Responsible automation using Make from a data protection perspective

By integrating data protection by design and by default principles into Make.com scenarios, you can responsibly build GenAI agents that automate tasks, streamline processes, and ensure compliance with regulations like the EU AI Act and data protection laws.

AI, PROJECT MANAGEMENT, GOVERNANCE

4/22/2025, 4 min read

Make sample scenario

Having recently completed an excellent bootcamp from AI Academy introducing me to AI agents and automation tools like Make.com and Zapier, I've gained a deeper appreciation for the power – and the responsibility – that comes with this technology. The bootcamp was very hands-on and allowed me to scope and develop my own projects that, by the end of the 6 weeks, I was quite proud of. What I particularly liked about the course was the heavy focus on testing, which I feel is not mentioned enough when using these tools.

As we're well aware, the continued evolution of GenAI provides new ways for automating tasks and enhancing operations, and learning how to use them allows a greater understanding of where they need to be constrained. Tools like Make.com now empower non-technical professionals to build sophisticated GenAI agents, connecting applications to create intelligent workflows – this is just what I did, and I hope to be able to launch my product on this website in the coming months. However, as we know, innovation must be balanced with a clear understanding of legal obligations. Regulations like the EU AI Act and the GDPR impose constraints that must be addressed proactively, not as an afterthought.

Leveraging GenAI agents in Make.com for tangible results

Make.com’s visual platform allows you to design scenarios that automate processes. Integrating GenAI models with this automation engine unlocks significant potential. A couple of applications I did consider, but down-prioritised, involved:

  • Enhanced customer support: streamline support by analysing incoming tickets, summarising issues, and drafting personalised responses, escalating complex cases when human intervention is required.

  • Data enrichment and analysis: efficiently extract insights from unstructured data sources like news articles and customer reviews, and integrate these findings into business intelligence dashboards.

The ability to prototype and deploy these solutions rapidly with Make.com makes them valuable for companies seeking practical results.

The regulatory landscape

The opportunities presented by GenAI must be addressed with a clear understanding of the regulatory environment. While the EU AI Act continues to evolve, its principles are well-defined:

  • Risk-based approach: AI systems are categorised by risk level, with higher-risk systems subject to more stringent requirements. Even "low-risk" GenAI agents are subject to transparency and due diligence requirements.

  • Transparency and explainability: users need to understand how AI systems function and make decisions. This is particularly important for GenAI, where outputs can be difficult to predict.

  • Data governance: high-quality, unbiased data is essential for training and operating AI systems. Data security, privacy, and accuracy must be ensured.

  • Human oversight: this is essential to prevent AI systems from making harmful or discriminatory decisions.

Beyond the EU AI Act, data protection laws like GDPR must be understood and formulated as requirements.

Integrating compliance as a fundamental requirement: Building "Data Protection by Design and by Default" into Make.com

Responsible GenAI agent development requires treating legal and ethical obligations as fundamental requirements. In particular, it means applying data protection by design and by default in the context of Make.com scenarios, with considerations such as these, to name a few:

  1. Dataflow mapping and purpose limitation:

    • Map dataflows: document the complete dataflow of your GenAI agent, identifying data sources, processing steps, and destinations. What type of data is being processed, where is it stored, and for how long?

    • Define purpose: if the solution involves processing personal data, clearly define the various purposes for processing personal data. The purposes should be specific, limited, and communicated to users.

  2. Data minimisation:

    • Minimise collection: collect only the personal data necessary for the defined purpose. Avoid collecting excessive or irrelevant data by using Make.com’s modules to minimise the data shared with GenAI models – provide only essential information.

  3. Transparency and notice:

    • Provide clear notices: inform users how their personal data is being processed by the GenAI agent, including the purpose of processing, types of data, and their rights under GDPR.

    • Explainable AI: strive to make the GenAI agent's decisions as transparent as possible to build trust and allow users to understand the agent’s decisions.

  4. Security and access control:

    • Implement security measures: protect personal data from unauthorised access by implementing strong encryption, access controls, and security monitoring.

    • Control model access: restrict access to GenAI models to authorised personnel using role-based access control.

  5. Human oversight and intervention:

    • Implement human-in-the-loop: design your GenAI agent to include human oversight, allowing operators to review decisions, intervene when necessary, and prevent harmful outcomes.

    • Establish escalation procedures: define clear procedures for escalating cases requiring human intervention to ensure complex issues are handled by qualified personnel. This is where Make.com’s routing modules can direct cases to human operators based on predefined criteria.

  6. Data retention and deletion:

    • Establish retention policies: define how long personal data will be retained, complying with GDPR and other applicable laws.

    • Implement deletion procedures: establish procedures for securely deleting personal data when it is no longer needed, using Make.com’s scheduling modules to automate data deletion tasks.

Example: creating a centralised Event Hub with Make.com

My own bootcamp project involved building a system with Make.com that consolidated information about events (conferences, webinars, meetings, etc.) covering data protection, AI governance, and infosec. It extracts data from emails, RSS feeds, and websites, with the following aspects:

  • Data sources: The agent collects event information from various sources.

    • Email parsing: when parsing event emails, the focus is on extracting event details: title, date, description, URL.

    • RSS feeds/websites: ensure compliance with website terms of service. Extract similar event details.

  • Purpose limitation: limit extracted data to essential event information to avoid processing personal data.

  • GenAI enhancement: the GenAI model summarises event descriptions and categorises events by topic.

  • Data storage: store extracted event information in Airtable.

  • User interface: display the consolidated event information on the Purpose and Means website.

    • Transparency: provide a clear data processing notice specifically for this solution explaining the sources of event information and how it’s being used, and also update the overall website notice.

  • Automation: schedule Make.com to regularly check data sources for new events.

  • Data deletion: schedule Make.com to automatically delete event information after a defined period.
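
The purpose-limitation and data-deletion steps listed above can be expressed as two small checks, shown here as an added example in Python rather than the author's Make.com scenario. The `id` and `stored_at` column names, the 90-day retention period and the deliberately simple regex patterns are assumptions; the four event fields are the ones named in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# The four event fields named in the post; everything else is dropped.
ALLOWED_FIELDS = ("title", "date", "description", "url")

# Illustrative patterns (assumptions): e-mail addresses and
# international-format (+NN ...) phone numbers inside free text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d[\d\s().-]{7,}\d")


def minimise(parsed_email):
    """Keep only allow-listed event fields and scrub contact details
    from the description before it is stored or sent to a GenAI model."""
    event = {k: str(parsed_email.get(k, "")).strip() for k in ALLOWED_FIELDS}
    text = EMAIL_RE.sub("[email removed]", event["description"])
    event["description"] = PHONE_RE.sub("[phone removed]", text)
    return event


def expired(records, now, retention_days=90):
    """Return the ids of stored records older than the retention period."""
    cutoff = now - timedelta(days=retention_days)
    return [r["id"] for r in records
            if datetime.fromisoformat(r["stored_at"]) < cutoff]


# Constructed sample input: a parsed event e-mail including sender metadata.
SAMPLE_EMAIL = {
    "from": "Jane Doe <jane.doe@example.org>",
    "to": "subscriber@example.com",
    "title": "AI Governance Webinar",
    "date": "2025-06-12",
    "description": "Register with jane.doe@example.org or call +44 20 7946 0958.",
    "url": "https://example.org/events/ai-governance",
}
# Constructed sample rows; id and stored_at are hypothetical column names.
SAMPLE_STORE = [
    {"id": "rec1", "stored_at": "2025-01-01T00:00:00+00:00"},
    {"id": "rec2", "stored_at": "2025-04-01T00:00:00+00:00"},
]

if __name__ == "__main__":
    print(minimise(SAMPLE_EMAIL))
    print(expired(SAMPLE_STORE, datetime(2025, 4, 22, tzinfo=timezone.utc)))
```

The allow-list removes sender and recipient headers outright, while the scrubbing pass covers contact details that organisers embed in the event description itself.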

Conclusion: promoting responsible AI implementation

Building GenAI agents with Make.com offers opportunities to automate processes and improve efficiency, but this requires a commitment to responsible implementation. By treating legal and ethical obligations as core requirements and integrating data protection by design and by default into your Make.com scenarios, you can develop effective and compliant GenAI solutions. With Make.com's visual overview, it's also easy to pinpoint where controls are required.

As mentioned above, the bootcamp may see the light of day on this website sometime in the coming months.

Interested to know more? Feel free to get in touch to arrange a no-obligation call to discuss how we can support you in your automation projects.