
AI Adherence to GDPR: Guiding blueprint for Design Compliance - Episode 2: The Designing Stage

Ensuring AI adherence to GDPR requires data minimization, anonymization, transparency, and human supervision so that AI operates ethically and legally.


In the rapidly evolving world of artificial intelligence (AI), ensuring compliance with the General Data Protection Regulation (GDPR) is paramount. The European Data Protection Board (EDPB) has outlined several considerations for AI developers to adhere to during the design phase of the AI development life cycle.

First and foremost, a data strategy should prioritise data minimisation and the exclusion of inappropriate or irrelevant personal data sources. This strategy should follow guidance from the EDPB on source suitability and relevance. By doing so, organisations can convert raw data into valuable information while anonymising or pseudonymising data to reduce privacy risks.

Privacy-enhancing technologies should be integrated into the AI system architecture, ensuring that personal data processing is limited to what is necessary for the AI's purpose. This proactive approach to privacy protection is essential, as AI models must be tested to prevent unintentional data memorisation and reduce the risk of accidentally disclosing personal data.

Organisations must also maintain documentation of data processing activities and decisions related to data to support accountability and compliance auditing. Furthermore, human oversight and mechanisms for review and appeal of AI-driven automated decisions should be planned, respecting data subjects' rights.

Cross-functional teams—technical, legal, and compliance—should be educated to embed GDPR requirements throughout the AI design and development process. This education ensures that personal data is accurate and, where necessary, kept up to date.

Pseudonymisation is a good way to mitigate GDPR compliance risks and is one of the measures identified in the data protection by design approach. However, the standard for anonymisation is high and subject to complex case law. Synthetic data can be an alternative to collecting and anonymising personal data, as it avoids the complexities associated with meeting the legal standard for anonymisation.

Under the upcoming AI Act, high-risk AI systems must be designed and developed in such a way that they can be effectively overseen by humans to prevent or minimise the risks to health, safety, or fundamental rights. Additionally, the GDPR's provision on automated individual decision-making requires human intervention, and individuals must be provided with meaningful information about the logic involved in such decisions.

In conclusion, by following these guidelines, organisations can ensure that AI systems are built with data protection as a foundational element, aligning with the GDPR’s core principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.

  1. In the context of AI development and business, ongoing education and self-development for cross-functional teams, including legal, technical, and compliance professionals, are crucial in embedding GDPR requirements.
  2. To manage data efficiently in finance, education, and other sectors that use data and cloud computing technology, it's essential to prioritize data strategies that emphasize data minimization, privacy-enhancing technologies, and the use of anonymization or pseudonymization.
