Welcome to “Law & Compliance in AI Security & Data Protection”! This training module has been designed to support privacy and data protection professionals in their approach to artificial intelligence (AI). Over approximately 15 hours of self-study, the materials below will present an overview of the various stages of the life cycle of applications powered by AI technologies, from the initial stages of their development to the end of their operation. At each stage, the training materials will identify issues that AI introduces and amplifies, as well as potential responses to them. By studying those materials, professionals will be better positioned to understand whether and how their organizations can use AI in accordance with legal requirements for privacy and data protection. 

To fully understand how AI matters for data protection and privacy, it is necessary to analyse what is unique about AI technologies and their production. This training module does not assume that learners have experience with the technical side of things. It introduces any technological concepts that are necessary for discussion and does so at an abstract level. The module’s goal is not to turn data protection and privacy professionals into computer scientists, but to ensure they have the concepts needed to understand the issues at hand and the vocabulary needed for effective communication with software developers and other technical actors.

The course assumes that the reader is familiar with the general concepts of the GDPR. Basic concepts—such as the notions of “data subject” and “processing”—are taken for granted so that the course can focus on what changes with AI. Contrastingly, the module offers a more thorough revision of specialized topics, such as the rules on automated decision-making and regulation by design, with an emphasis on their AI dimension. Furthermore, the course will introduce learners to the interplay between the GDPR and the EU’s new regulation on AI technologies, the AI Act (Regulation (EU) 2024/1689). It will not offer an in-depth treatment of national requirements or industry specific legal requirements. However, the conceptual tools developed throughout the module can also be applied to the study of such legal instruments and their implications for data protection.