The Article 11 of the EU AI act states that there shall be a “Technical Documentation” of high risk AI system before that system is placed on the market or put into service and shall be kept up to date.
This is a document that a “Deployer” should obtain from the developer or supplier of the AI algorithm as part of the compliance requirements.
Under DGPSI*, which considers the AI algorithm supplier as a Joint Data Fiduciary of the deploying company, the deployer needs to obtain an undertaking from the supplier a conformity statement as part of the Contract and also assume liability for any non compliance of DPDP 2023.
EU AI act prescribes the format for documentation which requires the following format of documentation (Annex IV) which is also relevant for DGPSI compliance.
1.A general description of the AI system (including the purpose of usage)
2.Detailed description of the elements of the AI system and the process for its development (Applicable to the developers and including documented test process)
3.Detailed information about monitoring, functioning and control of the AI system
4.description of the appropriateness of the performance metrics for the specific AI system
5.Description of the relevant changes made by the provider to the system through its lifecycle
6.List of harmonized standards applied in full or in part.#
7. A Copy of the EU declaration of Conformity##
8. A detailed description of the system in place to evaluate the AI system performance in the post market monitoring plan.###
#List of Union harmonization legislation as per Annex II includes GDPR and other industry regulations where AI may be used as part of the system. In the Indian context this includes the ITA 2000 and the AI advisory.
# #DPDPA Declaration of Compliance
###In EU AI act, providers need to establish and document a post-market monitoring system in a manner that is proportionate to the nature of the artificial intelligence technologies and the risks of the high-risk AI system. (Ref Article 61).
US has called this “Process Controller” as Chief AI officer which is mandatory for federal agencies.
In the Indian context this is included in the AI policy managed by the DPO with the “Process Controller” under the distributed responsibility policy.
Under DGPSI the highlighted points are key to compliance with a modification that point no 5,6 ,and 7 should refer to DPDPA Compliance and point number 8 to the measures undertaken by the deploying Data Fiduciary. Points 2 and 3 are more relevant for compliance in the developer eco system.
*PS: DGPSI or Digital Governance and Protection Standard of India is the indigenous framework developed by FDPPI/Naavi for compliance of DPDPA along with ITA 2000 and BIS draft standard of Data Protection.
(…to be continued)
Naavi