PRIV-34 – Automated Decision-Making


What is this control about?

Implementing the control for “Automated Decision-Making” is crucial in today’s data-driven business landscape. Automated decision-making refers to the use of algorithms, machine learning, or artificial intelligence to make decisions without direct human intervention. While it offers benefits such as increased efficiency and scalability, it also introduces risks: incorrect or biased decisions, a lack of transparency about how a decision was reached, and regulatory exposure (for example, GDPR Article 22 restricts decisions based solely on automated processing that produce legal or similarly significant effects on individuals).

Available tools in the marketplace


Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • N/A – no templates for this control

Control implementation

Here are some guidelines for implementing an effective automated decision-making program:

  • Inventory of Automated Decision-Making Systems: Identify and list all the automated decision-making systems used in the organization. This includes machine learning algorithms, AI-based systems, and any other tools that make decisions without human intervention.
  • Assess Data Inputs: Review the data inputs used by each automated decision-making system. Ensure that the data being used is accurate, relevant, and up-to-date. Assess the quality and integrity of the data sources to prevent biased or unfair decision-making.
  • Transparency and Explainability: Ensure that the automated decision-making process is transparent and explainable. Understand how decisions are made and whether the process is easily understandable to both technical and non-technical stakeholders.
  • Risk Assessment: Conduct a risk assessment to identify potential risks associated with the automated decision-making systems. Evaluate the impact of incorrect decisions and potential harm to individuals or groups.
  • Data Privacy and Security: Ensure that the data used in automated decision-making is protected and in compliance with data protection laws and regulations. Implement measures to safeguard the data from unauthorized access or breaches.
  • Ethical Considerations: Evaluate the ethical implications of automated decision-making. Ensure that the decisions made by the systems align with the organization’s values and ethical principles.
  • User Consent and Opt-out Mechanism: Implement mechanisms for obtaining user consent when personal data is used in automated decision-making. Provide users with the option to opt out, or to request human intervention and contest the outcome, for decisions that significantly affect them.
  • Regular Audits and Monitoring: Conduct regular audits to assess the performance and accuracy of automated decision-making systems. Monitor the systems continuously, including for drift in input data and model behaviour over time, so that issues are identified and addressed promptly.
  • Human Oversight and Review: Introduce a mechanism for human oversight and review of automated decisions. This can involve human intervention for certain decisions or establishing a review process for disputed decisions.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the following evidence:

  • Inventory of Automated Decision-Making Systems: A detailed list of all the automated decision-making systems used within the organization, including their purpose, data sources, algorithms, and potential impact on individuals.
  • Data Inputs Documentation: Documentation that demonstrates the organization’s process for assessing and validating the data used as inputs in the automated decision-making systems. This should include data quality assessments, data lineage, and data source evaluations.

Evidence example

For the suggested action, an example is provided below:

  • Inventory of Automated Decision-Making Systems

This could be a list of tools that have been tagged as ‘automated decision maker’ systems within TrustCloud.


  • Data Inputs Documentation

