A European logistics company rolled out an AI-powered workforce scheduling tool in late 2024. Six months later, their Data Protection Officer discovered that the system was processing employee health data to predict absenteeism — without a valid legal basis, without a Data Protection Impact Assessment, and without anyone having informed the workers. The regulatory exposure ran into seven figures.
The DPO had not been consulted before procurement. The IT team had classified the tool as “operational software.” And the vendor’s privacy documentation was a single-page FAQ.
This is not an edge case. It is the default scenario in organisations where the DPO is not embedded in AI governance from the start. As AI adoption accelerates, the Data Protection Officer’s role is expanding from GDPR guardian to the central node in a web of overlapping regulations — the GDPR, the EU AI Act, and sector-specific rules that increasingly treat data protection and AI governance as inseparable.
À retenir
- Every AI system processing personal data requires a DPIA — and most AI systems process personal data
- The GDPR and the EU AI Act create overlapping obligations that the DPO is uniquely positioned to coordinate
- Vendor assessment for AI tools must go beyond standard data processing agreements to cover model training, data retention, and output accuracy
- Employee monitoring via AI is one of the highest-risk areas, requiring explicit legal bases and transparency obligations
- An AI inventory is the foundation of both data protection and AI Act compliance — build one before anything else
Why the DPO role is expanding
Data Protection Officers have always operated at the intersection of technology and regulation. But AI changes the calculus in three fundamental ways.
First, AI systems are inherently data-hungry. They process personal data at scale — often in ways that are opaque to both the organisation deploying them and the individuals whose data flows through them. This opacity directly challenges the GDPR’s transparency and accountability principles.
Second, the EU AI Act creates a parallel regulatory framework that overlaps significantly with the GDPR. High-risk AI systems require conformity assessments, documentation, and human oversight obligations that mirror — but do not duplicate — existing data protection requirements. Someone needs to coordinate these overlapping obligations. In most organisations, that person is the DPO.
Third, AI introduces novel data protection risks that existing compliance frameworks were not designed to address: training data contamination, model memorisation, inferential analytics that derive sensitive categories from innocuous data points.
78%
of DPOs report that AI governance has become a significant part of their workload, yet only 29% have received formal training on AI-specific data protection risks
Source : IAPP Privacy Governance Report, 2025
Conducting DPIAs for AI systems
The Data Protection Impact Assessment is the DPO’s most powerful tool for AI governance. Article 35 of the GDPR already requires a DPIA for processing that is likely to result in a high risk to individuals — and AI systems almost always meet this threshold.
When a DPIA is mandatory
A DPIA is required whenever an AI system involves systematic and extensive profiling with significant effects, large-scale processing of special category data, or systematic monitoring of publicly accessible areas. In practice, this covers most AI deployments: recruitment tools, customer scoring, fraud detection, content moderation, and workforce analytics all qualify.
The DPO’s role is not merely to sign off on the DPIA. It is to ensure the assessment is conducted before the system goes live, that it covers the full data lifecycle (including model training and fine-tuning), and that identified risks are mitigated to an acceptable level.
What AI-specific DPIAs must cover
A standard DPIA template will not suffice for AI systems. You need to assess the training data — its provenance, whether it contains personal data, and whether consent or another legal basis covers its use. You must evaluate the model’s decision-making logic, even if the vendor claims it is a “black box.” And you need to consider the outputs: does the system generate new personal data through inference? Does it make or inform decisions with legal or similarly significant effects?
Vendors often claim their AI tool “does not store personal data” while the model itself has been trained on personal data, or the system processes personal data transiently during inference. Always look beyond the vendor’s privacy FAQ. Request the technical architecture documentation and assess the full data flow.
The GDPR and AI Act intersection
The GDPR and the EU AI Act are not competing frameworks — they are complementary. But the overlap creates coordination challenges that the DPO must navigate carefully.
Legal basis and purpose limitation. The GDPR requires a valid legal basis for processing personal data. The AI Act requires documentation of the intended purpose of AI systems. Where an AI system is repurposed or its outputs are used beyond the original scope, both frameworks are potentially breached simultaneously. The DPO must ensure that AI governance frameworks include purpose-limitation controls.
Transparency obligations. The GDPR’s Articles 13-14 require informing data subjects about automated decision-making. The AI Act’s transparency obligations for certain AI systems add a further layer. The DPO should establish a single transparency register that satisfies both sets of requirements.
