In this blog, we explore AI’s growing role in recruitment and examine where human judgment remains essential. Building on insights from our webinar Hiring or Backfiring: Employing AI in Recruitment, we share expert insights from David Smith (DPO and AI Sector Lead at The DPO Centre), Helen Armstrong (CEO at Silvercloud HR), Richard Bradshaw (Co-founder of PeopleRE), and Nicky Badenock (Co-founder of Genie). Together, they examine the benefits, limitations, and ethical considerations of AI in hiring. 

• Can AI recruitment outperform traditional methods? 
• Can AI recruitment streamline workflows? 
• Is AI a neutral hiring tool? 
• Will AI replace recruiters? 
• How to choose the right AI hiring tool 
• Three questions to ask AI vendors

Can AI recruitment outperform traditional methods? 

Resume screening

AI can enhance recruitment by efficiently screening large volumes of resumes based on predefined criteria. When trained correctly, it enables consistent, data-driven decisions that reduce reliance on human instinct and help eliminate bias. However, if the training data reflects existing inequalities, such as historical hiring patterns favoring certain demographics, AI may unintentionally reinforce those biases.  

Evaluating cultural fit

Human judgment is essential for evaluating cultural fit. While AI can assess qualifications, experience, and even communication style, it lacks the ability to understand the nuances of personality, emotional intelligence, and team dynamics. These interpersonal traits are key factors in driving long-term success.

AI-enhanced job applications 

Recruiters aren’t the only ones making use of intelligent technologies. Job seekers are increasingly using AI to polish resumes, optimize keywords, and auto-generate bespoke cover letters to pass automated screenings. Although effective, this can lead hiring managers to overestimate a candidate’s abilities, creating a gap between expectations and actual performance. 

Expert perspectives

Industry experts share their take on the opportunities and challenges that AI brings to recruitment: 

• David Smith from The DPO Centre warns that AI could widen the divide. Executive search roles may still see a personalized approach but at the high-volume end of the market, candidates risk being ‘massively disenfranchised’ by low personalisation. 
• Nicky Badenock at Genie sees opportunity as AI can go far beyond simple CV matching. While human instinct remains vital and should ‘never go away’, AI offers value in organising and surfacing the right talent form wider pools. 
• Richard Bradshaw at PeopleRE highlights the perception challenge. With many candidates believing AI screening removes the human element, it creates ‘real stigma in the candidate market.’ For recruiters, the hurdle is learning how to apply AI effectively in back-office processes. 
• Helen Armstrong at Silvercloud HR points out that candidates are already using tools like ChatGPT to optimise CVs for AI systems. Cultural fit remains important and ‘AI can’t ever replace that.’   

Can AI recruitment streamline workflows?

AI can significantly cut down recruitment time by automating repetitive tasks, such as resume screening, candidate assessments, and interview scheduling. But success depends on a structured approach: ensuring data quality, integrating AI with existing HR systems, and regularly monitoring performance to improve efficiency. 

David Smith, DPO at The DPO Centre believes that ‘To get an automated system to match and evaluate things better, we need to be clearer at describing what we want and what we need. The need for automation improves the entire process.’  

Is AI a neutral hiring tool?

AI aims to reduce human bias by evaluating candidates against data-driven criteria. But if the training data reflects existing inequalities, AI systems may replicate them, making regular audits critical to ensure fairness and accuracy. 

These tools can also misread career breaks as unexplained employment gaps, overlooking valid reasons like parental leave or caregiving. This can lead to unfair decisions that disadvantage qualified candidates. 

Richard Bradshaw, PeopleRE thinks ‘Many recruitment processes fail, not because a candidate lacks the skills, but because they ultimately don’t have a genuine desire for the specific role. While AI can efficiently match candidates based on qualifications and experience, it isn’t yet advanced enough to assess a candidate’s motivation, passion or long-term commitment, rather than just securing any job.’ 

Will AI replace recruiters?

AI can automate many administrative tasks, but human insight remains vital for success. A recruiter’s ability to assess cultural fit, build relationships, and make context-based decisions is something AI still can’t match. 

Helen Armstrong, Silvercloud HR reiterates that ‘Cultural fit is as relevant as having the right qualifications and experience. It’s about attitude and AI is never going to be able to assess that. AI has to be an assistant to the recruiter, not a replacement.’  

How to choose the right AI hiring tool

Selecting the right AI tool for recruitment requires careful evaluation of key factors: 

• Recruitment goals: Define what you need the system to do, such as resume screening, candidate matching, or interview scheduling 
• System compatibility: Ensure the system aligns with your hiring goals and seamlessly integrates with your existing HR tools 
• User experience: Choose a platform that’s intuitive for both recruiters and applicants 
• Transparency and bias controls: Prioritize systems with clear decision-making processes and built-in bias mitigation 
• Analytics and reporting: Choose tools that offer strong reporting features to monitor and improve outcomes 

Three questions to ask AI vendors 

To ensure you choose a responsible and compliant AI system, ask potential vendors these key questions: 

1. How is bias prevented? 
2. What security measures are in place? 
3. How is system performance monitored and maintained? 

Vendors should explain how they train, audit, and refine their algorithms to reduce bias in hiring. Robust cybersecurity protocols must be in place to protect candidate data and prevent breaches. And you need to confirm the vendor regularly audits the system to detect errors, track performance, and resolve issues efficiently. 

The future of recruitment: Human and AI 

AI brings clear benefits to recruitment: greater efficiency, scalability, and data-driven insights. But its value depends on how it’s implemented. When used responsibly, AI can streamline admin tasks, improve candidate matching, and support more consistent, less biased decision-making. 

But there is a risk of creating a two-tier hiring system, where executive roles may retain personalized attention, while high-volume recruitment becomes impersonal. To avoid this, organizations must maintain a human touch. 

Ultimately, recruitment should remain a human-led process. Organizations that combine AI efficiency with human judgment will be best positioned to attract and retain top talent.

 ____________________________________________________________________________________________________________

AI Governance is essential for ensuring AI systems are developed, deployed, and monitored in line with legal and ethical standards. If your organization is starting or scaling its AI compliance journey across the EU and UK, contact us to learn how The DPO Centre can support you with expert guidance for compliance with the EU AI Act, GDPR and the UK’s DUAA regulations.  

____________________________________________________________________________________________________________

In case you missed it…

• EU AI Act Compliance part 4: Essential strategies for North American organizations 
• Lead generation and the GDPR: A guide for North American businesses 
• Large-scale processing and the GDPR: When to appoint a DPO 

___________________________________________________________________________________________________________

For more news and insights about data protection follow The DPO Centre on LinkedIn

The post Recruitment revolution: Is AI replacing human hiring? appeared first on DPO Centre.

One of the key factors is large-scale processing of personal data. However, the General Data Protection Regulation (GDPR) doesn’t offer a precise definition for this, which leaves room for interpretation and can cause confusion. 

In this blog, we explain what qualifies as large-scale processing, the criteria for appointing a DPO, and how the rules apply across key sectors. 

• When is a DPO legally required?
• What is ‘large scale’ processing?
• Examples of ‘large scale’ processing?

For simplicity, we use ‘GDPR’ to refer to both the EU and UK versions of the General Data Protection Regulation. While the two frameworks are broadly aligned, there are notable differences, particularly around international data transfers. 

