Last Updated on December 22, 2025 by Narendra Sahoo
As AI adoption accelerates across business functions, December’s expert roundup focuses on a question many organizations are now confronting in practice rather than theory: how should companies prepare for AI related data processing under GDPR. Unlike traditional automation, AI systems often rely on large, dynamic datasets, continuous learning, and opaque decision logic.
This creates real tension with GDPR principles such as purpose limitation, data minimization, transparency, and accountability. What worked for conventional data processing models is no longer sufficient when algorithms infer, predict, and profile at scale. Organizations are beginning to realize that AI readiness under GDPR is not a legal checkbox, but a governance and risk management challenge that cuts across technology, compliance, and business leadership.
Across industries, experts consistently highlight the need to move from reactive compliance to proactive design. Preparing for AI under GDPR means embedding privacy and data protection considerations at the model design stage, clearly defining lawful bases for AI driven processing, and maintaining defensible documentation around training data, decision logic, and human oversight.
It also requires organizations to reassess DPIAs, vendor risk management, and explainability expectations in the context of AI systems that evolve over time. The insights shared below reflect practical, field tested perspectives from professionals working directly with GDPR, AI governance, and data protection challenges in real world environments.
Expert opinions and perspectives on preparing for AI related data processing under GDPR are shared below.
- Srijit Ramakrishnan : Global Information Technology Director at Exinity – Dubai
In my view, to prepare for AI-driven processing under GDPR, organisations must enforce purpose limitation, data minimisation, and transparent model behaviour. Conduct Data Protection Impact Assessments (DPIAs)early, maintain human-in-the-loop controls, and continuously monitor AI outcomes. Compliance must be built into the AI lifecycle, not bolted on.
2. Adv. Chetanya Pathak : Cyber Consultant @Deloitte – India
In my view, GDPR readiness for AI requires moving beyond policy statements to granular risk governance. Organisations should perform AI-specific DPIAs that assess re-identification probability, model inversion, discriminatory profiling and implications under Art. 22. In parallel, privacy-by-design must translate into engineering—provenance tracking, adversarial testing and controlled training datasets. This dual approach delivers both legal defensibility and technical assurance.
3. Rob Grealis : Founder & CEO @Secure Safeguards – USA
Companies preparing for AI-related data processing under GDPR should start with a clear understanding of what data their AI systems collect, generate, and store. Prioritizing data minimization, DPIAs, and strong access controls helps reduce risk while staying compliant. Organizations should also ensure meaningful human oversight for automated decisions, and demand transparency from any AI vendors they rely on. Strong vendor due diligence is critical. Far too many breaches stem from onboarding third-party tools without understanding their security posture. Companies should require clear evidence of controls, audits, and data-handling practices before integrating any vendor, including AI vendors, into their environment.
4. Dr.Raghava DY PhD : CDO & Head of Data Consulting, UK & Rplus Analytics – U.K
Organisations preparing for AI-driven data processing under GDPR must start with rigorous data-minimisation, clear purpose specification and strong governance over training data. In large public-sector programmes such as those I’ve supported for big UK Public Sector Customer , we ensure transparency, lawful bases, and DPIAs are established before any AI model development. Continuous monitoring for drift, bias and fairness, combined with human oversight and auditable decision pathways, is essential to maintain GDPR compliance while deploying AI responsibly.
5. Dale Gibler : CIO – Akamai University – USA
AI doesn’t just process data, it makes decisions about people, often at scale and in silence.
GDPR readiness means teaching machines restraint: purpose limitation, minimization, and accountability baked in before intelligence emerges.
The real compliance test isn’t whether AI can learn fast, but whether organizations choose to govern it thoughtfully.
6. Aynur Khacay : Leader & Mentor – IIA – USA
As AI systems increasingly process vast amounts of personal data, often in complex and less transparent ways, companies must take their GDPR responsibilities seriously. Preparing for AI-related data processing begins with a thorough understanding of what personal data is involved, its sources, and the purpose behind its use, including whether any sensitive information is being handled.
Establishing a clear legal basis for AI processing is essential, whether through obtaining explicit consent, relying on contractual necessity, or another lawful ground under the GDPR. For higher-risk AI applications, conducting a comprehensive Data Protection Impact Assessment (DPIA) is critical to identify, evaluate, and mitigate potential privacy risks.
Transparency towards individuals and partners is equally important. People should be informed when AI influences decisions about them, understand the rationale behind those decisions, and be aware of their rights concerning automated processing.
Furthermore, companies must ensure that AI training and operations align with data protection principles by minimizing the use of sensitive data and implementing safeguards such as pseudonymisation.
By embedding these practices, businesses can not only comply with GDPR requirements but also build trust and demonstrate accountability in the evolving landscape of AI.
Conclusion
Taken together, these expert perspectives make one point clear: preparing for AI related data processing under GDPR is not about predicting every regulatory outcome, but about building resilient governance foundations. Organizations that treat AI as an extension of existing data processing practices will struggle to meet GDPR expectations around transparency, accountability, and individual rights. Those that succeed are investing early in cross functional ownership, stronger documentation, and continuous risk assessment that evolves alongside their AI systems.
Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
