GDPR & AI agents: a practical checklist for EU SMEs

Governance · 6 min read · 7 June 2026 · By the Nealphast team

AI agents can process a lot of personal data quickly — which is exactly why European SMEs need to get the data-protection basics right before an agent goes live, not after. This is a practical, plain-language checklist. It isn’t legal advice, but it will help you ask the right questions.

This article is general information, not legal advice. Confirm your specific obligations with a qualified adviser and your Data Protection Officer where you have one.

1 · Know your role: controller or processor

Under the GDPR, the controller decides why and how personal data is processed; a processor acts on the controller’s instructions. For most agents you build for your own business, you are the controller. If a vendor builds and runs the agent for you, they are usually your processor — and you need a written Data Processing Agreement (Article 28) with them. The same article reaches one level down: the model or hosting provider your vendor relies on is a sub-processor, and Article 28 requires your prior written authorisation (general or specific) before the vendor engages one, so ask for the sub-processor list before you sign.

2 · Map what the agent will touch

Before building, write down: what personal data the agent will read, where it comes from, what it will do with it, where it’s stored, and who can see the outputs. You can’t protect data you haven’t mapped, and this record feeds directly into your Article 30 records of processing.

3 · Identify a lawful basis

Every processing purpose needs a lawful basis under Article 6 — commonly performance of a contract, legitimate interests, or consent. “We wanted to try AI” is not a lawful basis. If you rely on legitimate interests, do (and keep) a balancing assessment.

4 · Apply data minimisation

Give the agent the least data it needs to do its job. Don’t pipe an entire CRM into a model when the task needs three fields. Minimisation reduces both your risk and your blast radius if something goes wrong.

A good test: if a colleague asked “why does the agent have access to this?”, could you answer in one sentence? If not, it probably shouldn’t.
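One way to make that one-sentence answer mechanical: a per-task allow-list that projects each record onto the few fields the task needs before any prompt is built, and refuses configurations that would let a blocked field through. This is an added example, not code from the original article; the task names, field names, blocked-field list and sample CRM row are all assumptions made up for illustration.

```python
"""Per-task field allow-listing before a record reaches an agent.

Added example, not code from the original article. The task names, field
names, blocked-field list and the sample CRM record are assumptions made
up for illustration.
"""
from dataclasses import dataclass, field

# The only fields each task may receive. Anything not listed is dropped
# before the prompt is built, so the model never sees it. (Assumed tasks.)
TASK_FIELDS = {
    "renewal_reminder": {"first_name", "plan", "renewal_date"},
    "invoice_query": {"customer_id", "last_invoice_total", "last_invoice_date"},
}

# Fields no task may receive, whatever its allow-list says. Assumed list; in
# practice special-category data and hard identifiers belong here.
BLOCKED_FIELDS = {"health_notes", "date_of_birth", "national_id"}

# Constructed sample record: one CRM row carrying far more than any task needs.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "first_name": "Ana",
    "last_name": "Example",
    "email": "ana@example.com",
    "plan": "Pro",
    "renewal_date": "2026-07-01",
    "last_invoice_total": "240.00",
    "last_invoice_date": "2026-06-01",
    "date_of_birth": "1988-03-14",
    "health_notes": "requests large-print invoices",
}


@dataclass
class MinimisedRecord:
    task: str
    payload: dict            # what the agent is allowed to see
    dropped: list = field(default_factory=list)  # what was withheld, for the audit trail


def minimise(record: dict, task: str) -> MinimisedRecord:
    """Project `record` onto the allow-list for `task`.

    Unknown tasks, and allow-lists that name a blocked field, are rejected
    before any data moves: both are configuration mistakes, not data errors.
    """
    if task not in TASK_FIELDS:
        raise ValueError(f"no allow-list defined for task {task!r}")
    allowed = TASK_FIELDS[task]
    clash = allowed & BLOCKED_FIELDS
    if clash:
        raise ValueError(f"allow-list for {task!r} names blocked fields: {sorted(clash)}")
    payload = {k: v for k, v in record.items() if k in allowed}
    dropped = sorted(k for k in record if k not in allowed)
    return MinimisedRecord(task, payload, dropped)


def build_prompt(record: dict, task: str) -> str:
    """Build the agent prompt from the minimised payload only.

    Fields are emitted in sorted order so the prompt is reproducible and
    easy to diff against the allow-list during review.
    """
    m = minimise(record, task)
    lines = [f"Task: {task}"] + [f"{k}: {v}" for k, v in sorted(m.payload.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    m = minimise(SAMPLE_RECORD, "renewal_reminder")
    print("sent to model:", m.payload)
    print("withheld:", m.dropped)
    print(build_prompt(SAMPLE_RECORD, "renewal_reminder"))
```

The `dropped` list is the answer to the colleague's question: for the renewal task it should name seven of the ten fields, and if it ever comes back short, the allow-list, not the agent, is what needs reviewing.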

5 · Decide on a DPIA

A Data Protection Impact Assessment (Article 35) is required where processing is likely to result in a high risk to individuals — for example, large-scale processing of sensitive data or systematic evaluation of people. New AI workflows often warrant one. Even when not strictly required, a lightweight DPIA is a useful way to surface risks early. If the assessment finds a high risk you cannot mitigate, you must consult your supervisory authority before the processing starts (Article 36), so do the DPIA while the design can still change.

6 · Watch for automated decisions

Article 22 gives people rights around decisions made solely by automated means that have legal or similarly significant effects, such as refusing credit, rejecting a job application or cutting off a service. Keeping a human meaningfully in the loop for consequential decisions is both good practice and a way to stay on the right side of this rule. "Meaningfully" is the operative word: the reviewer must see the inputs, have the authority to overturn the agent's recommendation, and actually do so sometimes. A reviewer who approves every output unread does not take the decision out of Article 22.

7 · Control international transfers

If your model provider or hosting sits outside the EEA, you need a valid transfer mechanism — typically Standard Contractual Clauses backed by a transfer impact assessment, or an EU adequacy decision for the destination country — and you should know which one applies before the first request leaves your network. Many teams prefer EU-hosted options specifically to keep this simple; when you do, check that the whole chain stays in the EEA (inference, logging and the provider's support access), not just the endpoint you call.

8 · Don’t let your data train someone else’s model

Check the terms of any model or tool you use. Make sure your inputs and outputs are not used to train shared models unless you have explicitly decided that’s acceptable. Enterprise and API tiers usually offer this; consumer tiers often don’t. A training opt-out is not the same as zero retention: check separately how long the provider keeps prompts and outputs (for abuse monitoring, for example), who on their side can read them, and record the answer in your data map from step 2.

9 · Plan retention and deletion

Decide how long the agent’s inputs, outputs and logs are kept, and make sure you can delete personal data on request. Logs are easy to forget — they often contain exactly the personal data a deletion request is about.

10 · Be ready for data-subject rights

People can ask to access, correct or erase their data, and to object to processing. Make sure your agent’s data is discoverable and editable enough to honour those requests within the GDPR’s timelines: one month from the request, extendable by two further months for complex cases (Article 12). That includes every copy, so the logs from step 9, any caches, and whatever your vendor holds on your behalf all need to be reachable by the same lookup.
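Steps 9 and 10 come down to one design decision: the agent's log store has to be keyed so that a single person's entries can be found, exported, deleted and aged out without a manual trawl. The following is an added example, not code from the original article; the SQLite schema, the pseudonymisation key, the 90-day retention period and the sample entries are assumptions made up for illustration.

```python
"""Agent log store that can honour retention limits and data-subject requests.

Added example, not code from the original article. The schema, the
pseudonymisation key, the retention period and the sample entries are
assumptions made up for illustration.
"""
import hashlib
import hmac
import json
import sqlite3
import time
from typing import Optional

RETENTION_SECONDS = 90 * 24 * 3600  # assumed 90-day retention for agent logs

# Assumed secret for this example; in production it lives in a secrets
# manager and is never committed alongside the code.
PSEUDONYM_KEY = b"example-key-do-not-ship"


def subject_ref(subject_id: str) -> str:
    """Keyed hash (HMAC-SHA256) of the customer identifier.

    Log rows carry this instead of the raw id, so a dumped log table does not
    list customers directly, yet anyone holding the key can still locate every
    row for one person when an access or erasure request arrives.
    """
    return hmac.new(PSEUDONYM_KEY, subject_id.encode(), hashlib.sha256).hexdigest()


class AgentLog:
    def __init__(self, path: str = ":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS agent_log ("
            "id INTEGER PRIMARY KEY, subject_ref TEXT NOT NULL, "
            "recorded_at INTEGER NOT NULL, task TEXT NOT NULL, payload TEXT NOT NULL)"
        )
        # Indexed lookup by subject: an erasure request must not mean a table scan.
        self.conn.execute("CREATE INDEX IF NOT EXISTS ix_subject ON agent_log(subject_ref)")

    def record(self, subject_id: str, task: str, prompt: str, output: str,
               now_ts: Optional[int] = None) -> None:
        """Store one agent interaction, keyed by the subject's pseudonym."""
        ts = int(time.time()) if now_ts is None else now_ts
        self.conn.execute(
            "INSERT INTO agent_log (subject_ref, recorded_at, task, payload) VALUES (?, ?, ?, ?)",
            (subject_ref(subject_id), ts, task, json.dumps({"prompt": prompt, "output": output})),
        )
        self.conn.commit()

    def export_for(self, subject_id: str) -> list:
        """Access request: every interaction still held about this person."""
        rows = self.conn.execute(
            "SELECT recorded_at, task, payload FROM agent_log WHERE subject_ref = ? ORDER BY recorded_at",
            (subject_ref(subject_id),),
        ).fetchall()
        return [{"recorded_at": ts, "task": task, **json.loads(payload)} for ts, task, payload in rows]

    def erase(self, subject_id: str) -> int:
        """Erasure request: delete the person's rows and report how many went."""
        cur = self.conn.execute("DELETE FROM agent_log WHERE subject_ref = ?", (subject_ref(subject_id),))
        self.conn.commit()
        return cur.rowcount

    def purge_expired(self, now_ts: Optional[int] = None) -> int:
        """Scheduled retention job: drop everything older than the retention window."""
        ts = int(time.time()) if now_ts is None else now_ts
        cur = self.conn.execute("DELETE FROM agent_log WHERE recorded_at < ?", (ts - RETENTION_SECONDS,))
        self.conn.commit()
        return cur.rowcount

    def count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM agent_log").fetchone()[0]


if __name__ == "__main__":
    NOW = 1_780_000_000  # constructed timestamp for the demo
    log = AgentLog()
    log.record("C-1001", "renewal_reminder", "remind Ana", "Drafted reminder", now_ts=NOW - 120 * 86400)
    log.record("C-1001", "invoice_query", "last invoice for C-1001?", "240.00 on 2026-06-01", now_ts=NOW)
    log.record("C-2002", "invoice_query", "last invoice for C-2002?", "99.00 on 2026-05-20", now_ts=NOW)
    print("purged by retention:", log.purge_expired(now_ts=NOW))
    print("access export for C-1001:", log.export_for("C-1001"))
    print("erased for C-1001:", log.erase("C-1001"))
    print("rows left:", log.count())
```

Two points worth noting. The retention purge and the erasure path are deliberately separate functions: the first runs on a schedule with no human involved, the second is triggered by a request and returns a count you can quote back to the requester. And because the subject key is an HMAC rather than a plain hash, someone who obtains the log table but not the key cannot simply hash known customer ids to re-identify rows.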

The one-page version

  • Know your role and sign a DPA where needed.
  • Map the data; pick a lawful basis.
  • Minimise access; DPIA the risky stuff.
  • Keep a human on consequential decisions.
  • Handle transfers; block model training on your data.
  • Set retention; support access, correction and erasure.

None of this needs to slow you down. Designed in from the start, data protection is mostly a set of sensible defaults — and it’s far cheaper than retrofitting compliance onto an agent that’s already live. We cover how we build these controls into every engagement on our Security & governance page.

Thinking about where an agent could help your team? We’re always happy to talk it through — no hard sell. Book a discovery call →