GDPR for AI Systems Checklist

GDPR compliance checklist tailored to AI/ML data processing

A specialised GDPR checklist focused on AI-specific requirements — lawful basis for training data, automated decision-making rights under Article 22, data minimisation in prompts, and retention inside AI provider logs. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

How is GDPR different for AI systems?

The principles are the same, but AI stresses them in specific ways — training data needs a lawful basis, prompts can leak personal data to processors, automated decisions trigger Article 22 rights, and provider logs create hidden retention you must account for.

GDPR, but for how AI actually processes data

GDPR did not change when AI arrived, but AI changed how organisations process personal data — and where the risks hide. Training pipelines ingest data at scale, prompts quietly ship customer details to third-party processors, model outputs can reconstruct sensitive attributes, and provider logs retain your inputs long after you have forgotten them. This checklist isolates the AI-specific obligations from the generic GDPR boilerplate so you can focus on the parts that genuinely apply to machine-learning systems.

How the AI angles map to GDPR principles

Each classic GDPR principle has an AI-shaped failure mode:

  • Lawful basis (Art. 6) — every use of personal data needs a basis. For training this is often the hardest part; legitimate interest needs a balancing test, and scraped web data rarely satisfies it cleanly.
  • Purpose limitation (Art. 5) — reusing data collected for one purpose to train a model is a new purpose that needs its own justification.
  • Data minimisation (Art. 5) — prompts are notorious for over-sharing. Sending an entire customer record when the task needs one field is a minimisation failure.
  • Storage limitation (Art. 5) — AI providers log inputs and outputs. Retention you do not control is still retention you are accountable for.
  • Automated decision-making (Art. 22) — solely automated decisions with significant effects trigger extra rights: information about the logic and a human-review route.

Notes and tips

  • Treat any external LLM API as a processor: get a data-processing agreement, confirm sub-processors, and check whether data leaves the EEA.
  • Run a DPIA before launch for any large-scale profiling or automated decision — it is both a legal requirement and the cleanest place to document the choices this checklist forces you to make.
  • Confirm the provider’s training opt-out and retention window; pair this tool with the AI Provider Data Retention Reference to fill those in.
  • This is an educational tool, not legal advice. Where a decision turns on special-category data or cross-border transfers, involve your DPO or counsel.