GDPR and AI: what to sort out before you start

AI and data protection work together - when you get it right. Five questions to answer before you start.

Law & AI
Rolling out AI means data protection too. Build it in from day one and you're on solid ground.

Why GDPR and AI aren't at odds - but do need planning

Plenty of mid-sized firms stall on AI implementation because of data protection worries. Understandable. Often overblown. GDPR and AI aren't mutually exclusive. What they need: knowing which data is processed where, and on what legal basis, before you start.

Five questions to answer before any AI implementation.

1. Are you processing personal data?

Names. Email addresses. Customer numbers. Communication history. The moment any of this runs through an AI system, GDPR applies in full. Check your legal basis, inform the data subjects, update your processing records. Cut corners here and you're not just risking fines. You're risking customer trust.

2. Do you have a data processing agreement (DPA)?

If an AI service handles your data, a DPA with the provider is mandatory. Applies to cloud services. Applies to locally-run models that call external APIs. Plenty of firms launch AI tools without checking whether the provider even offers a GDPR-compliant DPA. Some don't.

3. Where is the data processed - and stored?

US-based AI services fall under the CLOUD Act. That means US authorities can reach the data under certain conditions, even when it sits on European servers. For customer records, contracts or internal chat, that's a real risk. Not every use case demands European hosting. But the choice should be a conscious one.

4. Is your data being used for training?

Many AI services feed user inputs straight into model training by default. Fine for personal notes. Not fine for customer data, proposals or contracts. Firms that set up AI usage properly read the privacy policies and switch to opt-out or enterprise access with training turned off where it counts.

5. Is your data protection officer involved?

Companies with more than 20 people handling personal data need a data protection officer. Bring them in early on any AI implementation. Not to slow things down. To document what's processed and why. That's what protects you when something goes wrong.

What this means for AI in practice

The answer isn't avoiding AI. It's making GDPR-compliant choices: pick European providers, get DPAs signed before you start, switch off training usage, keep processing records up to date. Sounds like hassle. In practice, it's a one-off structuring job that keeps day-to-day operations legally sound.

AI data protection isn't a blocker. It's a quality signal - for your business and for your customers.

Want to put AI to work the GDPR-compliant way?

I'll check your planned AI use for data protection compliance - ideally before you start.

Book a consultation
mindmelt Frankfurt
hallo@mindmelt.de