AI and Privacy: GDPR Compliance Guide for AI Product Teams
Navigating data protection requirements for AI systems that process personal data
AI systems are particularly challenging from a privacy perspective: they train on personal data, make inferences about individuals, and can reconstruct training data. This guide covers GDPR and CCPA requirements specific to AI, data minimization in training data, lawful basis for AI processing, DPIA requirements for high-risk AI, individual rights in automated decision-making (Article 22), privacy-preserving ML techniques (differential privacy, federated learning), and a practical compliance checklist for AI product teams.
Why AI Creates Unique Privacy Challenges
Traditional software privacy: store data, use it as specified, delete on request. Clear data flows.
AI privacy: more complex.
Each of these creates distinct legal and ethical challenges.
GDPR Requirements for AI Systems
Lawful Basis for Processing
Every use of personal data in AI requires a lawful basis:
Consent: freely given, specific, informed, unambiguous. For AI: hard to satisfy for training data (retroactive consent for historical data). Strong basis for clearly defined, opt-in use cases.
Legitimate interests: organization's interest outweighs individual's interest. Must pass three-part test: identify legitimate interest, necessity of processing, balancing test (fundamental rights and freedoms). Can support many AI use cases with proper assessment.
Contract performance: necessary to fulfill contract. Limited application for AI (your AI recommendation engine likely isn't necessary to deliver the service you contracted).
Legal obligation: complying with law. Limited application.
Public task: government functions. Government AI may rely on this basis.
Vital interests: life-or-death. Narrow application.
Practice: conduct lawful basis assessment for each AI use case before deployment. Document the assessment. Do not default to consent—it's harder to implement correctly than alternatives.
Data Minimization in AI Training
GDPR Article 5: "personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes." Applies to training data.
Implications: you should not train on more personal data than necessary for the AI's purpose. Audit training datasets: is all included data necessary? Can you achieve equivalent model quality with less personal data?
Hard question for LLMs: what data is "necessary" to train a general language model? Regulators are still working through this. Current interpretations suggest: legitimate public data is generally acceptable; private or confidential data requires justification.
Individual Rights in AI Systems
Right to information (Articles 13-14): individuals must be told when AI is used to make decisions about them, including: that automated processing occurs, the logic involved, the significance and envisaged consequences.
Right not to be subject to solely automated decisions (Article 22): individuals have a right to not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Exceptions: contract performance, explicit consent, law. This doesn't prohibit AI—it requires meaningful human involvement or explicit consent for consequential decisions.
Right of access (Article 15): individuals can request access to their personal data, including in training datasets if identifiable. For AI: can you respond to a DSAR for your training data? Most organizations cannot. Build this capability or document why training data DSARs can be declined.
Right to erasure (Article 17): "right to be forgotten." For AI: if someone requests erasure, can you remove their data from a trained model? Currently technically very difficult. Options: exclude from future training, use machine unlearning techniques, retrain model without their data (expensive). Regulators are still determining what's required.
Data Protection Impact Assessments (DPIAs)
Required when AI processing is "likely to result in a high risk to rights and freedoms." DPIA is mandatory for:
DPIA process: describe processing, assess necessity and proportionality, assess risks to rights and freedoms, identify measures to address risks.
For high-risk AI systems, DPIAs are required before deployment. Regulators may request them during investigations.
Privacy-Preserving ML Techniques
Differential Privacy
Mathematical guarantee: the addition or removal of a single person's data doesn't significantly change the model's outputs. Provides a provable privacy guarantee for training data.
Implementation: add carefully calibrated noise to the training process (DP-SGD: differentially private stochastic gradient descent). Libraries: Google's TensorFlow Privacy, PyTorch Opacus.
Tradeoff: privacy and accuracy are in tension. Higher privacy (more noise) = lower model accuracy. Choose epsilon (privacy budget) based on sensitivity of data.
Applications: training on health data, financial data, government data where individual privacy is critical.
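The DP-SGD step described above, as an added example that is not from the original guide or from either library: each record's gradient is clipped, then Gaussian noise sized to that clip is added. The data, function names, learning rate and noise multiplier are constructed for illustration, and the privacy accounting that turns the noise level into an epsilon is not included.

```python
import math
import random

def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))

def clip(grad, max_norm):
    """Scale one record's gradient so its L2 norm is at most max_norm."""
    norm = l2_norm(grad)
    return [g * min(1.0, max_norm / norm) for g in grad] if norm > 0 else list(grad)

def sigmoid(z):
    # Numerically stable for large |z|.
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))

def per_example_grad(w, x, y):
    """Logistic-loss gradient for a single record (x, y), y in {0, 1}."""
    p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)))
    return [(p - y) * xi for xi in x]

def dp_sgd_step(w, batch, lr, max_norm, noise_multiplier, rng):
    """Clip each record's gradient, sum, add Gaussian noise, then average and step."""
    total = [0.0] * len(w)
    for x, y in batch:
        g = clip(per_example_grad(w, x, y), max_norm)
        total = [t + gi for t, gi in zip(total, g)]
    sigma = noise_multiplier * max_norm  # noise sized to one record's maximum influence
    noisy = [t + rng.gauss(0.0, sigma) for t in total]
    return [wi - lr * n / len(batch) for wi, n in zip(w, noisy)]

# Constructed sample data: four records, then the same batch with one extreme record.
BATCH = [([1.0, 0.5], 1), ([0.2, -1.0], 0), ([-0.7, 0.3], 1), ([0.9, 0.9], 0)]
NEIGHBOUR = BATCH[:3] + [([1000.0, -1000.0], 1)]

def one_record_shift(lr=0.1, max_norm=1.0):
    """Distance between the two noise-free updates, and the clipping bound on it."""
    w0 = [0.0, 0.0]
    a = dp_sgd_step(w0, BATCH, lr, max_norm, 0.0, random.Random(0))
    b = dp_sgd_step(w0, NEIGHBOUR, lr, max_norm, 0.0, random.Random(0))
    shift = l2_norm([ai - bi for ai, bi in zip(a, b)])
    return shift, 2 * lr * max_norm / len(BATCH)

if __name__ == "__main__":
    shift, bound = one_record_shift()
    print(f"shift from swapping one record: {shift:.4f} (bound {bound:.4f})")
    noisy = dp_sgd_step([0.0, 0.0], BATCH, 0.1, 1.0, 1.1, random.Random(42))
    print("noisy update:", noisy)
```

Clipping is what bounds any single record's effect on the update, however extreme the record; the noise is then scaled to that bound, which is where the accuracy cost comes from.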
Federated Learning
Train model without centralizing data: model updates go to central server, not raw data.
How it works: central server sends model to clients → clients train on local data → clients send model updates (gradients) → server aggregates updates → updated global model. Raw data never leaves clients.
Applications: mobile keyboard prediction (Apple, Google), healthcare networks (hospitals contribute to model without sharing patient records), financial institution risk models.
Limitations: not a complete privacy solution. Gradient inversion attacks can partially reconstruct training data from gradients. Often combined with differential privacy.
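The round trip described under "How it works", as an added example that is not from the original guide: a sample-weighted federated averaging loop in which the server only ever receives weight deltas and record counts. The linear model, client data and hyperparameters are constructed for illustration.

```python
def local_update(global_w, records, lr=0.1, epochs=5):
    """Client: train a linear model on local records; return only (delta, count)."""
    w = list(global_w)
    for _ in range(epochs):
        for x, y in records:
            err = sum(wi * xi for wi, xi in zip(w, x)) - y
            w = [wi - lr * err * xi for wi, xi in zip(w, x)]
    # The records stay on the client. The delta is still computed from them,
    # which is why federated learning is often combined with differential privacy.
    return [wi - gi for wi, gi in zip(w, global_w)], len(records)

def aggregate(global_w, updates):
    """Server: sample-weighted average of client deltas, applied to the global model."""
    total = sum(n for _, n in updates)
    return [g + sum(d[i] * n for d, n in updates) / total
            for i, g in enumerate(global_w)]

def federated_train(clients, dim, rounds=50):
    """Run the send-model / train-locally / aggregate loop for a fixed number of rounds."""
    w = [0.0] * dim
    for _ in range(rounds):
        updates = [local_update(w, records) for records in clients]  # runs on clients
        w = aggregate(w, updates)                                    # runs on server
    return w

# Constructed data: three clients hold disjoint records of y = 2*x1 - 1*x2.
CLIENTS = [
    [([1.0, 0.0], 2.0), ([1.0, 1.0], 1.0)],
    [([0.0, 1.0], -1.0), ([2.0, 1.0], 3.0)],
    [([1.0, -1.0], 3.0), ([0.5, 0.5], 0.5), ([-1.0, 1.0], -3.0)],
]

if __name__ == "__main__":
    print("global model after training:", federated_train(CLIENTS, dim=2))
```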
Synthetic Data Generation
Train on synthetic data that statistically mirrors real data without containing real records.
Generation methods: GANs (Generative Adversarial Networks), diffusion models, statistical simulation.
Benefits: completely avoids privacy risk of real data, enables data sharing for research.
Limitations: synthetic data quality rarely matches real data. Downstream model quality typically suffers. Better for augmentation than complete replacement.
Practical GDPR AI Compliance Checklist
Pre-deployment:
□ Identify all personal data in training sets
□ Assess lawful basis for training data
□ Complete DPIA if required
□ Implement Article 22 human oversight for consequential automated decisions
□ Create privacy notice describing AI processing
□ Establish individual rights procedures (access, erasure)
□ Data minimization review of training data
□ Vendor DPAs in place for AI tools
Ongoing:
□ Annual review of AI processing activities
□ Monitor regulatory guidance (AI Act, data protection authority decisions)
□ Training data audit for new training runs
□ DSAR response process for AI systems
□ Incident response plan for AI data breach
Documentation:
□ Records of processing activities (Article 30)
□ DPIA documentation
□ Lawful basis assessments
□ Data flows documentation for AI systems
Note: this guide is for general information. AI privacy compliance requires legal counsel familiar with your specific jurisdiction and use cases.