2026-05-28

GDPR and the AI Act: compliant AI projects without the paralysis

European AI regulation worries many business leaders — including outside Europe, because as soon as you serve European customers, it concerns you. In practice, a project framed properly from the start absorbs most requirements at little extra cost. It's the project retrofitted at the end that gets expensive: architecture overhauls, contract renegotiations, sometimes outright shutdown.

Compliance: risk classification and control points

GDPR: the fundamentals already apply

As soon as your AI system processes personal data — job applications, customer emails, purchase history, call recordings — GDPR applies, as it does to any processing:

  • Legal basis and purpose: define why you process this data, and document it. AI processing is no exception.
  • Minimization: send the model only the data the task requires. Anonymizing or pseudonymizing upstream drastically reduces risk — often with no quality loss.
  • Individual rights: access, rectification, erasure. Your architecture must be able to find and delete a person's data, including in indexes and logs.
  • Processors: if a third-party service processes your data, you need a compliant contract (art. 28) and localization guarantees. AI hosted on your premises removes that link entirely and simplifies the file considerably.

For Moroccan companies: law 09-08 sets similar requirements (CNDP declaration, purpose, security), and GDPR applies on top as soon as you process data of European residents.

AI Act: a risk-tier logic

The European regulation classifies AI systems by risk level, with proportionate obligations:

TierExamplesMain obligations
Minimal riskDocument sorting, internal assistants, content generationVoluntary good practice
Limited riskPublic-facing chatbots, generated contentTransparency: users must know they're talking to an AI
High riskRecruitment, credit scoring, significant HR decisionsTechnical documentation, human oversight, logging, risk management
UnacceptableSocial scoring, manipulationProhibited

Most SME business uses stay in the first two tiers: obligations are light and mostly common sense. The point of vigilance: the same tool can change tier depending on usage. A model that summarizes CVs is an assistant; the same model rejecting candidates becomes a high-risk system.

Three reflexes that cover most of it

  1. Map your systems. Which AI systems, which data, which decisions? A maintained table is enough to start — and it's also the first document requested in an audit.
  2. Keep a human in the loop for any decision affecting a person. Good business practice as much as a regulatory requirement: AI proposes, the human decides and stays accountable.
  3. Document as you go: model choice, training or context data, known limitations, escalation procedures, test results. Thirty minutes per sprint beats a catch-up audit.

Example: an HR assistant compliant by design

A company wants to help its recruiters process applications. Risky version: a tool that automatically ranks and rejects candidates — high risk, heavy obligations. Well-designed version: an assistant that summarizes files, extracts skills and prepares interview questions, with shortlisting kept human. Same time savings, radically different regulatory exposure. Compliance is often decided in how you define the AI's role, not in the technology.

Compliance as a commercial argument

Your customers — especially large accounts — now ask these questions in their RFPs: where is the data hosted? Who supervises the system? Can you document your processing? Compliance built in from day one stops being a cost: it becomes a differentiator that reassures and wins contracts.

Blog