Data protection and monitoring: An LRD guide to privacy at work (April 2024)

Chapter 2

What additional steps does the employer have to take?

[page 30]

As explained on page 18, an employer must complete a DPIA if it intends to carry out any processing that is likely to result in a high risk to individuals’ rights and freedoms. The ICO acknowledges that not all uses of AI will require a DPIA, but it is likely to be needed where:

• AI is used to make decisions based on “systematic and extensive evaluation of personal aspects” that have legal or other significant effects;

• there is large-scale processing of special categories of personal data; or

• there is systematic monitoring of publicly-accessible areas on a large scale.

When an employer introduces new AI technology to established systems of monitoring workers, the ICO guidance recommends that the employer should consider whether this changes the effect on individuals’ rights and freedoms. The guidance points out that responsibility for decisions made by, or with the help of, AI is not always clear, and that employers should be transparent about the process so that workers know how to challenge those decisions.

It is also important that management understands their own AI processes and can explain them to their workers. As the ICO explains, compliance with data protection law is a risk-based process that involves organisations assessing their own practices.


This information is copyright to the Labour Research Department (LRD) and may not be reproduced without the permission of the LRD.