The UK’s Information Commissioner’s Office shares its thoughts on the complexity of producing or deleting data used to train machine learning algorithms in response to data subject requests under GDPR.

Key points:

  • Training data can be much harder to link to a particular individual, but this is not the same as anonymization.
  • It may still be considered personal data, because it can be used to ‘single out’ the individual it relates to, on its own or in combination with other data.

For data access:

  • You’re required to respond (and produce the data) assuming you have taken reasonable measures to verify the identity of the data subject, and no other exceptions apply.

For erasure:

  • If the data subject has appropriate grounds, you must respond unless a relevant exemption applies.
  • Where the development of the system is ongoing and data is necessary for the purposes of re-training, refining and evaluating an AI system – take a case-by-case approach regarding the request.
  • You only have to delete the ML models if they contain training data.
  • Rectification requests re: ML model output are possible.

Details from the UK ICO.