Recent UK legislation developments, including the Data Use and Access Act 2025, may also affect your organization’s obligations. We recommend seeking advice from a data protection professional to ensure your approach remains compliant and up to date. 

When is a DPO legally required?

Under Article 37 of the GDPR, organizations must appoint a DPO if they: 

• Are a public authority or body (excluding courts acting in a judicial capacity) 
• Regularly and systematically monitor individuals on a large scale as part of their core processing activities 
• Process special categories of personal data on a large scale 

A DPO can be an internal employee or an external provider. Learn more in our blog, Hiring a Data Protection Officer – Internal vs. Outsourced. 

A single DPO may serve multiple organizations, such as a corporate group, public authorities, or associations. 

These requirements ensure that organizations engaged in complex or high-risk data processing have independent oversight to support GDPR compliance. 

What is ‘large scale’ processing?

The GDPR doesn’t define large-scale processing, but individual regulators provide guidance to help organizations assess their activities. 

According to the UK’s Information Commissioner’s Office (ICO), key factors include: 

• Number of individuals: Processing data from a significant population 
• Volume: Handling large quantities of personal data 
• Variety: Processing different types of data 
• Frequency and duration: Ongoing or frequent processing
• Geographic reach: Operating across multiple regions or countries 

You don’t need to meet all of these to qualify as large-scale, and any combination may apply depending on the context. It’s advisable to consult with a data protection professional to help assess your specific situation. 

Examples of ‘large scale’ processing

The following sector-specific examples illustrate what may qualify under the GDPR as large-scale processing: 

• Healthcare: A hospital handles various data types, such as medical records, insurance data, and appointment histories for thousands of patients 
• Finance: A bank processes account details and transactions for millions of customers 
• Technology: A cloud provider stores and manages vast amounts of files, photos, and personal details across multiple countries 
• Retail: A clothing chain tracks purchase histories, payment data, and shipping info for millions of customers 
• Education: A university processes applications, academic records, financial aid data, and health information for thousands of students 
• Charity: An organization manages donor details, donation records, and beneficiary information at scale 

Key takeaways

Determining whether your organization conducts large-scale processing is key to understanding if you’re legally required to appoint a Data Protection Officer (DPO) under the GDPR. Public authorities, organizations that systematically monitor individuals, or those processing large volumes of sensitive data typically fall within this requirement. 

Assess your obligations by considering factors like the number of data subjects, volume and variety of data, processing frequency, and geographic reach. 

Appointing a DPO can strengthen your data protection framework and show a proactive stance on compliance, even if not legally required. 

The DPO Centre offers a range of outsourced data protection services, including fractional DPOs and EU/UK Representatives. Contact us to learn how we can help you meet your legal obligations. 

____________________________________________________________________________________________________________

In case you missed it… 

• How GDPR territorial scope impacts North American Businesses 
• Data retention strategies for GDPR compliance 
• 5 steps for GDPR-compliant vendor due diligence 

____________________________________________________________________________________________________________

For more news and insights about data protection follow The DPO Centre on LinkedIn

The post Large-scale processing and the GDPR: When to appoint a DPO appeared first on DPO Centre.

You’ll learn how to: 

• Review the vendor’s data handling practices 
• Assess policies and procedures 
• Evaluate technical security measures 
• Review international data transfer controls and processes 
• Mitigate risks & finalise the Data Processor Agreement (DPA) 

Overview

According to a report by technavio, the global outsourcing market is expected to grow by $88.8 billion between 2024 and 2029, with a compound annual growth rate of 6.8%. 

Outsourcing specific processes, or even entire business functions, can enhance efficiency and allow companies to focus on their core strengths. However, when you have vendors handling personal data, it’s critical to understand the associated data protection responsibilities of both parties. 

Under the General Data Protection Regulation (GDPR), vendors include any third parties, partners, or suppliers with access to personal data – not just traditional service providers. 

Organizations are legally required to safeguard personal data, and failure to do so can result in fines and reputational harm. Ensuring that your vendors also meet GDPR obligations is a key part of maintaining compliance. 

Understanding GDPR roles: Controller vs processor 

The GDPR distinguishes between a data ‘controller’ and a ‘processor’ to clarify their respective roles and responsibilities in managing personal data. 

• A ‘controller’ decides how and why personal data is collected and processed 
• A ‘processor’ handles personal data on behalf of the controller, following on their instructions 

Data controllers hold the highest level of compliance responsibility, even if a third-party vendor is handling the day-to-day processing.  

Data processors have some direct legal obligations, including notifying the controller of any data breach, implementing appropriate data security measures, and keeping a record of data processing activities.  

Let’s look at a real-world example: 

A North American healthcare provider (controller) collects patient data from individuals in the EU to provide medical services. The data is stored and managed on a third-party cloud storage platform (provider) and includes information such as names, addresses, and medical histories.  

In this example, the healthcare provider must ensure any personal data is processed in strict accordance with the GDPR. This includes providing clear privacy notices, establishing an appropriate lawful basis, and safeguarding the security of the data, including any onward transfers of personal data outside the EU.  

Before using the third-party cloud storage platform, the healthcare provider must: 

• Ensure the vendor’s data protection practices meet GDPR standards 
• Identify and mitigate any risks before sharing personal data 
• Implement clear contracts that outline roles, responsibilities, and security requirements 

Once onboarded, the cloud storage platform must follow the healthcare company’s instructions and maintain robust safeguards. If a data breach occurs, the cloud storage provider is expected to notify the healthcare company without undue delay – ideally within 48 hours, though this should be determined in each contract.  

Reminder: Under the GDPR, controllers have up to 72 hours after becoming aware of a personal data breach to report it to the relevant regulatory authority. If the breach poses a high risk to individuals, they must also be informed directly.  

5 essential steps for effective due diligence

A best practice due diligence process typically starts with a questionnaire and follows these 5 key steps:  

Step 1: Review the vendor’s data handling practices

A due diligence questionnaire should request the vendor’s privacy policy and any voluntary or mandatory risk assessment documents, such as Data Protection Impact Assessments (DPIAs), relating to the services offered.  

Key details to establish: 

• How personal data will be collected 
• Where it will be stored 
• Who will have access to the data 
• Use of sub-processors, including their data handling practices (sub-processors are third parties engaged by the vendor who may access the personal data) 
• What the retention periods are (the GDPR requires data to be kept no longer than necessary) 
• If they have any certifications, such as Cyber Essentials Plus, ISO9001, or ISO27001/27701, which demonstrate a commitment to strong data protection practices across the organization 

Step 2: Assess policies and procedures

The next step is to evaluate the vendor’s data protection policies and procedures to ensure they align with GDPR requirements.  

These should include at least: 

• Privacy policy and privacy notice 
• Data breach response procedure 
• Data Subject Access Request (DSAR) procedure 
• Data sharing processes 
• Employee data protection training programs 

The vendor needs to demonstrate that appropriate controls are in place for data processing, including any sub-processors they may use, and that these controls are regularly audited and maintained.  

Step 3: Evaluate technical security measures

Ensure the vendor has robust technical safeguards to protect personal data from unauthorized access, alternation, disclosure, or destruction.  

