Data Privacy and AI: G7 Hiroshima AI Process (HAIP) Transparency Report

Organization identify and differentiate the risks of AI systems based on the risk classification pursuant EU-AI-Act. The first step is to find out if the AI Systems provide a forbidden practice while using and interaction with us humans. Second step is to identify if it´s a high-risk AI system pursuant Art. 6 EU-AI-Act. If no, then identify if its an AI system with or without a systemic risk pursuant Art. 50 EU-AI-Act. Based on this results derivate the regulatory requirements the AI-System has to follow and to fulfill. Additional to this we have to identify the possible user group of the AI-System and to find out specific risks we have to handle and to mitigate with this group, especially if its a vulnerable user group. In this context we have to check, the way of access to the AI-System. The other risks are from the use case, the purpose, physical product in which the AI-System will work, possible interactions with other AI systems and the area of operation, e.g. autonomous driving, health case. Finally we have to check, what will happen, when the AI-System doesn´t work, when data processings are interrupted or the automated decision making make mistakes - what would be the consequences for provider, deployer and user groups. Based on this results we can create a risk register including probability, risk score and extent of damage.

We are using technical tools to identify and evaluate risks.

My organization is a consulting company to guide through EU-AI-Act, ISO/IEC42001 and additional norms and standards from ISO/IEC, IEEE etc. For testing we refer to tools like "Orthrus" from AI & Partners.

Yes

At the moment only if a data breach pursuant GDPR is happened. Currently we are in the beginning with the understanding of EU-AI-Act and how we can implement it. For future it would be great opportunity to help other organizations with incident reporting and to offer programs how responsible can solve problems and mitigate risks of their AI-Systems.

Yes, we are in the Network of Governance Experts from AI & Partners, IEEE.org. A global risk register would be helpful in the future to share experiences of AI Systems and their risks and tools/workflows to mitigate the risks.

Using of this standards, e.g. IEEE 7000-2021, ISO/IEC42001, ISO/IEC5259-1, NIST 2.0 Cybersecurity Framework

Particular, I recommend to my clients to install an ethic-board or an expert of AI-Ethics/AI-Risks in other advisory boards or steering committees and to create a risk register to have an overwiew about the mitigation status.

Creating of policy for risk management in context with AI based on HLC of ISO/IEC42001 and additional Norm ISO/IEC23894:2023 AI Guidance on risk management, Implementing a protection level concept including a threshold to trigger an approval procedure, if the risk level is to high. Implementing real-time-monitoring features as part of post-marked monitoring, Implementing Iteration to review and mitigate the risks asap.

I recommend to my clients to implement an internal auditing procedure (audit management) as a part of internal control system. Additional to record all AI-Assets in a digital inventory to know about AI-Tools an their risks. For Developers I recommend to have a procedure in the design and training process to eliminate forbidden practice during design process (supported by IEEE7000-2021). For purchasing departments I recommend to ask for information, if companies are purchasing AI as a Service - additional in the process of AI-Purchaising an check to eliminate forbidden practice is needed. Finally I recommend to implement ISO/IEC42001 - AI-Managementsystem to handle risks along whole AI-Lifecycle.

Testing is supported by technical tools they can address the risks and give developer some recommendations to mitigate the risks and to improve development.

not applicable, I´m not a developer. In general Testing should take place in the end of training procedures and when AI-System is leaving the test environment it needs a second test in real time environment with feedback loops.

I recommend to my clients to define the needed quality of data for corpora. Additional I recommend to have a clear process for training data including legal basis pursuant GDPR and fulfillment of all human rights. Furthermore it should be clear who will interact in real life with this AI. Based on this findings the set up for the corpora could be selected.

It´s part of "process for training data". In this procedure is to check, if intellectual property including copy-rights are fulfilled.

It does exist "terms of use" for AI-Systems. Data Privacy Teams has to check AI-Tools in view of data privacy topics before AI-Tools are in use.

I recommend to my clients to use ISO/IEC27001 ff. as standard and additional to implement an internal process to check the cyber security risk and to review them in a periodical routine.

I recommend to my clients to install a reporting point including reporting procedure. Part of this should be a workflow to analyze vulnerabilities, incidents and risks including solving procedure and due date.

I´m not a developer of AI, but in my recommendations I suggest the approach of information and to install an information procedure to all stakeholders along the whole AI-Life-Cycle. That points are good point to integrate it in the information procedure as minimum standard.

website, social media, newsletter of information

yes

yes, additional it´s part of the advice to other organizations to provide information about sources of data used for training, it´s part of ISO/IEC42001 we are use as basis

yes,

It´s embedded in Managementsystems for AI based on ISO/IEC42001, Risk Management is mandatory part of ISO/IEC42001 and requirement of EU-AI-Act. The updating follows the common routine for Management Systems, in circumstances of new recognitions and risk with impact a shorter up-date is needed, then it´s to do following of standardized review and approval procedure.

Yes, we created a webinar to understand the content and the need of the policies for governance and risk management. ISO/IEC42001 requires the understanding of the policies.

internal risk management communication

in progress, should adapted into other incident response procedures as we know from data privacy or security incidents.

I recommend to my clients to inform via website or an instruction guideline, as well as we have to publish based on EU-AI Act in accessible way.

not at the moment, no infrastructure to do this inside the country

I recommend to my clients to share it via website, social media or newsletter, speeches ...

Yes, I recommend to my clients to use ISO/IEC Standards, as 42001 and 42005, NIST-Framework or additional standards from IEEE, ETSI, CEN...

I´m not a developer, but I advice to my clients to publish Dataprotection Notice pursuant GDPR on website and AI-System should be a kind of label, that´s clear for the users that they are interacting with an AI-Tool or got a response message from AI-Assistant.

no, not yet. How can we find the standards?

knowledge transfer, trainings to the named topics, use of testing-tools and riskmanagement software, implementing feedback loops and iteration procedures based on CIP, self assessments

not applicable

curently in children's shoes, should be more

Implementing ESG as management approach, implementing human-centered design approach based on ISO/IEC9241-210:2019, training to understand "principles of trustworthy and ethical AI" based on EU-AI-Act recital 27, CIP

Implementing ESG as management approach, implementing human-centered design approach based on ISO/IEC9241-210:2019, training to understand "principles of trustworthy and ethical AI" based on EU-AI-Act recital 27, CIP

Yes, I´m a Lecturer on a university of Applied Science for "digital product management" and I impart knowledge about AI-Ethics, human-centered design approach, ISO42001:2023, conformity checks, requirements of EU-AI Act, GDPR, Data Act etc. for privacy by design, safety by design, compliance by design etc. Additional I´m a trainer on DIHK (Deutsche Industrie und Handelskammer) and train the AI-Managers. I write articles to "AI-Literacy", "Protection of AI-Training data", "AI and AI Regulation – a driver for digital and sustainable change?", "ESG and human-centered design in AI as a new leadership approach – a synergy for more humanity and sustainability with and through AI?" and I´m a contributor by AI&Partners to reflect their reports.

yes, in my advice and support based on requirements of EU-AI Act it´s mandatory for me to priorize named projects, e.g. bliro.io. Further more in my role as auditor it´s unacceptable to focus revers projects.

yes, I´m member of the "Innovethic advisory board", Member in KI-Park Berlin and KImpact Switzerland, Member and Voice in AIGN - AI-Governance Network, Contributor by AI&Partners, Member in working groups for digital transformation by GPM Germany