
How do you use AI tools without breaking GDPR?

Short answer

Under GDPR, typing or pasting personal data into an AI tool is processing it. That means you need a lawful basis (Art. 6), a Data Processing Agreement under Art. 28 with the AI vendor (which acts as your processor), data minimization, and the ability to honor data-subject rights for whatever you entered. The most common failure is processing customer or employee personal data through a consumer AI account that has no DPA, on consumer terms you do not control.

Who it applies to

Any organization established in the EU or UK, or that offers goods or services to, or monitors, people there (GDPR Art. 3), regardless of where the company itself is based. Pasting a customer's email address, name, or record into an AI tool counts as processing, whether or not the output is kept.

What it requires

  • A lawful basis for processing personal data through the AI tool.
  • A signed DPA (Art. 28) with the AI vendor before personal data is entered.
  • Data minimization — don't paste more personal data than necessary.
  • Contractual assurance that the vendor does not use your inputs to train its models and retains them no longer than needed to return the output (purpose and storage limitation, Art. 5(1)(b) and (e)); a training opt-out or zero-retention tier is the simplest way to evidence this.
  • A valid transfer mechanism (adequacy decision or standard contractual clauses, Chapter V) if the vendor processes the data outside the EU/UK.
  • A way to honor access, deletion, and objection rights for that data.

How to comply

  1. Stop personal data entering consumer/personal AI accounts.
  2. Move to enterprise tiers with a DPA and training disabled.
  3. Mask or tokenize personal data before it reaches the AI, so the vendor only ever sees placeholders (e.g. PII Guardrail).
  4. Record your lawful basis and update your processing register.
  5. Train staff on what personal data must never be pasted.
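Step 3 is the one engineering control in the list, so here is a worked illustration of it. This is an added example, not Trustevo's PII Guardrail or any vendor's code: a request-scoped pseudonymizer that swaps email addresses and phone numbers for placeholder tokens before the text is sent, refuses to send if anything identifying slips through, and restores the real values in the reply. Everything in it is assumed: the regexes, the token format, the fictitious customer in the constructed sample ticket, and the stand-in `fake_model` that plays the vendor API. Regexes only catch patterned identifiers; names and addresses in free text need NER or a dedicated detection service, which is exactly why the page recommends a purpose-built guardrail.

```python
import re

# Patterned identifiers a regex can catch. Free-text names and postal
# addresses are NOT covered here; those need NER or a PII-detection service.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern: leading digit (optional +), then digits/spaces/
# punctuation, ending in a digit. Deliberately broad; see _phone() below.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def _looks_like_phone(raw: str) -> bool:
    # Dates and order numbers also hit PHONE_RE; require 9+ digits so
    # "2024-01-15" is left alone. Over-masking is the safe failure mode.
    return sum(ch.isdigit() for ch in raw) >= 9


class Pseudonymizer:
    """Reversible masking scoped to a single request.

    Real values are replaced by tokens before the text leaves the
    organisation. The token -> value map lives only in this object, so the
    vendor never receives an identifier, and the same value always gets the
    same token so the model can still tell two people apart.
    """

    def __init__(self) -> None:
        self._forward: dict[str, str] = {}  # real value -> token
        self._reverse: dict[str, str] = {}  # token -> real value
        self._counts: dict[str, int] = {}   # per-kind counter for tokens

    def _token(self, kind: str, value: str) -> str:
        if value in self._forward:
            return self._forward[value]
        self._counts[kind] = self._counts.get(kind, 0) + 1
        tok = f"<{kind}_{self._counts[kind]}>"
        self._forward[value] = tok
        self._reverse[tok] = value
        return tok

    def _phone(self, m: re.Match) -> str:
        raw = m.group(0)
        return self._token("PHONE", raw) if _looks_like_phone(raw) else raw

    def mask(self, text: str) -> str:
        # Emails first: their local parts can contain digit runs.
        text = EMAIL_RE.sub(lambda m: self._token("EMAIL", m.group(0)), text)
        return PHONE_RE.sub(self._phone, text)

    def unmask(self, text: str) -> str:
        # Tokens end in '>', so <EMAIL_1> can never match inside <EMAIL_10>.
        for tok, value in self._reverse.items():
            text = text.replace(tok, value)
        return text


def residual_pii(text: str) -> list[str]:
    """Deny gate run on the outbound text; anything returned is a bug."""
    emails = [m.group(0) for m in EMAIL_RE.finditer(text)]
    phones = [m.group(0) for m in PHONE_RE.finditer(text)
              if _looks_like_phone(m.group(0))]
    return emails + phones


def handle_ticket(ticket_text: str, call_model) -> tuple[str, str]:
    """Round trip: mask -> gate -> vendor call -> unmask the reply."""
    p = Pseudonymizer()
    masked = p.mask(ticket_text)
    leftovers = residual_pii(masked)
    if leftovers:
        raise ValueError(f"refusing to send: unmasked identifiers {leftovers}")
    return masked, p.unmask(call_model(masked))


# Constructed sample ticket with a fictitious person and contact details.
SAMPLE_TICKET = ("Customer Jane Doe (jane.doe@example.com, +44 20 7946 0958) "
                 "asks for a refund on order 10042. Reply to jane.doe@example.com.")


def fake_model(prompt: str) -> str:
    """Hypothetical stand-in for the vendor API: echoes tokens back as a model would."""
    return "Draft reply to <EMAIL_1>: we will call <PHONE_1> about order 10042."


if __name__ == "__main__":
    sent, reply = handle_ticket(SAMPLE_TICKET, fake_model)
    print("sent to vendor:", sent)
    print("restored reply:", reply)
```

The point to notice is what the vendor actually receives: "Customer Jane Doe (<EMAIL_1>, <PHONE_1>) asks for a refund ...". The name still goes out because regexes cannot find it, which is the gap a real guardrail closes; the email and phone number never leave the process, and the reply comes back with them restored for the agent who handles the ticket.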

See exactly where you stand

Run a free 2-minute AI Exposure assessment — your risk scored and mapped to the EU AI Act, GDPR, and HIPAA, with a remediation plan and a starter policy.

This guide is general information, not legal advice. Confirm specifics with your counsel or compliance team.

We use privacy-respecting analytics to understand how visitors use this site. No data is shared with AI providers and you can decline at any time.