These measures may include: 

• Encryption: Converts data into a code to prevent unauthorized access 
• Access controls: Authenticates users and restricts access to systems and data 
• Firewalls: Monitors and controls incoming and outgoing network traffic based on predetermined security rules 
• Intrusion detection systems (IDS): Detects malicious activity within the network 
• Security incident and event management (SIEM) systems: Analyses security alerts generated by applications and network hardware in real time 
• Regular security audits: Systemic evaluations of IT systems to measure how well they conform to a set of established criteria  

Step 4: Review international data transfer controls and processes 

If personal data is stored or processed outside the EEA and/or UK, the vendor must demonstrate that a valid international transfer mechanism is in place.  

Your contract should require the vendor to implement appropriate safeguards for both their own transfers and any onward transfer by sub-processors. This often involves using Standard Contractual Clauses (SCCs) or another GDPR-approved mechanism.  

If the data is considered high risk, a supporting DPIA should also be provided.  

International Data Transfers: Explaining EU SCCs, UK Addendum and UK IDTA | DPO Centre

Step 5: Mitigate risks & finalise the Data Processor Agreement (DPA) 

If any risks have been identified during the due diligence process, the vendor needs to resolve them before moving forward. For example, if the vendor lacks intrusion alerts, they should implement system monitoring and provide evidence.  

The final step is to draft a Data Processing Agreement (DPA), which should include: 

• General information – Purpose, duration, data categories, and GDPR responsibilities of both parties 
• Security measures – Technical and organizational safeguards required of the processor 
• Sub-processors – Whether sub-processing is allowed and under what conditions 
• Breach notifications – Requirement to notify the controller without undue delay in the event of a breach 
• Audits and inspections – Controller’s should secure the right to verify compliance through audits 
• End-of-contract provisions – Instructions on returning or deleting data at contract termination 
• Liabilities and indemnities – controllers should require processors to indemnify them against all costs, claims, damages, and expenses incurred because of their actions. Controllers typically seek unlimited liability, while processors should negotiate a cap. 

For a template DPA download our GDPR Policy Toolkit 

Summary

Conducting vendor due diligence is essential for identifying and mitigating risk and ensuring GDPR compliance. It provides an opportunity to evaluate a vendor’s operational procedures data protection practices before entering into a contract.  

An effective due diligence process should include a questionnaire covering five key areas: data handling practices, policies and procedures, technical security measures, international data transfers, and risk mitigation prior to drafting a Data Processing Agreement (DPA). 

These steps also apply to existing suppliers or outsourced services. However, given the number of suppliers most organizations work with, it’s often more practical to start with a pre-qualification risk assessment. This helps prioritize which vendors require further review based on factors like GDPR applicability, risk level, and the type of data processed. 

____________________________________________________________________________________________________________

The DPO Centre has extensive experience helping North American organizations meet their GDPR obligations when working with third-party vendors. Contact us today for expert support with your vendor due diligence processes. 

____________________________________________________________________________________________________________

In case you missed it… 

• Lead generation and the GDPR: A guide for North American businesses 
• Data retention strategies for GDPR compliance
• How GDPR territorial scope impacts North American businesses

____________________________________________________________________________________________________________

For more news and insights about data protection follow The DPO Centre on LinkedIn

The post 5 steps to GDPR-compliant vendor due diligence  appeared first on DPO Centre.

Since the General Data Protection Regulation (GDPR) came into effect in 2018, marketing strategies have undergone a significant transformation, with a definite shift toward inbound methodologies. Attracting engagement from customers, rather than pursuing prospects directly has become the modern standard. Outdated tactics such as buying prospect lists, cold calling, and sending unsolicited emails have been replaced by a focus on creating valuable, engaging content, and tailored experiences. 

For the purposes of our discussion, we consider the EU GDPR and the UK GDPR under the same umbrella, focussing on the common aspects for businesses operating in both or either the EU and the UK. There are specific differences and nuances in the legislations that are not covered here and may be applicable to your organization. For further advice, please speak to your Privacy Officer/Data Protection Officer. 

Establishing a lawful basis under the GDPR 

The General Data Protection Regulation (GDPR) provides the legal framework for the collection, processing, and storage of personal data of individuals in the EU (with the UK GDPR applying to individuals in the UK). 

North American organizations must establish an appropriate lawful basis for processing personal data of EU and UK individuals. This means that before collecting any personal data, you must first identify and document the lawful basis for doing so. 

There are six lawful bases under the GDPR:

Consent – where an individual has given consent for their personal data to be processed 

Legitimate Interests – where the processing of an individual’s personal data is necessary for the legitimate interests of a business or organization, unless there is a good reason to protect the individual’s personal data, which then overrides those legitimate interests 

Contract – where the processing is necessary for the performance of a contract a business or organization has with an individual 

Legal Obligation – where the processing is necessary for a business or organization to comply with the law 

Vital Interests – where the processing is necessary to protect someone’s life 

Public Task – where the processing is necessary for the performance of a task in the public interest or for official functions, and the task or function has a clear basis in the law 

After determining a lawful basis, you must document it and ensure the information is clearly stated in your privacy policy and privacy notice. 

Choosing the most appropriate lawful basis is essential, as it is difficult to change later without good reason. The lawful bases commonly used for processing personal data for marketing and lead generation purposes are consent and legitimate interests. For certain types of marketing activities, consent is the only appropriate lawful basis to use. A data privacy officer (DPO) can provide guidance on the most suitable lawful basis for your personal data processing. 

ePrivacy Directive and PECR

In addition to the GDPR, North American businesses undertaking digital marketing and lead generation activities in the EU and/or UK must also comply with regulations governing electronic communications, cookies, and tracking technologies. 

The EU’s ePrivacy Directive, often referred to as the ‘cookie law’, covers key areas related to electronic communications and privacy, including consent for cookies and marketing communications. 

The UK’s Privacy and Electronic Communications Regulations (PECR) sets out the rules and requirements for electronic communications and privacy within the UK. The legislation is the UK’s implementation of the EU’s ePrivacy Directive, and it sits alongside the UK GDPR. 

Privacy rules for electronic communications 

The ePrivacy Directive and PECR have specific standards that apply when processing the personal data of individuals in the EU and UK through electronic communications and other marketing tactics. 

You must: 

• Obtain consent before collecting an individual’s personal data 
• Provide clear and transparent information about how the personal data will be used
• Collect only the personal data that is necessary 
• Obtain consent before placing non-essential cookies on a user’s device  
• Provide an easy way to opt-out 

Understanding consent

Consent is a fundamental aspect of data privacy law. The GDPR defines consent as: 

any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. – Article 4(11) 

In certain situations, or for specific processing activities, consent is the only lawful basis that can be used. 

Consent is also mandated by the ePrivacy Directive and PECR, where the use of cookies, tracking pixels, web beacons, and other similar technologies are used to collect personal data for online advertising and targeting. 

Consider this example: How CompanyX reaches potential customers

CompanyX wants to connect with website visitors who have not yet made a purchase. A tracking pixel from a social media provider is integrated onto their website. The pixel tracks users after they have left the site, allowing CompanyX to display targeted ads for their products when that user visits other websites. 

This strategy falls under the ePrivacy Directive and PECR and requires consent. Both use the definition of consent found within the GDPR (above). 

How to obtain consent

Under the GDPR, organizations must obtain explicit consent from customers before collecting their personal data. Lead generation tactics, such as pre-ticked boxes, implied consent, or bundling consent in with other actions, are no longer allowed. 

