GDPR is your friend, craft ai is there to make sure of it!
Apr 28, 2018 |
These days, in the European AI ecosystem, the proportion of conversations
revolving around GDPR tends quickly towards 100%. As a matter of fact on the
25th of May the
General Data Protection Regulation will become enforceable in the European
Union. As an AI technology provider it is important that our product is fully
compatible with the regulation and that it enables our customers to simply &
fully follow it. So what is this regulation about and how craft ai makes it
easy to enforce?
Let’s start by stating the, maybe, obvious: craft ai is not in the business
of monetizing data. craft ai processes the data that is sent through its
API to produce predictive models. Only the data needed to compute those models
is kept and craft ai does not claim ownership over it.
By design, craft ai is about learning predictive models at the individual
level, be it a person, a household, a building or, …, a trash bin.
This means data that transit through craft ai is identified as being
related to a single unit, which can be a risk if such data can be used to
directly or indirectly identify the person. However, because craft ai
algorithms are designed to learn individual behaviors, they do not need
demographic data to work.
For example, to continuously learn a predictive model of a given building water
consumption there is no need to know its number of bathrooms, its address, the
socio professional categories of its occupants or even their ages, names or
social security numbers; only data relevant to the water consumption behavior
matters: metering, weather and maybe occupation schedule. This data can be
sensitive and should be treated with care but can’t be used to identify said
building, it can be argued these are not indeed personal data. The only
technical requirement is an identifier that can only be correlated by the API
user to what it identifies. In other words, data sent to craft ai are
Right to data
The most important philosophy behind GDPR is that anyone should be able to
manage their personal data. This translates into three principles: right to
access, right to be forgotten and data portability.
As an API, craft ai was designed to be symmetrical, everything that can be
sent, can be retrieved and deleted. Which means every piece of data you send
can be consulted and deleted if you so desire. Furthermore all the exchanged
data are structured in familiar and simple to understand
json (yes even the
learned predictive models, explainable ai for the win!). These properties
means any API customer can easily offer full control over their data to their
Some other aspects of the regulation are still debated. What are the effects of
the right to be forgotten on
machine learning techniques: do you need to retrain a model without the data of
the individual who’d like it to be erased? Does the regulation enforces a
right of explanation
of automated decision making? In either cases craft ai is ready for it, our
individual level machine learning means that the data of one user can be
destroyed without affecting the others and the key characteristic of our
algorithms is to be explainable.
Using data, but for what?
The last major aspect of GDPR is letting the user opt-in to the usage of its
data. We can’t help on this front at craft ai, however this is much aligned
with our core belief: obtaining the user opt-in is about providing value to
them. It is much easier to ask for, let’s say, the data generated by a Smart
Home if it’s about improving the security, the energy consumption or the
comfort of the occupants. In short, it’s not about the data, it’s about the
service! A production-ready AI solution such as craft ai is key to design
and deliver such service quickly.
GDPR does not have to be a source of anxiety for businesses, at craft ai we’ve
designed our product to help our customers easily enforce it.
- The craft ai API gives complete and direct access to the end-user data, it can be consulted and deleted without any impact on other end-users. Furthermore the data that is collected by craft ai is non-demographic.
- Any end-user data sent to craft ai is pseudonymized, only the API customer that sent it can correlate it to the actual end-user.
Now that this is settled, let’s continue our journey towards the cognitive automation of all processes!