Compliance & trust

Classify data, choose the right model, maintain an audit trail. Easier than you think.

GDPR and AI are not in conflict. Only poor implementations are.

AI and GDPR — how to avoid violations, step by step

In short

Using AI without violating GDPR (General Data Protection Regulation — the European regulation on personal data protection) means: classifying data before anything else (personal/sensitive/public), using self-hosted or private cloud models within the EU for personal data, anonymizing when sending input to public models, maintaining an immutable audit log, and natively implementing GDPR rights (access, rectification, erasure). It's not magic — it's discipline.

  • Classify data before any AI integration
  • Self-hosted/private EU cloud for personal data
  • Anonymization for calls to public models
  • Audit log + native GDPR rights implementation

The 5 basic rules

We apply them in every project:

  • Data classification: personal / sensitive / business / public
  • Personal data → self-hosted or private EU cloud models
  • Anonymization/pseudonymization for public models (OpenAI, Anthropic)
  • Immutable audit log for any AI action on personal data
  • Native GDPR rights (access, rectification, erasure) in the solution
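An added illustration of rules 3 and 4 (example code, not from the page's author): a Python pseudonymization step that swaps personal data for tokens before a prompt goes to a public model and restores them locally in the answer, plus a hash-chained audit log that stores only a digest of the prompt, so the log itself holds no personal data. The known-names list, the e-mail pattern and the sample text are constructed assumptions; a real gateway covers every class found in the classification step.

```python
import hashlib, json, re
from datetime import datetime, timezone

# Constructed demo: pseudonymizes explicitly known names plus e-mail addresses;
# a real gateway covers every class identified in the data classification step.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
GENESIS = "0" * 64

def pseudonymize(text, known_names):
    """Swap personal data for stable tokens; only the returned text leaves your systems."""
    mapping = {}
    def token_for(kind, value):
        for tok, orig in mapping.items():  # reuse the token for a repeated value
            if orig == value:
                return tok
        tok = f"[{kind}_{len(mapping) + 1}]"
        mapping[tok] = value
        return tok
    safe = text
    for name in sorted(known_names, key=len, reverse=True):  # longest names first
        safe = safe.replace(name, token_for("NAME", name))
    safe = EMAIL_RE.sub(lambda m: token_for("EMAIL", m.group(0)), safe)
    return safe, mapping

def reidentify(text, mapping):
    for tok, orig in mapping.items():  # restore originals in the model's answer, locally
        text = text.replace(tok, orig)
    return text
def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
class AuditLog:
    """Append-only hash chain: altering or deleting a past record breaks verify()."""
    def __init__(self):
        self.entries = []
    def append(self, action, subject_ref, prompt_sent):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
                 "subject_ref": subject_ref,  # digest below: the log holds no prompt text
                 "prompt_sha256": hashlib.sha256(prompt_sent.encode()).hexdigest(),
                 "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]
    def verify(self):
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Erasure requests (rule 5) are then served by deleting the subject's entries from the token mapping store; the audit chain stays intact because it never contained the personal data.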

What you need to do, in parallel

At minimum, three things on your side: update your privacy policy to cover AI usage, conduct a DPIA (Data Protection Impact Assessment) when sensitive data or automated decisions with real impact are involved, and inform users when AI generates content or makes decisions. We'll help you with templates for all three.

Common mistakes — and how to avoid them

The most common are sending CVs or contracts straight to the public ChatGPT, having no internal AI usage policy, and keeping no audit log for automated decisions. All of them are avoidable with the right architecture from the start.
