In brief

How do you use AI and generative AI in compliance with the GDPR?

The GDPR applies to any processing of personal data, including when carried out by an AI system. Using AI compliantly means six reflexes: identify a valid legal basis for training and for use; apply minimisation (use only strictly necessary data); run a data protection impact assessment (DPIA) where processing is likely to result in a high risk; guarantee data-subject rights (information, access, objection, automated decisions); govern transfers outside the EU and favour European hosting; and document all of it. Generative AI demands extra care: avoid sending personal data to unmanaged third-party models, and trace the sources of a RAG system. Because the GDPR and AI Act overlap heavily, they are documented efficiently together.

Definition

DPIA (data protection impact assessment) — A data protection impact assessment — required under the GDPR when processing is likely to result in a high risk to individuals' rights and freedoms, common for AI systems. It describes the processing, evaluates the risks and sets the mitigating measures.

EU 2016/679
Reference regulation (GDPR)
DPIA
Impact assessment for high-risk processing
EU hosting
No data leaves the Union
GDPR × AI Act
Documented in one pass

The typical frictions between AI and the GDPR

  • Training on personal data with no clear legal basis and no information to the individuals.
  • Sending sensitive data to a third-party generative-AI service, outside the EU, without controls.
  • Automated decisions (Article 22) with no human oversight and no right of appeal.
  • No impact assessment (DPIA) on processing that is, in fact, high-risk.

Compliance by design

The best compliance is not an after-the-fact audit: it is an architecture designed for it. We build minimisation, pseudonymisation, isolation and sovereign hosting into the design phase, so the system is compliant by construction. For generative AI, we favour EU-hosted models and RAG architectures where every answer is traceable to its source.

A single GDPR + AI Act pass

The two regimes share most of their substance: registers, impact assessments, governance, documentation. We handle them together to avoid producing the same deliverables twice and to keep them consistent. You get unified compliance, not two parallel workstreams.

What you get

  • Spotting personal-data processing by AI system
  • Help determining legal bases
  • Identifying where a data protection impact assessment (DPIA) is needed
  • Minimisation, pseudonymisation and isolation measures
  • Good practices for data-subject rights and human oversight
  • GDPR + AI Act points of attention built into the design
FAQ

Frequently asked

Answers to the most common questions — timelines, sectors, compliance, hosting, methodology.

Can I use ChatGPT or a public LLM with my company data?

Not without precautions. Sending personal or confidential data to an unmanaged third-party service creates a GDPR and leakage risk. We put alternatives in place: EU-hosted models, private deployment, or isolated RAG architectures where your data never leaves a controlled perimeter.

When is a DPIA mandatory?

When processing is likely to result in a high risk to individuals' rights — which is common with AI (profiling, automated decisions, sensitive data, monitoring). We determine whether a DPIA is required and, where it is, we run it.

Does the GDPR really stop me innovating with AI?

No. The GDPR frames; it does not forbid. Almost every AI use case can be designed compliantly provided you start at the design stage. Our role is precisely to make innovation possible within the framework.

Ready to unlock
your data?

Let’s discuss your transformation challenges. An initial conversation, no commitment, to frame your need and see how to move forward.