GDPR-Compliant AI Automation: A 10-Point Checklist

Ali Amin

You can add GDPR-compliant AI automation to your UK business — but it requires deliberate choices at the design stage, not a retrospective legal review. The key steps are mapping your data flows before building, establishing a lawful basis for each processing activity, signing Data Processing Agreements with every vendor that touches personal data, and building human oversight into any automated decision that affects individuals. This 10-point checklist covers each requirement in plain English.

Why GDPR applies to AI automation

Most AI workflows process personal data — customer names, email addresses, call transcripts, or invoice details linked to a named individual. Under UK-GDPR (the UK's post-Brexit retained version of the EU regulation), processing that data through an automated system is lawful only when you have a valid legal basis and have implemented appropriate safeguards.

The ICO (Information Commissioner's Office) treats AI as a high-priority area and has published dedicated guidance on AI and data protection. Enforcement has increased year-on-year: businesses that deploy AI without a documented compliance approach face fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.

The practical upside: compliance is achievable without months of legal work. Most UK SMEs can reach a defensible position by working through the checklist below before a workflow goes live.

What counts as personal data in AI workflows

Personal data is any information that relates to an identified or identifiable individual. In a typical B2B AI automation context, this includes:

  • Customer names, email addresses, and phone numbers — standard contact data.
  • Call and meeting transcripts — even where names are not spoken, voice recordings can identify an individual.
  • Support tickets and chat logs — often contain names, account details, and descriptions of personal circumstances.
  • Invoice and payment records — linked to a named person in most B2B relationships.
  • Job titles and employer names — personal data when combined with a name or email address.

If your workflow reads from a CRM, inbox, helpdesk, or finance system, it almost certainly processes personal data and must be assessed before launch.

The 10-point checklist

1. Map your data flows

Before building anything, document what personal data your workflow processes, where it originates, where it is sent, and how long it is retained. A simple spreadsheet is sufficient at the outset. This mapping is the foundation for everything else — you cannot establish a lawful basis or assess risk for data you have not identified.

2. Identify a lawful basis for each processing activity

Under UK-GDPR, every processing activity requires a lawful basis. For B2B AI automation, the three most relevant are:

  • Legitimate interests — the processing is necessary for your business purposes and does not disproportionately override the individual's rights. You must document a Legitimate Interests Assessment to support this.
  • Contract performance — processing is necessary to deliver on a contract with the individual.
  • Legal obligation — required for statutory compliance, such as payroll or financial record-keeping.

Consent is rarely the right choice for internal automation workflows: it must be freely given, specific, and withdrawable, which is difficult to maintain at scale.

3. Conduct a DPIA when the processing is high-risk

A Data Protection Impact Assessment is mandatory before you begin any processing that is likely to result in high risk to individuals. AI automation crosses this threshold when it involves systematic profiling, special category data (health, ethnicity, religion, biometrics), or automated decisions with legal or similarly significant effects.

For routine automation — invoice extraction, lead routing, support triage — a DPIA is not always legally required, but completing one proactively demonstrates accountability and gives you a written record in the event of a complaint.

If you are unsure whether your workflow triggers the obligation, an AI strategy engagement can help you assess risk workflow by workflow before committing to a build.

4. Sign Data Processing Agreements with every vendor

If your workflow sends personal data to a third-party vendor — an LLM API, an automation platform, a CRM, a cloud storage provider — that vendor is acting as a data processor on your behalf. Article 28 of UK-GDPR requires a written Data Processing Agreement in place before processing begins.

Check that each DPA covers: the subject matter and duration of processing, the nature and purpose, the categories of data and data subjects, the processor's obligations to support your data subject rights, and instructions for deletion at contract end. Major LLM providers offer standard DPAs — request one from each vendor before going live.

5. Apply data minimisation

Only collect and transmit the personal data your workflow genuinely needs. If a support-triage workflow can categorise a ticket without sending the customer's full account history to the LLM, send only the ticket body. Minimising input data reduces breach surface area, lowers AI API costs, and makes privacy notices simpler to write.

6. Set and enforce data retention limits

Decide how long your workflow retains its outputs — AI-generated summaries, classification labels, intermediate logs — and build that limit into the system. Retaining personal data beyond what is necessary breaches UK-GDPR's storage limitation principle. A written retention schedule, reviewed annually, satisfies the ICO's documentation expectations.

7. Build human review into automated decisions

Article 22 of UK-GDPR gives individuals the right not to be subject to solely automated decisions that produce legal or similarly significant effects — including decisions about credit, employment, or service access. For most internal B2B workflows this right is not triggered, but if your AI makes a final decision about a named individual without human review, you must either bring the processing within a valid Article 22 exception or introduce a meaningful human sign-off step before the decision is enacted.

8. Maintain an Article 30 record of processing activities

Article 30 of UK-GDPR requires organisations with 250 or more employees — or any organisation that processes personal data regularly and in ways that could risk individuals' rights — to maintain a written record of processing activities. Even below that threshold, maintaining such a record is ICO best practice.

Add each AI automation workflow to the record: purpose, data categories, data subject categories, retention periods, third-party processors involved, and security measures applied.

9. Secure every data transit point

Personal data transmitted to an external API must be encrypted in transit (TLS 1.2 minimum). Restrict API key permissions to the minimum needed for the workflow. Avoid writing raw personal data to application logs — log identifiers or redacted references instead. Where the workflow writes outputs back to a CRM or inbox, apply least-privilege access controls to the integration credentials.
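Points 5, 6 and 9 can be enforced in code rather than left to policy. The following Python is an added illustration, not code from this article: a constructed sample ticket, a minimiser that passes only the ticket body to the model, a one-pass redactor that swaps emails and phone numbers for salted, non-reversible references before anything is logged, and a retention purge over stored outputs. The ticket shape, the regexes and the secret salt are assumptions.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample helpdesk ticket (not real data), shaped like a CRM/helpdesk export.
SAMPLE_TICKET = {
    "id": "TKT-1042",
    "customer": {"name": "Jane Doe", "email": "jane.doe@example.com",
                 "account_history": ["Renewed plan 2023", "Late payment 2024-02"]},
    "body": ("Hi, my invoice shows the wrong VAT rate, please check. "
             "Reply to jane.doe@example.com or call +44 7700 900123."),
}

# Illustrative patterns only: a production redactor needs broader coverage (names, postcodes, ...).
PII_RE = re.compile(
    r"(?P<email>[\w.+-]+@[\w-]+\.[\w.-]+)|(?P<phone>\+?\d[\d \-()]{7,}\d)"
)


def minimise_for_llm(ticket: dict) -> dict:
    """Point 5: the triage prompt gets only the ticket id and body, never the
    customer record or account history."""
    return {"id": ticket["id"], "body": ticket["body"]}


def pseudonymise(value: str, salt: str) -> str:
    """Stable, non-reversible reference so log lines can be correlated without
    storing the raw value. The salt is a secret (hypothetical config value) and
    must itself never be written to the logs."""
    return hashlib.sha256((salt + value).encode("utf-8")).hexdigest()[:12]


def redact_for_log(text: str, salt: str) -> str:
    """Point 9: replace emails and phone numbers with redacted references before
    the text reaches an application log. One pass over a combined pattern, so a
    substituted reference is never re-scanned by the other rule."""
    return PII_RE.sub(lambda m: f"<{m.lastgroup}:{pseudonymise(m.group(0), salt)}>", text)


def purge_expired(outputs: list, now_iso: str, retention_days: int) -> list:
    """Point 6: enforce the retention schedule in code. Each stored output carries
    an ISO-8601 'created_at' timestamp; anything older than the limit is dropped."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return [o for o in outputs if datetime.fromisoformat(o["created_at"]) >= cutoff]
```

Run `purge_expired` from a scheduled job against the store that holds AI summaries and labels, and point every logger at `redact_for_log` rather than the raw ticket text.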

10. Brief the staff who interact with AI outputs

GDPR compliance is a team responsibility. Any staff member who reviews AI outputs, acts on AI recommendations, or handles escalated cases should understand that personal data is involved, how to respond to a data subject access request, and how to report a suspected breach. A short internal briefing — 20 minutes and a one-page reference sheet — is sufficient for most teams.

Common mistakes to avoid

The most frequent GDPR gaps in AI automation projects:

  • No DPA signed with the LLM provider before the workflow goes live.
  • Logs retaining full personal data without a retention policy or automatic deletion.
  • Legitimate interests assumed as a lawful basis without a documented LIA.
  • No DPIA completed for a workflow that scores or profiles individuals.
  • Privacy notice not updated to reflect the new AI processing activity.

All of these are straightforward to fix before launch. They become expensive after a data subject complaint or an ICO inquiry.

What to ask an AI automation vendor before signing

Five questions worth putting in writing:

  1. Will you sign a DPA, or do you require us to sign yours — and can we review it before committing?
  2. In which regions does your infrastructure run? (Data transfer rules apply outside the UK and EEA.)
  3. Does your platform retain copies of input data after processing? If so, for how long?
  4. Can all personal data associated with our account be deleted on request?
  5. Do you hold ISO 27001 or SOC 2 certification?

A vendor who cannot answer these clearly before contract is a compliance risk, not just a commercial one.

Frequently asked questions

Is GDPR compliance required for AI automation in the UK?

Yes. UK-GDPR applies to any processing of personal data by a UK-based business, including automated workflows. The ICO enforces it and can issue fines up to £17.5 million or 4% of global annual turnover. Compliance is achievable for SMEs without months of legal work — the main requirements are a lawful basis, a DPA with each vendor, and documented data flows.

What personal data does AI automation typically process?

Contact details, call transcripts, support tickets, invoice records, and CRM entries commonly contain personal data. If your workflow reads from a CRM, inbox, or helpdesk, it almost certainly processes personal data and must be assessed under UK-GDPR before going live.

Do I need a Data Processing Agreement with my AI vendor?

Yes. UK-GDPR Article 28 requires a written Data Processing Agreement before a third-party vendor processes personal data on your behalf. This applies to LLM APIs and automation platforms. Major providers — OpenAI, Anthropic, Google — offer standard DPAs; request one before launch.

When does AI automation require a Data Protection Impact Assessment?

A DPIA is mandatory when processing is likely to result in high risk to individuals — for example, systematic profiling, special category data, or automated decisions with legal effects. For routine automation such as invoice extraction or support triage, a DPIA is good practice but not always legally required.

Can AI make automated decisions about people under UK-GDPR?

Article 22 of UK-GDPR restricts solely automated decisions with legal or significant effects on individuals. If your workflow makes a final decision about a person — rejecting a job application or suspending an account — you either need a valid Article 22 exception or must build in meaningful human review before the decision is enacted.


Want to build GDPR-compliant AI workflows from the start? Book a free 30-minute discovery call — we will map your data flows, identify compliance gaps, and scope a compliant build.