AIGP Study Guide
Module 5: Existing Laws & AI · BoK III.A

The GDPR and AI

In effect since 2018, the GDPR is the global baseline for data protection, deliberately technology-agnostic so it can evolve alongside AI. Three provisions intersect most with AI: Article 22 (automated decisions), Article 35 (DPIAs) and Recital 26 (anonymisation).

Why it reaches AI

AI systems consume extensive data, so when that includes personal data they fall within the GDPR's scope → collection, use, protection and control duties, including supporting the right to delete. The underpinning principles → lawfulness, fairness and transparency · purpose limitation · data minimisation · accuracy · storage limitation · integrity and confidentiality · accountability.

The three provisions that intersect with AI:

  • Article 22 (automated decision-making) → requires a review process for decisions with adverse or material impacts on individuals.
  • Article 35 (DPIAs) → mandates data protection impact assessments for high-risk or significant processing activities.
  • Recital 26 (anonymisation) → emphasises pseudonymisation and anonymisation techniques to safeguard personal data in AI development.

Key terms - quick answers

What is “GDPR”?
The EU General Data Protection Regulation, in effect since 2018; technology-agnostic global baseline for data protection.
What is “Article 22”?
GDPR provision: a general prohibition (with three exceptions) on decisions based solely on automated processing with legal/significant effects.
What is “Article 35 (DPIA)”?
GDPR provision mandating data protection impact assessments for high-risk or significant processing.
What is “Recital 26”?
GDPR recital emphasising pseudonymisation and anonymisation to safeguard personal data.