Blog: Risk
Posted: 27 Jul. 2023 5 min. read

Navigating the EU AI Act: a guide for Chief Data Officers

Aravind Prakash Oscar Lowe

The European Union (EU) Artificial Intelligence (AI) Act is the first legislation in the world that will have an extraterritorial impact on AI providers and users in non-EU jurisdictions, if their AI systems affect individuals in the EU. It uses a risk-based approach and classifies AI systems as either prohibited, high-risk, or low-risk based on their potential for impacts to society and individuals’ health, safety, or fundamental rights.

The EU AI legislation is currently under negotiation, and the proposal of the EU AI Act will become law once both the Council (representing the 27 EU Member States) and the European Parliament agree on a common version of the text, which is expected to be finalised this year, and could come to action in Q1 2024.

This act could become a global standard (if not a regulation outside the EU), similar to the EU's General Data Protection Regulation (GDPR).

The act calls out high data quality as being essential for the safe performance of many AI systems, and highlights that achieving high quality data requires the implementation of appropriate data governance and management practices.

Data governance and management has been at the forefront of Chief Data Officer (CDO) activities for the last decade, as organisations have matured their data related capabilities. This is often in response to regulatory drivers, for example, BCBS239 PERDARR (Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Risk Reporting), GDPR, etc. We envisage the EU AI Act will have a substantial impact on how organisations create, manage, control, and maintain their data related to AI systems.

What does the EU AI Act specify with regards to data governance and management?

The act states that training, validation, and testing data sets for high-risk AI systems shall be subject to appropriate data governance and management practices, which cover:

  • Data collection and data preparation processing operations (annotation, labelling, cleaning, enrichment, and aggregation)
  • Metadata (assumptions, interpretations, and definitions)
  • Data quality assessment, including possible biases, and addressing data issues

In addition, it states that the technical documentation of a high-risk AI system shall include:

  • The data requirements (nature, limitations, etc.)
  • Training data sets used and their provenance, scope, and main characteristics
  • Data cleaning methodologies (e.g., outlier detection)

How do the Act’s data governance and management requirements impact across typical CDO capabilities?

The data governance and management requirements outlined in the Act impact across a broad set of capabilities that typically fall under the remit of the CDO.

Table: EU AI Act’s impact across common CDO capabilities

How should CDOs prepare?

As we approach the finalisation of the Act, CDOs should conduct a current state assessment of the various CDO capabilities and frameworks to gauge the organisation’s ability to comply with the asks of the EU AI Act.

This is something we can support with. Our experts have devised a high-level questionnaire that can help you understand your organisation’s readiness for the EU AI Act. We offer an initial assessment, where we will measure your organisation’s maturity across data strategy, governance frameworks, infrastructure, and processes. From here, we can work with you to identify data constructs that require an uplift to ensure you are compliant when the EU AI Act comes into regulation. Get in touch with our contacts below to organise your assessment.

Related articles:

May’23: EU AI Act adopted by the Parliament: What's the impact for financial institutions? | Deloitte Luxembourg | News

May’23: Regulating AI: can the UK’s proposed approach achieve both flexibility and clarity?, Valeria Gallo, Suchitra Nair, Joanna Conway, Nick Seeber, Aurora Pack, Lewis Keating (deloitte.com)

May’23: Webinar: A New Era for AI Regulation | Deloitte UK

Jan’23: Key developments proposed for the EU AI Act as it moves to latter stages | Deloitte UK

Apr’22: Understanding the proposed EU AI Act | Deloitte UK

May’21: The new EU AI Act | What do financial services firms need to know?, Valeria Gallo (deloitte.com)

May’21: https://www2.deloitte.com/content/dam/Deloitte/de/Documents/Innovation/Deloitte-TAI-DE-Artificial-Intelligence-Act.pdf

Mar’21: How to spot unintended biases in machine learning, Michelle Lee (deloitte.com)

Key Contacts

Aravind Prakash

Aravind Prakash

Senior Manager
+44 (0)77 9591 0529

Aravind is a Senior Manager in the Risk Analytics Information Management team and a CDO strategy and proposition lead for the practice. Specialising in the delivery of data transformation initiatives, he has 18 years’ experience working with data and risk in the financial services sector across the UK, USA, and India. He supports clients realise business outcomes through the creation and uplift of data strategy, data management, data risk and control, regulatory data remediation and data analytics.

Read full bio
Oscar Lowe

Oscar Lowe

Director
+44 (0)20 7303 0506

Oscar helps financial services organisations build trust in data and respond to evolving regulation through modernising data management.

Read full bio
James Hodge

James Hodge

Associate Director
07785 608019

James is a Media and Entertainment industry and Analytics SME, specialising in design and delivery of analytics solutions and process automation, with additional experience in telecommunications, technology, public sector and consumer goods. He works with data to inform operational and strategic decision making relating to consumers/customers/audiences, products, networks, workforce and risk.

Read full bio