Rights of data subjects. The right to explanation under Article 22 GDPR, the right to erasure, and the right to object all become more complex when AI is involved. Can you meaningfully erase someone’s data from a trained model? Can you explain how an AI system reached a specific decision? These are questions the DPO must be prepared to answer — or to escalate when the answers are unsatisfactory.
Article 4 AI literacy. The AI Act requires organisations to ensure staff have sufficient AI literacy. For the DPO, this means ensuring that data protection training includes AI-specific modules and that staff understand when AI processing triggers data protection obligations.
Vendor assessment for AI tools
Procurement of AI tools demands a more rigorous assessment than standard software. The DPO should be involved from the earliest stages — not brought in after contracts are signed.
Model training and data provenance. Ask vendors explicitly: was the model trained on personal data? Whose data? Under what legal basis? If the vendor cannot answer these questions clearly, that is a red flag. The data privacy implications of model training are among the most significant and least understood risks in AI procurement.
Data retention and deletion. Standard data processing agreements address data deletion upon contract termination. But AI systems raise harder questions. If your organisation’s data was used to fine-tune a model, can that fine-tuning be reversed? What happens to outputs generated from your data?
Sub-processors and international transfers. AI vendors frequently rely on cloud infrastructure across multiple jurisdictions. Map the full data flow — including where inference occurs, where logs are stored, and whether any data is used for model improvement. Ensure Schengen and adequacy requirements are met throughout.
Accuracy and bias. The GDPR’s data accuracy principle applies to AI outputs that constitute personal data. If an AI system generates inaccurate profiles or scores, the organisation is responsible. Require vendors to provide accuracy metrics, bias testing results, and mechanisms for challenging outputs.
4 in 10
AI vendor contracts reviewed by DPOs contained no provisions for model retraining notifications or accuracy guarantees
Source : Fieldfisher AI Procurement Study, 2025
Employee monitoring and AI
AI-powered employee monitoring is one of the highest-risk areas for data protection — and one of the fastest-growing. Tools that analyse keystrokes, track productivity, monitor communications, or assess sentiment are proliferating, often marketed as “employee experience” or “workforce analytics” platforms.
The DPO must take a firm position here. Employee monitoring via AI requires a specific legal basis — legitimate interest alone is rarely sufficient given the power imbalance in the employment relationship. In most EU jurisdictions, works council consultation or employee consent is required. Transparency must be genuine, not buried in an HR policy handbook.
The risk of shadow AI compounds the problem. Managers may adopt AI tools for team monitoring without formal procurement, creating data protection breaches that the organisation does not even know about. Building an AI policy that explicitly addresses employee-facing AI is essential.
Create a specific review process for any AI tool that processes employee data. Require a DPIA, works council notification (where applicable), and a plain-language employee notice before deployment. No exceptions, regardless of how the tool is marketed.
Building your AI inventory
You cannot protect data you do not know is being processed. The AI inventory is the single most important deliverable for any DPO engaging with AI governance.
An AI inventory maps every AI system in the organisation — procured, built in-house, or adopted informally by employees. For each system, it records the data processed (including personal data categories), the legal basis, the risk classification under the AI Act, the vendor details, and the DPIA status.
This inventory serves dual purposes. It is the foundation for GDPR compliance — ensuring your records of processing activities are complete. And it is the starting point for AI Act compliance — enabling risk classification, conformity assessment planning, and Article 4 training scoping.
Start by surveying department heads and IT procurement records. But do not stop there. The most significant risks often come from tools adopted outside formal channels. A thorough AI risk assessment should include shadow AI discovery as a core activity.
Test your AI and data protection knowledge
Equip your data protection team with Brain
Brain is the AI readiness platform that helps Data Protection Officers and their teams build genuine competency in AI governance. Role-specific training covering the GDPR-AI Act intersection, DPIA methodology for AI systems, vendor assessment, and responsible AI use — designed to produce demonstrable expertise, not just compliance certificates.
With tracking dashboards that map team progress against regulatory obligations, Brain helps DPOs turn overlapping AI regulations from a coordination headache into a structured programme. Explore our plans to get started.
Related articles
GDPR + AI Act Compliance Software: How to Choose in 2026
Practical checklist to choose privacy-first AI tools that comply with GDPR and EU AI Act. Vendor questions, DPIA triggers, no-training-on-data APIs.
AI Compliance Automation: Cut Costs + Reduce Risk
Automate regulatory compliance with AI — cut costs, reduce manual errors and lower risk. Tools, frameworks and implementation strategies.
AI Compliance Monitoring: Automate Oversight (2026)
Automate regulatory oversight with AI compliance monitoring — tools, frameworks and implementation guide for enterprise teams.