Governance

GDPR

What it is, why it matters for businesses, and key questions to ask.

What it is

The General Data Protection Regulation (GDPR) is EU law that governs how personal data is collected, processed, stored, and shared. It applies to any business that handles EU residents' data, regardless of where the business is based.

Why it matters for businesses

When you use AI (especially cloud AI), you may be sending personal data to third parties. You need a lawful basis for processing, a Data Processing Agreement (DPA) with providers, and processes for data subject rights (access, erasure, portability). Non-compliance can mean fines up to 4% of global turnover.

Example workframe

Best practice

Document a lawful basis for each AI use case before go-live
Sign DPAs with all AI providers before sending personal data
Map data flows: what goes where, who processes it
Keep a record of processing activities (ROPA) for AI use cases
Update privacy notices when you add new AI processing

Areas to explore

Data inventory: which systems feed the AI and what personal data do they hold?
Provider contracts: do DPAs cover sub-processors and model training?
Retention: how long does the AI provider keep data? Can you enforce deletion?
Cross-border transfers: if data leaves UK/EU, what safeguards apply?
Subject rights: can you extract, correct, or delete data the AI has seen?

Suggestions

Run a Data Protection Impact Assessment (DPIA) for high-risk AI use cases
Assign a data protection lead for AI procurement decisions
Build a checklist for new AI tools: DPA, lawful basis, notice update

Key questions to ask

What personal data does our AI use case process?
Do we have a lawful basis for processing?
Have we signed a DPA with our AI provider?
Where is data stored? Does it meet residency requirements?
Can we respond to data subject requests (access, erasure)?
Is our privacy notice up to date?