Here is a breakdown of the factors required for obtaining consent under the GDPR: 

Freely given: Consent must be given voluntarily, without coercion or manipulation. It should be a genuine choice for the individual, not forced. 

Specific: Consent must be tied to the exact purpose. Individuals should be informed what their personal data will be used for, and their agreement limited to that specific use. When processing has multiple purposes, consent must be obtained for all of them. 

Informed: Individuals must be given information about the processing of their personal data before giving consent. This includes knowing what data will be collected, who is collecting it, why, how long it will be kept, and any other relevant details. 

Unambiguous: Consent should be clear and easy to understand. 

Indication of wishes: Consent must be given through an affirmative action, including written, electronic, and oral statements. For example, a tick box on a website or a written consent form. Pre-ticked boxes or inactivity do not constitute consent. 

Withdrawable: Individuals who change their mind have the right to withdraw their consent at any time. The withdrawal process must be as easy as giving consent. 

How to collect, record and manage consent

In line with the GDPR’s accountability principle, which states that organizations must take responsibility for what they do with personal data, there is a requirement to evidence the process of obtaining consent.  

This means that in addition to securing permission from an individual to process their data, you also need to keep records and evidence the process. 

Let’s look at the critical aspects of consent management a little closer and the details you should document: 

Who consented: The name of the individual or other identifier (e.g. online username, session ID). 

When they consented: A dated document or online records with a timestamp. For oral consent, a note with the time and date of the conversation. 

What they were told at the time: A master copy of a document or data capture form containing their consent statement and a copy of the privacy notice or other privacy information, including version numbers and dates that match the date consent was given. For oral consent, your records should include a copy of the script used at that time. 

How they consented: A copy of the relevant document or data capture form. For online consent, your records should include the data submitted and a timestamp to link it to the relevant data capture form. For oral consent, the whole conversation does not need to be recorded, only a note of the time the conversation took place. 

Whether they have withdrawn consent: If so, when? 
 
Review and refresh the consent process if anything changes. It is recommended that you consider updating consent every two years. 

Relying on Legitimate Interests

The GDPR states that the processing of personal data for direct marketing purposes may be considered a valid reason or legitimate interest (GDPR Recital 47). However, as marketing is generally in the interests of the business, the validity of using legitimate interests as a lawful basis for processing data must be carefully considered, balancing any possible consequences for the individual.  

A Legitimate Interests Assessment (LIA) is a useful tool that can be used to identify and consider this lawful basis as a possible justification for processing personal data under the GDPR. 

An LIA is comprised of the following three-part tests: 

1. The purpose test (identify the legitimate interest)  
2. The necessity test (consider if the processing is necessary)  
3. The balancing test (consider the individual’s interests)  

Using legitimate interests as a lawful basis will only be permissible if it does not affect the fundamental rights and freedoms of individuals, which always take precedence. This means that while using legitimate interests as a lawful basis, the focus is not on preventing every negative outcome or consequence but on ensuring that any potential negative consequences are not excessive or out of proportion compared to the intended benefits or purposes. It’s about maintaining balance. 

Consider this example: How CompanyX delivers personalised ads 

When PersonA became a customer of CompanyX a year ago, they provided their email address for communication purposes. During the first communication, CompanyX informed PersonA of two key points: (i) their email address would be used to advertise similar CompanyX products on social media, and (ii) they had the right to object to this processing at any time. 

CompanyX then added PersonA’s email address to its customer database and shared it with a social media provider. This collaboration allowed CompanyX to match its list of customer email addresses with those held by the social media provider. As a result, CompanyX gained the ability to precisely target and market similar products to PersonA via their social media feed. 

This strategy falls under the GDPR and can rely on the lawful basis of legitimate interests. 

Working with lead generation providers

Lead generation companies use a variety of marketing strategies to provide qualified leads that can potentially be turned into customers. 

However, it is important to note that your data processing responsibilities remain and must be upheld, regardless of the use of a third-party service. 

The GDPR makes a distinction between organizations and third parties by using the terms ‘data controller’ and ‘data processor’. 

Data controller: This is a person or organization that decides how and why personal data is collected and used. Controllers have overall control over the data, therefore, the highest level of compliance responsibility. 

Data processor: This is a person or organization that handles personal data on behalf of the controller. Processors are responsible for ensuring the data processing is in line with the instructions of the controller, in addition to other legal obligations, including notifying the controller in the event of a data breach. 

Is your lead generation partner meeting GDPR requirements?

As a controller, it is important that you conduct due diligence on any third-party company you plan on using. You need to confirm the third-party’s compliance with the GDPR and any other relevant data privacy laws, such as the ePrivacy Directive and PECR, as detailed above. 

It is vital that you ensure the outsourced lead generation company has sufficient technical and organizational measures in place to protect the personal data they are processing on your behalf. 

For more detailed information about conducting due diligence on your data processors, read

Vendor due diligence and GDPR compliance with 5 practical steps.

Summary

Lead generation is an important aspect of business growth, but it must be conducted in line with the relevant data privacy laws. For North American organizations handling the personal data of EU and UK individuals, these include the EU GDPR, UK GDPR, ePrivacy Directive, and PECR. 

Before undertaking a lead generation strategy, it is essential that the correct measures are in place, including assigning the most appropriate lawful basis and ensuring the obligations and responsibilities as a data controller are understood and implemented. 

By understanding and adhering to the relevant regulations, organizations can prevent any future non-compliance issues as well as strengthening customer trust, confidence, and engagement. 

Confident customers lead to increased loyalty, which translates into becoming a more successful and sustainable business.  

Contact us to find out how an outsourced data privacy service can support you in maximising marketing ROI while staying compliant with EU and UK data privacy laws. 

Visit The DPO Centre to find out how an outsourced data privacy service can support you in maximising marketing ROI while staying compliant with EU and UK data privacy laws. 

Alternatively, you can get in touch by filling in the form below. 

____________________________________________________________________________________________________________

In case you missed it… 

• EU AI Act Compliance: What North American organizations need to know
• Data retention strategies for GDPR compliance
• How GDPR territorial scope impacts North American businesses

____________________________________________________________________________________________________________

Don’t miss out on the latest data protection updates – stay informed with our fortnightly newsletter, The DPIA

The post Lead generation and the GDPR: A guide for North American businesses appeared first on DPO Centre.

• How long should different types of personal data be retained? 
• What makes an effective data retention policy and schedule? 
• What responsibilities do data controllers, processors and sub-processors have for data retention? 

In this blog, we dive into these questions and share practical guidance – from determining the lifespan of different types of personal data to creating an effective data retention policy and schedule. 

GDPR and data retention

The General Data Protection Regulation (GDPR) has set new standards for the way businesses handle EU personal data, including what type of data is collected and the length of time it is kept. If your organization processes the data of individuals in the EU or European Economic Area (EEA), implementing a robust data retention policy is crucial. 

The GDPR’s principles of Storage Limitation, Minimisation, and Accuracy play a vital role in shaping such a policy. 

Storage Limitation: Ensure personal data is not retained beyond the necessary time period 

Minimisation: Collect only the minimal amount of data required 

Accuracy: Maintain accurate, up-to-date, and reliable information 

In other words, the processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the specific purposes of the processing. You must only process personal data that is needed for the operations of your business. 

