Matt Shore
GDPR

What it is, why it matters for businesses, and key questions to ask.

What it is

The General Data Protection Regulation (GDPR) is EU law that governs how personal data is collected, processed, stored, and shared. It applies to any business that handles EU residents' data, regardless of where the business is based.

Why it matters for businesses

When you use AI (especially cloud AI), you may be sending personal data to third parties. You need a lawful basis for processing, a Data Processing Agreement (DPA) with each provider, and processes for handling data subject rights (access, erasure, portability). Non-compliance can mean fines of up to 4% of global turnover.

Example framework

Best practice

  • Document a lawful basis for each AI use case before go-live
  • Sign DPAs with all AI providers before sending personal data
  • Map data flows: what goes where, who processes it
  • Keep a record of processing activities (ROPA) for AI use cases
  • Update privacy notices when you add new AI processing

Areas to explore

  • Data inventory: which systems feed the AI and what personal data do they hold?
  • Provider contracts: do DPAs cover sub-processors and model training?
  • Retention: how long does the AI provider keep data? Can you enforce deletion?
  • Cross-border transfers: if data leaves UK/EU, what safeguards apply?
  • Subject rights: can you extract, correct, or delete data the AI has seen?

Suggestions

  • Run a Data Protection Impact Assessment (DPIA) for high-risk AI use cases
  • Assign a data protection lead for AI procurement decisions
  • Build a checklist for new AI tools: DPA, lawful basis, notice update

Key questions to ask

  • What personal data does our AI use case process?
  • Do we have a lawful basis for processing?
  • Have we signed a DPA with our AI provider?
  • Where is data stored? Does it meet residency requirements?
  • Can we respond to data subject requests (access, erasure)?
  • Is our privacy notice up to date?

Further reading

  • ICO: Guide to GDPR
  • ICO: AI and data protection
© 2026 Matt Shore