General Data Protection Regulation (GDPR)
Why it matters
I am seeing teams treat the EU AI Act as if it replaced GDPR. It does not. The AI Act sits on top of GDPR; it adds product-style obligations while GDPR keeps governing every personal data point flowing through the system. Training corpora with personal data, prompts containing names, retrieval indexes memorising customer records, agent memory accumulating over months, scoring outputs deciding who gets credit: each step is a GDPR question first. Most of what gets reported as an “AI compliance failure” in 2026 is, on inspection, a GDPR failure (no lawful basis, no purpose limitation, no data subject rights process) in newer clothes.
Where you’ll encounter it
Three contexts recur. A Data Protection Impact Assessment opens the moment an AI system processes personal data at meaningful scale, and the DPIA is what the regulator asks for first. An Article 22 “right to explanation” objection lands after an algorithmic decision (a denied loan, a rejected application, a fraud flag), and engineers have to produce a plain-language account of what the model did. A vendor’s training data turns out to include PII scraped without lawful basis, and the liability does not stay with the vendor. The pitfall is treating GDPR as a one-time launch checkbox; it is an ongoing accountability surface, and the records have to be live.
Part of the 7wData AI Glossary.