AI Decoded · Episode 40 · 35 min

GDPR and AI: What the Intersection Actually Means for You

As organisations use AI to process personal data at scale, GDPR creates obligations that many teams are unprepared for. The six most important GDPR considerations when building AI products — explained without legal jargon.

Topics Covered

GDPR, AI regulation, data protection, EU law

Transcript Excerpt

Sofia: GDPR has been around since 2018, but AI is creating new questions it wasn't designed for. What are the most pressing ones right now?

Sofia: The most pressing is what happens when AI makes decisions about people. GDPR Article 22 gives individuals the right not to be subject to solely automated decisions that significantly affect them — hiring, credit, insurance. But what counts as "solely automated"? If a human rubber-stamps an AI decision, is that sufficient human oversight? The courts and regulators are still working this out, and different EU countries are interpreting it differently.

Sofia: What about training data? Is it GDPR-compliant to train an AI on publicly available data that includes personal information?

Sofia: This is the question that's keeping AI lawyers employed. The short answer is: it's complicated and jurisdiction-dependent. The Italian data protection authority blocked ChatGPT on exactly this basis in 2023. The working assumption in most of the EU now is that you need a lawful basis for processing personal data in training — legitimate interest is commonly used, but it's not a blank cheque. If you're scraping personal data from the web to train a model, you should be talking to a lawyer.

Sofia: For a small startup, what's the practical minimum GDPR compliance posture for an AI product?

Sofia: Privacy by design, a data processing record, and honest privacy notices. That gets you 80% of the way there. The remaining 20% depends on your specific use case.

Part of

AI Decoded

AI explained for humans

42 episodes · Weekly
