Working GDPR-proof with AI tools: a checklist for SMB owners
Many SMB owners use AI tools like ChatGPT, Claude, or Gemini every day but have never checked whether that use complies with GDPR. That's a bigger risk than it seems. Data protection authorities have AI applications explicitly on their radar, and fines for GDPR violations are no longer theoretical. This article gives you a concrete privacy AI checklist you can use today to assess whether your use of AI tools is GDPR-compliant, including data processing agreements, data minimization, and the data you should never enter into an AI tool.
Why GDPR and AI is a serious issue for SMBs
If you summarize a client meeting in ChatGPT, have a quote written based on customer details, or let an AI agent answer customer questions, you may be processing personal data. Under GDPR, you as the data controller are required to know where that data goes, how it's stored, and whether the party processing it offers sufficient guarantees.
The problem is that most AI tools are built by American companies: OpenAI, Anthropic, and Google. That means data can flow to servers outside the EU by default. That's not necessarily prohibited, but it does require you to have the right contractual and technical measures in place. For SMBs using AI under GDPR, ignorance is no excuse.
Step 1: Map out which personal data you're entering
Before you can fix anything, you need to know what you're actually doing. Find out which employees use AI tools, for which tasks, and what data gets entered in the process. This sounds simple, but in practice, teams of five to fifty people turn out to have developed dozens of different use cases, often without any policy.
Categorize the data you enter into three risk levels:
- No personal data: general texts, product descriptions, internal process documents without names or contact details.
- Regular personal data: names, email addresses, job titles, customer numbers.
- Special category personal data: health data, financial data, national ID numbers, data about religion or political preference.
Special category personal data should, as a rule, never simply be entered into an external AI tool. Regular personal data is only allowed if you've arranged the legal basis and signed the right agreements.
Step 2: Check the AI data processing agreement
A data processing agreement (also called a DPA) is mandatory when you have personal data processed by a third party. With AI tools, that third party is the tool's provider.
The major providers offer this, but you have to actively look for it:
- OpenAI (ChatGPT, GPT-4o): offers a DPA through the Enterprise or API environment. The free version of ChatGPT offers no DPA and uses input for model training by default.
- Anthropic (Claude): offers a DPA for business accounts via Claude.ai for Business or the API.
- Google (Gemini): offers a DPA through Google Workspace integrations and the API.
Check for every AI tool you use whether a valid data processing agreement has been signed. If not, you're not allowed to enter personal data, full stop. Also make sure the DPA includes standard contractual clauses (SCCs) for data transfers to countries outside the EU, because that's the legal basis for transfers to American servers.
What should a data processing agreement contain at minimum?
A valid DPA contains at least: the purpose of the processing, the categories of personal data, the retention periods, the processor's security measures, and the arrangements regarding sub-processors. Also check whether the provider can support your customers' rights to access, correct, and delete their data.
Step 3: Apply data minimization
Data minimization is a core principle of GDPR: you only process the data that's strictly necessary for the purpose. With AI tools, this means in practice that you learn to work with anonymized or pseudonymized input.
Instead of "Write a follow-up email for Jan de Vries of Bakkerij Koeman after yesterday's conversation about his cash flow problems", you write: "Write a follow-up email for an SMB client in the food sector after a conversation about liquidity challenges." The result is just as useful, but you haven't entered any personal data.
Make this a company-wide practice. Actively train your team on anonymizing prompts. This isn't a bureaucratic measure, it protects your business and your customers.
Step 4: Turn off model training
Many AI tools use your input by default to improve their models. That's a form of processing you must explicitly exclude if you're working with personal data.
In ChatGPT, you can disable this through your account's privacy settings. With Claude and Gemini Business accounts, training on your data is disabled by default. Verify this for each tool and document that you've checked the setting. Preferably use the business or enterprise version of a tool, since it usually offers stronger privacy guarantees than the free consumer version.
Step 5: Document your processing activities in the register
GDPR requires most organizations to maintain a register of processing activities. AI tools are a relatively new category that many business owners haven't yet added to this register.
For every AI tool you use for business, add an entry with: the name of the tool, the purpose of use, the categories of data processed, the retention period at the provider, and the legal basis. This takes an hour of work, one time, and if a data protection authority ever comes knocking, it gives you immediate proof that you handle AI GDPR compliance deliberately and in a structured way.
What you should never enter into an AI tool
For clarity: a hard list of data you should never enter into an external AI tool without extensive legal preparation:
- National ID numbers of employees or customers
- Medical or health data
- Bank account numbers or credit card details
- Passwords or login credentials
- Criminal record data
- Data about minors
Not sure about a specific case? Use this simple rule: if you wouldn't put it on a public website, don't enter it into an AI tool without having arranged the processing contractually.
GDPR-proof AI use can be sorted in a few weeks
The five steps in this checklist together take a few half-days: inventory your usage, sign data processing agreements, train data minimization, turn off model training, and update your processing register. After that, you can deploy AI tools with confidence across your entire company, without a regulator's audit or a customer question making you nervous.
Want help reviewing your AI stack, or want to see right away where automation saves you the most time? Book a free discovery call.
Ready to win back your time?
Book a free discovery call. We look at your business together and show you how much capacity you can win back with an AIOS.
Book a free call →