EU AI Act & GDPR - DIY Compliance Starter Kit

Purpose. This kit helps you understand and reduce AI-related regulatory risk under the EU AI Act and GDPR at a practical level. It is not legal advice and does not certify compliance.

Recommended path (60–120 minutes):

1. Classify AI risk (Section 02)
2. Map personal data flows (Section 03)
3. Document your AI system (Section 04)
4. Review basic controls (Section 05)

When to stop. Stop DIY and seek validation if (a) risk is medium/high, (b) outputs affect individuals materially, (c) sensitive data is involved, (d) enterprise procurement requires formal answers, or (e) you are unsure about any key decision.

The EU AI Act follows a risk-based approach. Obligations depend on how AI is used in your product, not on generic labels.

What increases risk most

• Use in regulated domains (employment, finance, healthcare, education, public services)
• Automated or hard-to-challenge outcomes
• Limited human oversight
• Use of personal or sensitive data
• Opaque or hard-to-explain outputs

Common misconception

“We use an LLM API, so compliance is the provider’s problem.” In practice, you remain responsible for how AI is used in your product and how data flows through vendors.

Answer the checklist below. If you have any “High” signal, treat your system as potentially high risk until validated.

Checklist

• Is AI a core function of the product?
• Does the system make or recommend decisions about individuals?
• Are outputs used without mandatory human review?
• Is the system used in employment, finance, healthcare, education, or public services?
• Can outputs materially affect access, eligibility, or opportunities?
• Does the system process personal data?
• Does it process sensitive data (health, biometrics, children, etc.)?
• Is the system difficult to explain to a non-technical audience?

Interpretation

• Mostly Low: low exposure; keep basic documentation.
• Mixed / Medium: expect documentation + controls; plan a structured review.
• Any High: stop DIY and validate with an audit.

GDPR typically applies at multiple stages: training data, prompts/inputs, inference, logs, feedback loops, and vendors.

Common blind spots

• Prompts containing personal data
• Logs stored indefinitely
• Unclear data sharing with LLM vendors
• No retention/deletion rules for AI-related data

Data flow mapping (10 minutes)

Create a simple table with columns: Data source, Personal data?, Stage, Vendor/System, Retention, Notes.

DPIA hint

A DPIA is more likely if AI evaluates individuals, decisions have significant effects, sensitive data is involved, or processing is large-scale. If unsure, assume “yes” until validated.

AI System Description (copy/paste)

Customer-facing AI FAQ (starter questions)

• Do you use AI in your product?
• Is decision-making automated?
• Is personal data processed?
• Which AI vendors are involved?
• Can users challenge or appeal AI outcomes?

Minimum controls checklist

• Access control (who can change prompts/models/settings)
• Logging of model outputs and key decisions
• Human override / escalation path
• Monitoring & periodic review (quality + safety)
• Incident handling (how you respond to failures)
• Vendor management (what data vendors see and retain)

Implementation priority

Prioritize high risk / low effort items first. Avoid over-engineering controls that do not reduce real risk drivers.

DIY is usually enough if risk is low, there are no automated decisions affecting individuals, sensitive data is not involved, and customers do not request formal validation.

Consider an audit if risk is medium/high, sales/procurement is blocked, you need external validation, or you want confidence instead of guesses.

Credit note: if you proceed with an AI Audit, the kit fee can be credited towards the audit.