Checklist: business understanding

☐ The controllers have assessed the amount of data that will be needed to develop the AI solution and the nature of that data, and ensured that they are consistent with the minimization principle.

☐ The controllers have fixed acceptable thresholds or ranges of false positives/negatives, depending on the use case, and have then performed a utility balance.

☐ The controllers have adequately balanced the level of accuracy needed and the range of personal data required to reach it.

☐ The controllers have provided for the development of more understandable algorithms over less understandable ones whenever possible.

☐ The controllers have ensured an optimal training for all subjects involved in the project or an adequate internal or external assessment on ethical and legal issues.

☐ The controllers have carefully designed the tools that will legitimate data processing. To this purpose, they have checked if the intervention of an ethics committee is needed or whether any kind of soft regulation is applicable.

☐ The controllers have adopted a risk-based approach (including technical and organizational security measures) that minimizes the risks to data subjects’ rights, interests, and freedoms.

☐ The controllers have implemented tools and policies aimed at assessing and evaluating the effectiveness of technical and organizational measures regularly.

☐ The controllers have considered whether the regulatory framework regarding scientific research applies.

☐ The storage policies keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

☐ The controllers have considered the appointment of a DPO.

Checklist: data understanding

☐ The controllers have implemented appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed.

☐ The controllers have introduced policies that minimize the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Such measures ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

☐ The controllers do not collect unnecessary data. If data is already stored, they have taken actions aimed at deleting unnecessary data elements.

☐ The controllers have limited the resolution of the data to what is minimally necessary for the purposes pursued by the processing.

☐ The controllers have selected the legal basis that most closely reflects the true nature of their relationship with the individual and the purpose of the processing.

☐ The controllers have carefully analyzed whether processing involves de-anonymizing anonymized data and creating new personal information that was not contained in the original data set, and have taken adequate measures to face these challenges.

☐ The controllers have made sure that merging datasets does not create ethical or legal issues regarding data subjects’ rights and freedoms.

Checklist: data preparation

☐ The controllers have ensured that data are accurate, that is, correct and up to date.

☐ If profiling or automated decision-making is foreseen:

☐ The controllers have sent individuals a link to their privacy statement when they have obtained their personal data indirectly.

☐ The controllers have explained how people can access details of the information that they used to create their profile.

☐ The controllers have communicated to the data subjects who provide them with their personal data how they can object to profiling.

☐ The controllers have introduced procedures for customers to access the personal data input into their profiles, so they can review and edit for any accuracy issues.

☐ The controllers have put additional checks in place for their profiling/automated decision-making systems to protect any vulnerable groups (including children).

☐ The controllers have ensured that they only collect the minimum amount of data needed and have a clear retention policy for the profiles that they create.

☐ The controllers have carried out a DPIA to consider and address the risks when they start any new automated decision-making or profiling.

☐ The controllers have involved the corresponding DPO in these activities.

☐ The controllers have considered, from the design phase, the system requirements necessary to support a meaningful human review, particularly the interpretability requirements and effective user-interface design needed to support human reviews and interventions.

☐ The controllers have designed and delivered appropriate training and support for human reviewers.

☐ The controllers have given the staff involved in the processing the appropriate authority, incentives and support to address or escalate individuals’ concerns and, if necessary, override the AI system’s decision.

☐ The controllers have ensured that the teams in charge of selecting the data to be integrated in the datasets are composed of people that ensure the diversity that the AI development is expected to show.

☐ The controllers have ensured that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimized.

☐ The controllers have implemented tools aimed at preventing discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect.

Checklist: modeling (training)

☐ The controllers have determined the purpose of the AI system’s use at the outset of its training or deployment, and performed a re-assessment of this determination if the system’s processing threw up unexpected results.

☐ The controllers have purged the data used during the training phase of all information not strictly necessary for training of the model.

☐ The controllers have considered implementing technical tools that might serve well to detect biases, such as the Algorithmic Impact Assessment.

☐ The controllers have considered conducting a DPIA at this stage.

☐ The controllers have ensured that they are able to respond to data subjects’ requests for access, unless exceptions to the right to access apply.

☐ The controllers can guarantee the right of rectification of the data, especially those generated by the inferences and profiles drawn up by the AI development.

☐ The controllers are able to respond to requests for erasure, unless a relevant exemption applies and provided the data subject has appropriate grounds.

Checklist: evaluation (validation)

☐ The controllers have made sure that validation accurately reflects the conditions in which the algorithm has been validated.

☐ The controllers have informed data subjects about additional processing at this stage.

☐ The controllers have ensured the removal of the dataset used for validation purposes, unless there is a lawful need to maintain it for the purpose of refining or evaluating the system, or for other purposes compatible with those for which it was collected.

☐ The controllers have considered conducting a DPIA at this stage.

☐ If the data subjects request the deletion of their data, the controllers have adopted a case-by-case approach, taking into account any limitations to this right provided by the Regulation.

☐ The controllers have considered an audit of the system by an independent third party.

Checklist: deployment

☐ The controllers have deleted all unnecessary personal data or, on the contrary, justified the impossibility of doing so.

☐ The controllers have informed data subjects about additional processing at this stage.

☐ The controllers have determined the adequate legal basis for carrying out the communication of personal data to third parties, especially if special categories of data are involved.

☐ The controllers have considered conducting a DPIA.

☐ The controllers have made sure that the algorithm does not include personal data in a hidden way (or taken necessary measures if this is unavoidable).

☐ The AI developers have implemented tools aimed at communicating the results of the validation and monitoring system employed and offered their collaboration to continue

☐ The AI developers have committed to offering real-time information to the end users about the values of accuracy and/or quality of the inferred information at each stage.

