A data privacy officer is reviewing an AI system that processes personal data of EU residents to make automated credit decisions. Which two regulatory frameworks are most directly applicable, and what controls are required at their intersection?

Question

Accepted Answer

A. GDPR (automated decision-making rights under Article 22 requiring human review on request and explanation of decisions) and EU AI Act (high-risk classification requiring documentation and human oversight). Automated credit decisions using personal data of EU residents trigger GDPR Article 22 (individuals have rights regarding automated decisions with significant effects) and the EU AI Act (creditworthiness assessment is a named high-risk use case). Both require human oversight and explainability. The SecAI+ objectives include applying GDPR and NIST AI RMF and understanding global governance requirements. NIST CSF/SOC 2 and PCI DSS/HIPAA do not address EU personal data or AI-specific automated decision rights.

A data privacy officer is reviewing an AI system that processes personal data of EU residents to make automated credit decisions. Which two regulatory frameworks are most directly applicable, and what controls are required at their intersection?

Related Questions

Discussion