The GDPR doesn’t define exactly what ‘no longer than necessary’ means, so how can you judge timeframes? 

Necessity is a key factor in an effective data retention timeframe and is determined by your purpose for processing. In other words, your reason for handling and storing personal data will dictate the length of time you keep it. 

Storage periods will depend on several elements, such as the industry sector, the type of data processing, and any other regulatory requirements that apply. However, in some circumstances there is a statutory retention. For example, finance records in the UK and EU are generally maintained for 7 years (6 years plus current year), in accordance with the Companies Act.  

Under the GDPR, the key requirement for data retention is that the chosen duration must be justified, and this decision must be documented. 

The documents you will need to produce: 

• A data retention policy – This provides a general overview of the data management practices and is a broad document outlining how the organization manages its data, how long it keeps certain types of data, and the roles and responsibilities of staff 
• A data retention schedule – This is also known as a disposal schedule and is a more detailed document, specifying the exact retention period for different classes of records and the action needed to be taken at the end of the retention period 

Data retention roles: Controllers, processors and sub-processors  

Whether you’re a data controller, processor, or sub-processor, understanding your responsibilities and obligations is essential. It is important to manage data retention in a way that ensures compliance with the General Data Protection Regulation (GDPR) and meets your business needs. 

Data controllers

Data controllers determine the purpose of any personal data processed, and the means of processing. 

A data controller is primarily responsible for determining the data retention timeframe, as they decide the purposes and means of processing personal data. 

If you are the data controller, you must ensure you have a comprehensive data retention policy and schedule in place and communicate this to any data processors or sub-processors you have engaged, such as cloud storage companies or marketing agencies. As a controller, you carry the primary responsibility for complying with data protection laws. 

Data processors

Data processors process personal data on behalf of the controller, and sub-processors are third parties engaged by the processor. 

Data processors and sub-processors are responsible for processing personal data on behalf of the controller. They must follow the controller’s instructions, including abiding by a data retention timeframe, which should be set out in the contract or data processing agreement. Details should also include what will happen to the personal data once the contract is terminated.  

Top 4 data retention challenges and how to solve them

1. Changing regulatory landscape

Data protection laws continue to develop at a rapid pace around the world. Existing EU and UK privacy laws are also frequently updated. Organizations can struggle to keep up with these changes, especially when processing and storing personal data across multiple jurisdictions.

Advice: Keep updated on the latest data protection laws 

Seek advice from an experienced Data Protection Officer (DPO) who specializes in EU and UK data protection laws – a dedicated DPO will regularly review and update your data retention policies and schedules and ensure they are compliant with the latest regulations. 

Solution – Hire a dedicated Data Protection Officer (DPO) 

2. Data subject awareness

Individuals are increasingly aware of their rights and more likely to make a data subject access request (DSAR). This can place a burden on an organization’s data retention framework, as it must be equipped to efficiently locate, retrieve, and respond to a DSAR, providing the requested data within a strict timeframe. Read our DSAR FAQs for more information.

Advice: Proactively prepare for data subject requests

Ensure your organization has a well-documented and tested process for handling Data Subject Access Requests (DSARs). This includes training relevant staff, having clear workflows in place, and knowing where personal data is stored.  
 
Solution – establish a robust DSAR response process

3. Data volume

It can be difficult to manage the vast quantities of data that are collected daily from various digital channels, such as email, social media, websites, and virtual stores. Not to mention paper archive records, which can create a significant challenge for companies to organize.

Advice: Implement data minimisation practices

Only collect what is absolutely necessary. A practical tip is to conduct a data audit. This involves reviewing the types of personal data your organization collects and identifying what is needed. For example, an online store collects customer names, addresses and payment information for order fulfilment. However, the store also collects dates of birth and marital status, which, depending on the types of products sold, could be considered excessive and in breach of the GDPR’s data minimisation principle. 

Solution – Conduct a data audit and implement data minimisation practices 

4. Over-retention

Without specific rules on timeframes, organizations can often keep information far beyond its intended or necessary retention period. This can increase operational costs for storage, backup and retrieval. There is also the heightened risk of reputational damage if a cyber-attack or breach were to occur, which is a breach of the GDPR’s 5^th principle, and can potentially result in regulatory action.

Advice: Avoid keeping information for too long

It is important to have a clear data retention schedule for each type of data. Automated tools can be used to manage the schedule and delete or anonymise data that is no longer needed. Employees also need to be made aware of data retention policies and schedules, so they understand what to do with the data.   

Solution – Implement a clear data retention schedule 

Best practice tips for data retention

Effective management of personal data can help you to reduce risks and maintain compliance with data protection laws. 

Here are some helpful tips for your data retention strategy: 

To ensure compliance with the AI Act, organizations need to focus on critical areas such as staff training, robust corporate governance, and strong cybersecurity and data protection measures

• Conduct a data audit 
• Only collect data that is necessary for your purposes 
• Implement a data retention policy and schedule for each type of data collected 
• If data is kept for longer or shorter periods than the retention schedule, the reason for this needs to be documented 
• Review processing activities on a regular basis and add new ones to the schedule 
• Train staff on policy and schedule requirements, ensuring awareness of the operational requirements before any data is deleted, understanding that deleting data too soon is also considered a breach 
• Where there is a recommendation to archive older data, this can be in an electronic format and filed in a separate electronic folder, suitably labeled as holding archive material 
• Paper archive records need to be indexed and once retention is met, they should be destroyed safely and securely, using a confidential waste provider or cross cutting shredder 

See also the Retention Policy template in our free-to-download GDPR Toolkit 

Summary

There are several challenges for businesses when it comes to data retention and GDPR compliance. The key is to understand your organization’s purpose for collecting personal data and align this purpose with the principles of data minimisation, storage limitation and accuracy. 

Documentation is essential for GDPR compliance, and a comprehensive data retention policy and schedule are a requirement. However, it is important to remember that effective data management is not just about compliance.  

Individuals are more likely to engage with organizations they trust to handle their personal data responsibly. Investing in robust data management practices and having a well-defined data retention schedule is a win-win for both compliance and customer satisfaction. 

The DPO Centre has one of the largest teams of Data Protection Officers (DPOs), working globally with over 1,000 organizations across the spectrum of industry sectors, delivering GDPR compliance solutions. 

If you need help with your GDPR compliance or you are considering an outsourced data protection solution, please get in touch with our team

For more news and insights about data protection follow The DPO Centre on LinkedIn 

____________________________________________________________________________________________________________

In case you missed it… 

• EU AI Act Compliance part 4: Essential strategies for North American organizations
• How GDPR territorial scope impacts North American businesses
• Data Privacy Day 2025: Navigating privacy in Canada

____________________________________________________________________________________________________________

Don’t miss out on the latest data protection updates – stay informed with our fortnightly newsletter, The DPIA

The post Data retention strategies for GDPR compliance appeared first on DPO Centre.

For North American organizations, this often means implementing compliance measures that go beyond domestic requirements, particularly in areas like algorithmic transparency and bias testing.

If you’re developing or deploying AI systems for EU markets, your compliance journey is likely to be complex and demanding, especially if you’re managing high-risk systems. But compliance has to be approached as more than a tick-box exercise. It’s an opportunity to lead the way in responsible AI innovation, building trust with users and regulators alike.

