7 May 2024

Data governance for new EU AI Act compliance

Artificial intelligence is reshaping the way businesses across industries work, interact, and innovate. From automating routine, time-consuming tasks and forecasting future trends to analyzing large volumes of data and delivering valuable insights at scale, AI has the potential to release new levels of efficiency, productivity, and innovation.

Today’s AI environment is akin to the Wild West: a lawless time marked by the promise of unbridled opportunity and the threat of unforeseen risk. But with the introduction of the EU AI Act earlier this year, that’s all about to change.

What is the EU AI Act?

In March 2024, the European Union passed a first-of-its-kind regulation that provides “AI developers and deployers with clear requirements and obligations regarding specific uses of AI.” The new regulation assigns each AI application to a risk category, with obligations that range from little to no action required, through compliance with regulatory mandates, to, in the case of an unacceptable rating, an outright ban of the AI app. Further, the AI Act “seeks to reduce administrative and financial burdens for business, in particular small and medium-sized enterprises (SMEs).”

As when the EU introduced the General Data Protection Regulation (GDPR) in 2016, the EU AI Act sets out timelines for compliance, giving the organizations that produce and use these applications a runway to ensure their applications meet the legal requirements. Prohibitions on unacceptable-risk apps begin six months after entry into force, while high-risk apps have 24 to 36 months to comply with their regulatory obligations.

Why do we need AI regulations?

While most artificial intelligence applications are designed to improve how we live and work, some AI apps introduce risks and biases, either intentionally or inadvertently. Applications classified as high-risk, for example, could expose people to unfair treatment or pose safety risks if not properly governed. They fall into categories including “critical infrastructure, education, and vocational training, employment, essential private and public services (e.g. healthcare, banking), certain systems in law enforcement, migration, and border management, justice and democratic processes (e.g. influencing elections).”

The purpose of the regulations is to flag applications that pose potential risks and put guardrails in place to govern their models and the data that feeds them. Remember, AI models learn from data, which means that the quality of the data drives the quality of the AI outputs. Use good, high-quality data to train your AI models and your results will generally be good. Put garbage data into the models, and outputs will be garbage, too.

Similar to how the GDPR put in place rules and requirements for the proper use and protection of an individual’s personal data, the EU AI Act outlines the obligations that AI apps, their providers, and organizations that use the apps need to follow. To comply, providers of high-risk apps, for example, must demonstrate that they fulfill several requirements ranging from establishing a risk management system and conducting data governance to providing technical documentation and implementing human oversight. These guardrails help protect the people who use AI apps from decisions that result in unfair disadvantages.

What role does data governance play in EU AI Act compliance?

Trustworthy AI requires high-quality, trustworthy data. That’s why having the proper data governance frameworks in place is key to ethical, reliable AI insights. Effective data governance provides the policies and frameworks that enable organizations to operationalize the regulatory, ethical, and reputational requirements of the EU AI Act. It helps to foster stronger collaboration between IT, the data team, and risk and compliance. It also improves the overall quality and integrity of the data by:

  • Implementing policies and procedures that define how data should – and should not – be handled
  • Clarifying roles and responsibilities so everyone – from data stewards to data owners – understands their role when it comes to managing and protecting data assets
  • Establishing data quality metrics and monitoring to measure and report on the integrity of the data
  • Defining data security protocols such as encryption and security audits to protect data from unauthorized access, data breaches, and theft
  • Delivering training and education so that everyone across the organization is aware of and adheres to the policies, tools, and best practices related to data governance

Supported by tools like data lineage and a data catalog, strong data governance frameworks define clear guidelines, responsibilities, and practices that ensure the safe and responsible handling of data so that it aligns with the strategic objectives of the organization. That way, when an AI application ingests data to train its models, the organization can prove to regulators that the data is accurate, unbiased, and secure.

Further, data changes all the time. Strong data governance supports continuous data monitoring by ensuring that new data, including information from new sources, adheres to the frameworks established by the business. This is particularly important when complying with the EU AI Act as the addition of new data and new data sources could change the classification of the AI app, prompting the need to comply with different obligations.

How DataGalaxy helps organizations comply with the EU AI Act

Implementing data governance helps to ensure that an organization’s data is accurate, accessible, and secure. And doing so requires the right combination of people, processes, and technology. Defining the right roles and responsibilities (people) and developing the right data governance framework (process) are good first steps. However, having the right tools (technology) is essential for data governance to succeed.

DataGalaxy’s Data Knowledge Catalog gives business users, many of whom are not data experts, clarity on data definitions, data lineage, and essential business attributes. With that clarity they can not only understand and use their data more effectively but also ensure it complies with regulatory mandates. Data catalogs show who owns the data, allowing for greater collaboration – and accountability – across the business. They also provide a self-service way for everyone in the organization to find the data they need, turning what used to be tribal knowledge into useful, accessible information that can be used to enhance AI model accuracy.

Data catalogs also reduce the risks associated with regulatory reporting and compliance. Using capabilities such as data lineage, users can understand not only the impact of the changes they are making today but also how the data has changed over time. The business can also show who can access the data, where it comes from, and how it is used to train AI models, all of which are critical when proving that their apps comply with the new regulations.

Further, data catalogs enable organizations to classify and flag sensitive data that should be used with caution, helping them to avoid risks and unintended biases that could result from the use of sensitive or restricted information when training AI models.


The EU AI Act represents the first of what will likely be numerous regulations aimed at ensuring the safe and responsible use of AI. For organizations that need to demonstrate compliance, implementing data governance and a data knowledge catalog is a good first step toward meeting regulatory obligations. Done right, data governance and a data knowledge catalog will ensure the data powering their AI apps remains clean, protected, and secure, which, in turn, will support compliance efforts.

To learn more about how DataGalaxy’s Data Knowledge Catalog can help your organization comply with the EU AI Act, please book a demo or pick a date that works best for you to discuss your organization’s data management strategy!
