GDPR does not set specific rules for AI as such, but the general principles apply in full. Purpose limitation: you may only use personal data for the purpose for which it was collected. Data minimisation: do not use more data than strictly necessary. Storage limitation: do not retain data longer than needed. Integrity and confidentiality: protect the data adequately.

If your AI system processes personal data, all those principles must be complied with. That starts at the moment of training the model, not just at deployment.

A specific article in GDPR, Article 22, is particularly relevant for AI: the right not to be subject to automated individual decision-making that produces legal effects or similarly significantly affects the individual.

Concretely, this means you cannot automatically reject or assess people without human intervention when that decision has significant consequences. Think of rejecting a credit application, screening job applicants or determining an insurance premium purely on the basis of algorithms.

If your AI system makes these kinds of decisions, you need a legal basis, you must inform the data subject and there must be the possibility of human intervention and objection.

Every use of personal data requires a legal basis. The most common grounds for AI applications are consent from the data subject, necessity for the performance of a contract and the legitimate interest of the controller.

Consent sounds straightforward but is strict in practice: it must be freely given, specific, informed and unambiguous. Pre-ticked boxes do not count. Legitimate interest requires a balancing test where your interest outweighs the interests of the data subject.

GDPR provides extra protection for special categories of personal data: health data, biometric data, data about racial or ethnic origin, political opinions, sexual orientation and other sensitive categories. Processing these is in principle prohibited unless a specific exception applies.

AI systems that work with facial recognition, voice analysis or medical records almost always process special categories. The compliance bar here is considerably higher.

In addition to GDPR, the European AI Act is entering into force in phases. This legislation introduces risk categories for AI systems and sets additional requirements, particularly for high-risk applications such as AI in recruitment, credit assessment, education and critical infrastructure.

Organisations building AI systems now are wise to take the AI Act into account, even if not all requirements are yet in effect. Retrofitting is more costly than designing correctly from the outset.

Conduct a DPIA (Data Protection Impact Assessment) for AI systems that may pose risks to data subjects. This is legally required for high-risk processing and prudent for virtually all AI applications involving personal data.

Maintain a processing register that also covers AI applications. Ensure a data processing agreement is in place with every vendor that processes personal data on your behalf, including providers of AI models and platforms.

Not every AI application is problematic from a privacy perspective. AI that works with anonymised or synthetic data, AI that optimises internal processes without processing personal data and AI that generates content based on business documents without personal information all fall outside the scope of GDPR.

Mach8 helps organisations design AI applications that are privacy-compliant from the outset, not as an afterthought.

AI and privacy are compatible, but it requires deliberate choices and thorough knowledge of GDPR. Those who handle this well can use AI safely and responsibly without unnecessary legal risks.

Want to know how Mach8 can help you use AI in a privacy-compliant way? Get in touch or view our AI agents service.