By embracing compliance as a catalyst for more transparent AI usage, organizations can turn regulatory demands into a competitive advantage.

Before we dive into the specifics of the essential compliance strategies you should consider, here’s a quick overview of the main points we’ve previously addressed:

What we’ve covered so far

By following our blog series, you’ll already have taken the first steps in preparing for compliance with the EU AI Act. Specifically, you should have:

• Determined whether your AI system falls under the AI Act based on how it affects EU markets
• Identified any exemptions (e.g. research, military use)
• Clarified your role in the AI value chain (i.e. Provider, Deployer or another role)
• Understood the purpose of your system, and whether it’s classified as ‘prohibited’, ‘high-risk’ or a General Purpose AI model (GPAI)

The EU AI Act comes into full effect in August 2026

There are certain provisions coming into force earlier, such as a ban on systems that perform prohibited functions. It’s important organizations make sure they give themselves plenty of time and resources to meet all aspects of the AI Act’s implementation deadlines.

More detailed guidance on the timelines and deadlines, risk-based classifications, and compliance obligations, can be found in parts 1-3 of this blog series:

Compliance with the AI Act blog series

• Part 1: Essential knowledge for North American organizations
• Part 2: Understanding ‘high-risk’ activities
• Part 3: Roles and requirements for North American organizations

Let’s now look at some of the essential strategies you can implement to support your AI Act compliance journey.

Key strategies for EU AI Act compliance

1. Staff awareness and training

All organizations intending to use AI systems in any capacity should carefully consider the potential impact of those systems and engage in staff awareness and upskilling.

Training is essential to ensure all team members understand their roles in compliance and are able to implement the AI Act’s requirements.

A comprehensive training program should address the AI Act’s key requirements and include role-specific details. For example, AI developers may need more in-depth technical training, while Compliance Officers need to focus on documentation and regulatory obligations.

Tailor staff training programs to the specific risks associated with the type of data processed and the system’s intended use. For example, employees working with systems that have a greater impact on individuals, such as those making credit decisions affecting EU customers, may need more extensive training than those handling non-sensitive functions.

2. Establishing strong corporate governance

For Canadian and US organizations providing or deploying high-risk or General Purpose AI (GPAI) systems in EU markets, strong corporate governance is essential to demonstrate and maintain compliance. Without certain elements in place, organizations may struggle to meet the Act’s specific requirements and maintain the necessary compliance documentation.

To build and maintain strong corporate governance, organizations should focus on:

• Implementing effective risk and quality management systems to oversee and mitigate risks and help identify and address any issues early on
• Ensuring robust cybersecurity and data protection practices are in place to safeguard sensitive personal data and protect against data breaches
• Developing accountability structures with clear lines of responsibility to ensure compliance efforts are coordinated and effective
• Monitoring AI systems regularly and reporting on their performance and compliance status

Cybersecurity and data protection practices

To meet the stringent requirements of the AI Act, organizations should prioritize strong cybersecurity and data protection practices. This means embedding effective risk and quality management systems into your operations.

Without these practices, organizations may fail to meet specific requirements of the Act and will likely struggle to produce and maintain other compliance documentation that’s required.

For cybersecurity aspects, practices should include implementing robust infrastructure security with strict access controls, having a detailed incident response plan, and ensuring regular security audits to identify vulnerabilities.

The data protection requirements of the AI Act overlap with the EU’s General Data Protection Regulation (GDPR) in several areas and key principles,  particularly around transparency and accountability.

While the GDPR focuses on the protection of personal data, the AI Act covers the broader development and regulation of AI systems. This includes not only safeguarding personal data but also managing overall AI risks to ensure fairness, prevent harm, and promote transparency.

You can use the GDPR principles and current data protection practices to support compliance with the AI Act by integrating ‘Privacy by Design’  into your AI systems, conducting Impact Assessments for high-risk AI applications, and maintaining clear documentation of data protection activities.

3. Being ready for upcoming guidelines and templates

Available in the coming months – the EU is developing specific codes of practice and templated documentation to help organizations meet their compliance obligations.

We’ll provide updates in further blogs as these become available.

4. Following ethical AI principles and practices

Although guidelines and practical applications of the EU AI Act are still evolving, its core principles are well established in ethical AI frameworks. Organizations using AI, especially with personal data or human impact, must understand how the system works, its purpose, and its limits. Documenting these aspects supports best practice and accountability.

Organizations must also comply with transparency requirements under existing data protection laws in addition to the specifics of the AI Act.

Finally, it’s essential to conduct a risk assessment of how the AI system may impact individuals who interact with it and the organization’s liability and reputation if anything should go wrong. This proactive approach to AI governance is highly beneficial and can mostly be implemented without needing to tailor it for specific regulations.

5. Seeking expert guidance

There are resources available to support your compliance journey. This includes the EU AI Act Compliance Checker , a tool designed to help organizations verify that their AI system aligns with regulatory requirements.

However, the nuances of the AI Act are complex, and we urge every organization uncertain of its obligations to seek professional advice.

Key takeaways

• To ensure compliance with the AI Act, organizations need to focus on critical areas such as staff training, robust corporate governance, and strong cybersecurity and data protection measures
• Embedding ethical AI principles and maintaining transparency are essential for Canadian and US companies developing AI systems that serve EU markets, especially those impacting individuals and handling personal data
• Although practical guidelines for the Act are still to come, businesses should proactively implement these strategies and prepare for future updates

In conclusion: Staying ahead of AI regulations isn’t just about compliance – it’s an opportunity to build trust and lead the way in responsible AI innovation.

The DPO Centre has developed a comprehensive AI Audit and Impact Assessment service. If you need support beginning or continuing your AI compliance journey with confidence, please contact us.

____________________________________________________________________________________________________________

In case you missed it… 

• EU AI Act compliance part 3: Roles and requirements for North American organizations
• How GDPR territorial scope impacts North American businesses
• GDPR guide for SaaS companies expanding into EU & UK markets

____________________________________________________________________________________________________________

Don’t miss out on the latest data protection updates – stay informed with our fortnightly newsletter, The DPIA

The post EU AI Act Compliance part 4: Essential strategies for North American organizations appeared first on DPO Centre.

The AI Act will come into full effect in August 2026, 24 months after its official publication, although certain provisions will come into force earlier. For a detailed understanding of the AI Act’s implementation timeline, and further information about the risk-based classification of AI systems, please refer to Part 1 and Part 2 of our blog series:

Compliance with the AI Act Part 1: Timeline and important deadlines

Compliance with the AI Act Part 2: What is ‘high-risk’ activity?

Whether your organization develops AI chatbots for customer service, uses predictive algorithms for credit assessment, or deploys image recognition software, understanding your role and responsibilities under the EU AI Act is crucial for maintaining compliance when operating in European markets.

Navigating the AI Act’s global reach

Similar to the EU’s General Data Protection Regulation (GDPR), the AI Act has extra-territorial reach, making it a significant law with global implications. Its provisions apply to any organization marketing, deploying, or using an AI system that affects individuals or businesses in the EU, no matter where the system is developed or operated.

For example, if an AI system hosted in Toronto or San Francisco generates data or decisions that impact individuals or businesses in any of the EU’s 27 Member States, that system must comply with the AI Act.

The aim of the extra-territorial scope is to ensure the fundamental rights of EU residents are respected, regardless of international boundaries. This approach seeks to promote a consistent standard of ethical AI practices, encouraging all organizations to uphold high standards of accountability and transparency.

