GDPR
The General Data Protection Regulation (GDPR) is the EU's data-protection regulation, governing the processing of personal data of people in the EU and EEA.
What is GDPR?
GDPR sets out lawful bases for processing, data subject rights (access, rectification, erasure, portability, objection), accountability obligations (records of processing, DPIAs, DPO designation where applicable), security and breach notification, and cross-border transfer rules. Article 22 specifically restricts solely automated decisions with legal or similarly significant effects. AI systems trained on personal data, embedding personal data, or using personal data at inference are all within scope.
How does GDPR apply to enterprise AI?
Every enterprise AI deployment that touches personal data must map its processing to a lawful basis, run a DPIA where the risk warrants, document sub-processors, and design for data subject rights from the start.
Related terms
- EU AI Act - The EU AI Act (Regulation (EU) 2024/1689) is the European Union's horizontal regulation for AI, classifying systems by risk and imposing obligations on providers, deployers, importers, and distributors.
- Data Residency - Data residency is the requirement that personal or regulated data stays within a specified geographic region throughout processing, storage, and backup.
- Sub-processor - A sub-processor is a third party that processes personal data on behalf of a processor, typically an infrastructure or software vendor sitting beneath the primary service provider.
- Transparency Notice - A transparency notice is a clear disclosure to users that they are interacting with an AI system, what it is doing with their data, and what its limits are.