Establishing AI Guidelines
The AI guideline sets the framework conditions for the use of AI within a company. It should therefore be drawn up in consultation with employees, the works council, data protection officers, procurement, IP management, compliance, and management, and it needs constant development. Duplication of effort can be avoided efficiently by reusing tools and processes that are already established, for example in the area of data protection:
- Tools for risk analysis and management, including criteria for assessing risks to the company (see data protection impact assessment)
- Reporting processes for security incidents (see GDPR reporting process)
- Tools for recording and documenting AI applications and use cases (see directory of processing activities)
Formulating Checklists and Whitelists
A checklist for examining and approving AI systems, including a whitelist of approved AI use cases, should be drawn up. Because the legal requirements for the use of AI stem from various laws, a multi-stage process is recommended that involves the relevant departments, such as legal, HR, IT, and data protection. Each department contributes its section to a comprehensive checklist that particularly addresses aspects such as data protection, IT and data security (see further: Cybersecure Online), compliance with the AI regulation, licensing law, copyright, protection of secrets, and specific confidentiality obligations (e.g., health data privacy, professional confidentiality for doctors, lawyers, tax advisers), as well as the company’s internal AI usage guidelines.
The assessment is carried out for a specific use case specified by the applicant. The same AI system may be approved for one use case (e.g., chatbot in customer service) and restricted for another (e.g., chatbot for candidate selection). The result is a whitelist of approved AI systems for individually described use cases.
Employees must have confidence in the use of AI. This requires regular training to keep AI competence current with new developments and clear work instructions for AI usage (derived from the comprehensive AI guideline). In addition, adapted data protection notices are necessary.
Released 09.06.2026
Contact persons
Arian Siefert
Director Digital Economy
Jonas Wöll
Director Digital Single Market, EU Transport Policy, Regional Economic Policy