Key organizational roles under the AI Act

Compliance obligations for organizations are determined by two main factors:

1. The risk level of the AI system
2. The organization’s role in the supply chain

The risk classification of AI systems is detailed in Part 2 of our blog series. Therefore, let’s explore the various categories of roles organizations can play and the specific obligations associated with each.

What role does your organization play?

Under the AI Act, organizations fall into one of six distinct roles, each with its own set of obligations:

• Provider
  An individual or organization that develops an AI system and places it on the market. Providers are responsible for ensuring their system meets the necessary requirements of the AI Act.
• Deployer
  An individual or organization using an AI system developed by a Provider. A Deployer’s responsibilities under the AI Act are minimal if they use the AI system without changing it. If they modify the system significantly or use it under their own name or trademark, they take on the Provider’s responsibilities, as if they were the original Provider.
• Distributor
  An individual or organization making an AI system available on the EU Market, acting as an intermediary between provider and user.
• Importer
  Any natural or legal person based in the EU who brings an AI system into the EU market from outside the EU. This role is particularly relevant for North American organizations selling AI systems to EU customers.
• Product Manufacturer
  An individual or organization introducing or putting into service an AI system on the EU market as part of another product and brands it with their own name or trademark.
• Authorized Representative
  An individual or organization based in the EU who’s been formally appointed by a Provider located outside the EU. This role is especially important for North American companies without EU offices.

Representatives are responsible for managing and fulfilling regulatory obligations and documentation required by the AI Act on behalf of Providers. This is similar to the GDPR Representative role, although documentation is more detailed and extensive. This is because the AI Act involves complex regulatory requirements for AI systems, covering a broad range of technical, operational, and safety aspects.

Provider or Deployer? 

Carefully assess whether you’re a Provider or Deployer, as this will significantly affect your compliance responsibilities. It’s important to make sure how you deploy an AI system doesn’t inadvertently make you responsible as a Provider.

While most obligations fall on Providers, Deployers also have various responsibilities.

Common requirements for Providers AND Deployers

AI literacy – Providers and Deployers must ensure all staff and agents using AI systems have the appropriate knowledge. This depends on their roles and the associated risks, but is similar to mandatory data protection training under the GDPR.

Transparency – Providers and Deployers must ensure any AI system interacting with individuals (termed a ‘natural person’) meets transparency obligations, such as clearly marking content generated or manipulated by AI.

Registration – similar to data protection registration with a supervisory authority, Providers and Deployers must register the AI system in the EU’s database.

Provider-specific obligations

Because Providers design, develop, and bring AI systems to market, they bear primary responsibility for ensuring they meet safety and ethical standards. They also control the creation and operation of AI systems, so are crucial to ensuring systems meets the required standards for safety, effectiveness, and ethics.

Transparency and accountability: Two key principles of the AI Act

Providers must ensure their AI system is easy to understand, and clearly communicate its functionalities, limitations, and potential risks. This helps users know exactly what to expect and how to use it safely and effectively.

Key requirements for Providers include:

• Imposing responsibilities on importers and distributors – ensure all parties in the AI supply chain know about and adhere to their compliance standards, including completion of conformity assessments 
• Establishing a risk management system – a structured process to regularly review the AI system, identifying, evaluating and mitigating any risks
• Implementing effective data governance – develop clear procedures and processes for managing training data, including ensuring diversity and establishing protocols for data handling and data protection
• Preparing technical documentation – create detailed and accessible documentation about the AI system’s design, functionality, and performance to enable user understanding BEFORE it goes on market
• Maintaining event logs – set up automatic logging systems to track the AI system’s operations and any issues that may arise
• Creating usage documentation for Deployers – provide Deployers with clear and comprehensive guides on how to use the AI system (Deployers must also maintain documentation relevant to their use of the system, if it differs)
• Establishing human oversight – design the AI system to allow for human intervention and monitoring (also impacts Deployers)
• Ensuring accuracy and robustness – confirm the AI system is reliable and resilient in its operations, and suitable for its intended purpose
• Implementing cybersecurity measures – integrate strong cybersecurity practices to protect the AI system from potential threats
• Maintaining a quality management system – establish a quality management system to oversee ongoing development of the AI system
• Addressing issues and conformity – quickly address any issues with the AI system and withdraw any systems that don’t conform or comply with compliance standards (also impacts Deployers)
• Completing documentation and assessments – complete all documentation and conformity assessments accurately, and retain for at least 10 years
• Appointing a Representative – if needed, appoint a Representative to support compliance obligations and be a point of contact between Provider and regulatory authorities, particularly relevant for North American Providers based outside the EU
• Cooperating with supervisory authorities – be ready to liaise with regulatory bodies, providing requested information and helping with inspections or audits to show compliance
• Imposing responsibilities on importers and distributors – ensure all parties in the AI supply chain know about and adhere to their compliance standards, including completion of conformity assessments

In summary

The EU AI Act is a landmark piece of legislation, setting the first global standards for the responsible development and deployment of artificial intelligence systems.

As with many new regulations, the EU’s AI legislation has sparked concerns and debates among various stakeholders, including industry associations, tech companies, and legal professionals.

Their concerns echo the initial criticisms that surrounded the introduction of the EU’s General Data Protection Regulation (GDPR). Namely, the potential difficulties for organizations and businesses in interpreting and implementing its provisions.

However, despite its complexity, the AI Act, much like the GDPR, has a structured approach that makes implementation more manageable. There are clear definitions for the six roles in the AI supply chain. Each role comes with specific compliance obligations, with the Provider role having the greatest responsibilities.

Strategic Considerations for North American Organizations

With the AI Act coming into full effect in August 2026, it’s essential North American organizations operating in EU markets familiarize themselves with the compliance obligations and how they apply. 

Complying with the AI Act could serve as a market differentiator and a unique selling point that attracts clients and partners who value responsible and ethical AI practices.

If your organization would benefit from specialist data protection or AI governance advice for EU or UK markets, please contact us.

EU AI Act compliance part 4: Essential strategies for North American organizations

Coming next, in the final part of this blog series, we explore some of the best practices to guide you in meeting compliance requirements.

____________________________________________________________________________________________________________

In case you missed it… 

• EU AI Act compliance part 2: Understanding ‘high-risk’ activities
• How GDPR territorial scope impacts North American businesses
• GDPR guide for SaaS companies expanding into EU & UK markets

____________________________________________________________________________________________________________

Don’t miss out on the latest data protection updates – stay informed with our fortnightly newsletter, The DPIA

The post EU AI Act compliance part 3: Roles and requirements for North American organizations appeared first on DPO Centre.

For details of the AI Act’s timeline and deadlines for its phased implementation, see Part 1 of our blog series – EU AI Act compliance part 1: Timeline and important deadlines 

Understanding AI risk categories

The EU AI Act’s risk-based approach to classifying AI systems aims to balance innovation with regulation to prevent harm to health, and ensure safety and fundamental human rights. By assessing risk, the legislation recognizes that not all AI systems pose the same level of threat and that varying levels of control and oversight are required. 

AI systems are categorized into different risk levels based on their potential impact, with the burden of compliance increasing proportionate to the risk. 

