While the white paper was published only a short while ago, there are reports that, because technology is changing so fast, the paper is already out of date.
The IAPP reports that although the proposed data protection bill includes a section on automated decision making, the UK government is proposing a second set of rules and regulations for AI and machine learning. Part of its national strategy on AI, the new AI proposals are meant to live alongside the data protection bill and involve regulators like Ofcom and the Competition and Markets Authority. Full IAPP Article: UK unveils data reform bill, proposes AI regulation.
The ICO updated its guidance: Guidance on AI and Data Protection. A new standalone chapter has been added which contains high-level recommendations on the UK GDPR's transparency principle as it applies to AI, including that, where data is collected directly from individuals, they must receive privacy information before their data is used to train a model or the model is applied to them.
There is also a new chapter on lawfulness in AI relating to influences, affinity groups and special category data.
There is a new chapter on fairness in AI.
Further reading about AI: The Alan Turing Institute: Common Regulatory Capacity for AI.
The Dark Side of AI
There is a dark side to the use of AI, more recently reported in its use in sophisticated cyber attacks. There is an application called WormGPT which allows hackers to launch sophisticated phishing and business email compromise attacks. It is a black hat alternative to GPT models, designed specifically for malicious activities.
Further information about WormGPT can be found at: Hacker News: WormGPT New AI Tool.
How to protect against an AI Cyber Attack?
If your current cyber resilience is multi-layered then this should help to prevent or mitigate an attack. Use of the following is recommended:
- Multi-factor authentication, review: Contracts Register.
- Phishing training for staff, review: DPE Phishing Simulations.
- Good password management training for staff. Training: Password Security.
- Good email hygiene.
- If an email is suspicious and you think the sender is pretending to be someone you know, check directly with the source. These new types of emails may not be so easy to spot: they are less likely to have spelling and grammatical errors and have the ability to learn about how you work. Ensure that all business processes include an element of cyber security.
- Embed cyber security as a core part of organisational risk management: NCSC Cyber Resilience.
- Use of technology to implement cyber resilience. Review: Information and Cyber Security Best Practice Library.
- Secure systems and access control. Preventative security.
- Monitor Systems.
Review: DPE Business Continuity Template.
Start by checking through our Information/Cyber Security Checklist.
What to do in an attack:
Tell someone! Report to IT. Report to SLT.
Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.
If you are a victim of a ransomware attack, we would recommend reporting this to Action Fraud: https://www.actionfraud.police.uk/ as well as to your data protection officer so they can advise about the data loss. Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.
Isolate the infected device and pass it to IT.
Always ensure there are backups you can restore from.
Little Guide to ACTION FRAUD
Remember – ‘Hackers don’t break in they login’!