors comply with the same data protection standards.

PIA Stages:

Planning: Define assessment scope and assign responsibilities.
Information gathering: Collect information about the AI system, data used, and processes involved.
Risk identification: Identify privacy risks associated with the system.
Risk assessment: Evaluate probability and impact of each risk.
Mitigation measures: Design and implement measures to mitigate identified risks.
Documentation: Document assessment results and adopted measures.
Monitoring and review: Continuously monitor security measures' effectiveness and update PIA as needed.

Useful tools:
Various tools and methodologies exist for conducting a PIA, such as guides and templates provided by regulators, as well as specialized software. When selecting a tool, it's important to consider the organization's size and complexity, as well as the type of AI system being evaluated.

In summary, a PIA is an essential tool to ensure generative and conversational AI systems are developed and used responsibly and ethically, protecting individual rights.

This publication was prepared considering the Mexican regulatory framework.