Compliance and Governance

Adhere to relevant regulatory governance and technical standards compliance

  • List legal compliance with territory-specific regulation of relevant data/privacy (e.g. GDPR).

    • Consolidated compliance documentation shared across teams (e.g. legal, devs, marketing)

  • Identify multi-territorial legal compliance (when applicable).

    • Data retention across jurisdictions

    • User profiling and user-data access

    • Content moderation (when applicable) for jurisdictions with enhanced legal compliance requirements (e.g. Germany)

  • Select the standards and compliance monitoring to be used

    • Document decisions behind the selection of technical standards

    • Circulate normative conditions for compliance with selected technical standards

This may also include ensuring that compliance specifications are met by your third-party suppliers and vendors, as well as by your downstream customers.

  1. For regulators / policy makers 

    1. Rights Based Compliance 

      1. Do your civic tech tenders have established algorithmic governance norms built into the contract?

      2. Do your vendors adhere to documented rights-based assessments?

      3. Further Reading

        1. Mandating Human Rights Impacts Assessments in the AI Act (EU)

          1. Data & Society; and the European Center for Not-for-Profit Law. 2021

    2. Resource availability

      1. Regulators can create easy-to-use resources for various application domains. For instance, what laws apply to emotion recognition and detection algorithms? This might include data retention laws, consent statutes, protections on cameras and/or sensors in public spaces, etc.

        1. PDF-format fact sheets should include a URL that directs to the latest version of the legal resources, so that devs and standards authors can always access the current version of the document.

      2. Information commissioners

      3. Data commissioners 

      4. Court rulings

      5. Sample resources

        1. Background resource on the UK's Data Protection Act: https://www.gov.uk/data-protection

    3. Compliance, documentation & enforcement

      1. Project authorization for publicly tendered projects

        1. Documentation 

          1. Formal intake mechanisms for SBOM approval for AI applications

          2. Public repositories of approved SBOMs for AI applications

        2. Compliance

          1. Adherence to legal safeguards

          2. Incident response 

          3. Access management 

          4. Data privacy 

          5. Operational security

        3. Enforcement 

          1. Delegated parties to oversee documentation and compliance

          2. Proper training and tooling for parties responsible for enforcement 

    4. Fit for purpose ADM

      1. Further reading:

        1. "The Dutch Tax Authority Was Felled by AI—What Comes Next? European regulation hopes to rein in ill-behaving algorithms", Rahul Rao, May 2022, IEEE Spectrum

    5. Risk Mapping

      1. Industry engagement to inform real-world threat assessments 

      2. Documented threat vectors

      3. Elaborating on vulnerability and penetration testing best practices

    6. Whitelist of recommended standards

  2. Further reading:

    1. UK Information Commissioner's Office: AI and data protection risk toolkit