AI consulting

GDPR and AI: keeping your models on the right side of EU data rules

Vincent Wahidi
Vincent Wahidi · 5 min read
GDPR and AI: keeping your models on the right side of EU data rules

There is a common assumption that AI is a new enough thing to sit outside the old data rules. It is not. If a model touches personal data, whether in training, in a prompt, or in an output, GDPR applies exactly as it always did. The EU AI Act adds a second layer on top, but the first questions a European business has to answer about its AI are still GDPR questions, and a few of them are sharper in an AI context than they were before.

The principles have not changed, but AI stresses them

GDPR is built on a handful of principles, and AI puts pressure on the same few every time. Lawful basis: you need a reason the law recognises to process personal data, and "we wanted to train a model" is not automatically one of them. Purpose limitation: data gathered to run a service cannot quietly become training data for something else without a fresh basis. Data minimisation: feeding a model everything because it might help is the opposite of what the rule asks. None of this is new. What is new is how easily an AI project bulldozes through all three without noticing.

Automated decisions are where it gets serious

Article 22 gives people a right not to be subject to purely automated decisions that produce legal or similarly significant effects, with narrow exceptions. An AI system that decides on credit, employment, or eligibility on its own walks straight into that provision. This is a large part of why keeping a human in the loop is not just good practice but often a legal requirement, and why the design question "does the model decide, or does it assist a person who decides" has consequences well beyond good taste.

The rights that are awkward with a trained model

GDPR gives people rights over their data, and some of them sit uncomfortably with the way models work. The right to erasure is straightforward for a database row and genuinely hard for a model that has already learned from the data. Transparency means being able to explain, in human terms, what is happening to someone's data. Neither is a reason not to build; both are reasons to design with them in mind from the start rather than discovering them at audit. Part of that is simply knowing where your data goes when you use AI in the first place.

GDPR and the AI Act stack

For a European business the two regimes work together. GDPR governs the personal data; the EU AI Act governs the risk of the system itself, with heavier obligations for higher-risk uses. Data residency runs through both: keeping data and processing inside the EU is often the cleanest way to satisfy the questions each regime asks. A firm that treats them as one combined design constraint, rather than two compliance projects, moves faster and with less risk.

The questions your DPO will ask, answered before they ask them

A practical way to pressure-test an AI project is to answer the data-protection questions before the project starts, because they are predictable. What personal data does the system touch, at training time and at inference time, and could it do its job with less? What is the lawful basis for each of those uses, written down, not assumed? Where does the data physically go, including through any third-party model API, and is there a data-processing agreement that covers it? If the system contributes to decisions about people, where exactly does the human decide, and can you show it? And if someone exercises their rights, access, objection, erasure, what actually happens, step by step?

An illustrative example makes the habit concrete: a company wants a support assistant that answers customer emails. The tempting build feeds whole mailboxes into a hosted model. The compliant build asks the questions first and lands somewhere better: strip or mask identifiers the assistant does not need, keep processing in an EU region under a proper agreement, log which sources each answer drew on, and keep a person on anything that changes a customer's account. The second system is not just legally safer. It is easier to explain, easier to audit, and no worse at the job.

What good looks like

Know what personal data flows into your models and why, hold a lawful basis for it, keep a person accountable for decisions that affect people, and be able to explain what you do in plain language. Do that and GDPR stops being a blocker and becomes a design brief. If you are deploying AI on European personal data and want to get the compliance foundation right before it becomes an audit finding, tell us what you are building, and see how we approach this under AI consulting.

Vincent Wahidi

Author

Vincent Wahidi is the director of Encelyte, a computer engineer who builds production AI, automation, and custom software for enterprises across Cyprus and the wider region. He writes the strategy, cost and decision-maker pieces himself; the practical how-to guides are curated under the five mission-cat bylines below.

Read next

Predictive maintenance for shipping and logistics fleets

Have a problem worth solving?

Tell us what you're building or fixing. We'll reply within one business day with a clear next step.