These are the three main categories: 

• Prohibited 
• High risk 
• Low risk 

For Canadian and US organizations, these categories apply to any AI systems that affect EU residents or markets, no matter where the system is developed or operated. 

Prohibited systems

AI applications in this category are banned due to their unacceptable potential for negative consequences. 

High-risk systems

These systems have a significant impact on people’s safety, wellbeing and rights, so are subject to stricter requirements. 

Low-risk systems

These systems pose minimal dangers, so have fewer compliance obligations. 

AI applications prohibited by the Act

The prohibitions on unacceptable risk AI systems came into force on February 1, 2025 (see the timeline of the phased implementation schedule here). 

The European Commission will regularly review the list of prohibited AI applications, with the first review scheduled 12 months after the AI Act came into force. 

The table below details the types of AI practices that are the prohibited. These techniques and approaches pose unacceptable risks to health and safety or fundamental human rights, and while some of these practices may be permitted under North American regulations, they are prohibited when serving EU markets. 

What constitutes ‘high-risk’ activity?

Most of the AI Act addresses the regulation of high-risk AI systems, which fall into three distinct categories:

• Standalone AI products already covered by Union product safety laws 
• AI safety components 
• Designated ‘high-risk’ categories 

Let’s explore these high-risk categories in a little more detail: 

Standalone AI products 

This refers to AI systems that are not a component or feature of a larger product, but rather the product in its entirety. Many of these types of products are already regulated by certain EU harmonization laws. Examples include medical devices, heavy industrial machinery, cars, and toys. These are listed in Annex I of the AI Act. 

If you develop or deploy AI systems in a sector with tightly managed safety legislation, it’s highly likely the system will be covered here, and you should check the context of the Annex in full. 

As these products are already subject to strict safety regulations, they are automatically considered a high-risk category under the AI Act. 

AI safety components

This means where an AI system isn’t a standalone product but performs safety-related functions within a product. For example, where an AI system is used for monitoring, controlling, or managing safety features. 

Many of these systems are related to products listed in Annex I of the AI Act, such as industrial machinery, lifts, medical devices, motor vehicles etc. 

The graphic below details the timeline, including some additional and earlier deadlines for specific provisions. 

Designated ‘high-risk’ categories

Certain AI systems not listed in Annex I are also considered high risk. 

This defined list includes systems that would significantly impact people’s opportunities and potentially cause systemic bias against certain groups. 

These systems fall into 8 broad areas: 

Biometrics 

Certain biometric processing is entirely prohibited, as detailed above, but all other biometric processing is classified as high risk (with the exception of ID verification of an individual for cybersecurity purposes – for example, Windows Hello and other biometric login systems used in North American workplaces).  

Critical infrastructure
 

• AI systems used as safety components in managing critical digital infrastructure (similar to the list in Annex I) and utility systems – this applies to Canadian and US organizations providing services or infrastructure solutions to EU markets.  

Education 

• Any AI system determining admissions or evaluating learning outcomes are high risk due to the potential impact on lives (including online learning platforms serving EU students), for example, the risk of perpetuating historic discrimination of women and ethnic minorities.  

Employment & management 

• Any AI system used for recruitment, job application analysis, and candidate evaluation are considered high risk (including North American companies hiring for EU operations or processing EU candidate data). Also, decision-making AI tools used for performance monitoring, work relationships, or termination of employment are high risk.  

Access to essential services 

• Systems determining access to essential services such as public benefits like unemployment, disability and healthcare, or private benefits such as credit scoring systems. This includes Canadian and US financial institutions providing services to EU customers. 

Law enforcement

• Certain tasks are considered high risk, including using lie detectors or similar biometric tools used for testimony assessment, and systems used to assess the likelihood of an individual reoffending.  

Immigration 

• Systems used to assess the security risk of migrants entering the EU, or to process and evaluate asylum claims. AI systems used to verify ID documents are exempt from this.  

Administration of justice and democratic processes 

• This includes AI systems used in legal research or interpreting the law, such as legal databases used by lawyers and judges. Also, systems that could influence voting, like those used to target political ads. 

Exceptions to high-risk and prohibited AI systems

The AI Act exempts certain AI systems otherwise considered high risk or prohibited. 

Prohibited system exemptions are notably for research and national security. 

High-risk system exemptions can apply if the AI system: 

• Performs only a narrow procedural task 
• Improves on the result of a previously completed human activity 
• Detects or monitors bias or other patterns in decision-making, but doesn’t replace human decision-making and is subject to human review 
• Is used for a preparatory task relevant to the assessment of an otherwise high-risk task i.e. you can use AI to help you assess your use case 

What this means for organizations using high-risk AI systems

For Canadian and US organizations, this often means conducting additional risk assessments beyond those required by domestic regulations.  

High-risk AI systems supplied to the EU or affecting EU residents need thorough risk and security assessments and may need EU registration and third-party evaluation. There are also substantial transparency obligations, and users must be clearly informed about how an AI system is deployed and functions. For North American organizations operating globally, this may require maintaining different AI system configurations for EU and non-EU markets. 

If you need advice on ensuring your organization’s AI systems comply with EU requirements, while maintaining efficient operations across North American and European markets, please contact our specialized DPO team. 

EU AI Act compliance part 3: Scope and obligations

Coming next, in part 3 of our blog series, we cover the obligations of the AI Act in more detail, including who the AI Act applies to and what is required. 

Don’t miss out on the latest data protection updates – stay informed with our fortnightly newsletter, The DPIA.

____________________________________________________________________________________________________________

In case you missed it… 

• EU AI Act compliance part 1: Timeline and important deadlines 
• How GDPR territorial scope impacts North American businesses 
• GDPR advise for SaaS companies expanding into EU and UK markets 

____________________________________________________________________________________________________________

For more news and insights about data protection follow The DPO Centre on LinkedIn

The post EU AI Act compliance part 2: Understanding ‘high-risk’ activities appeared first on DPO Centre.

If your organization operates in or serves EU markets and has AI-driven chatbots to handle customer inquiries, develops predictive algorithms for credit risk, or uses image recognition software, the EU’s AI Act may impact how you handle data. 

Understanding the requirements of the AI Act and what will apply to your organization is crucial for compliance. 

In our four-part blog series, we cover: 

1. Timeline and deadlines 
2. What constitutes a high-risk activity? 
3. Who has to comply with the AI Act? 
4. Strategies for achieving AI Act compliance 

EU AI Act compliance part 1: Timeline and important deadlines

The AI Act was approved by the European Council in May 2024. It has a phased implementation schedule over two years, designed to give organizations time to make the necessary changes for compliance. 

The new legislation applies to public and private organizations operating in the EU that develop, deploy, or use AI systems in the EU’s single market. For North American organizations, this includes companies doing business in the EU or providing AI-powered services to EU customers, as well as institutions, government bodies, research organizations and any others involved in AI-related activities that impact EU markets. 

How the AI Act and the GDPR work together 

David Smith, DPO and AI Sector Lead explains: 

‘In many cases the AI Act and the GDPR will complement each other. The AI Act is essentially a product safety legislation designed to ensure the responsible and non-harmful deployment of AI systems. The GDPR is a principles-based law, protecting fundamental human privacy rights.’ 

When did the AI Act come into force?

The AI Act’s finalized text was published in the Official Journal of the European Union on July 12, 2024. It officially entered into force 20 days after publication on August 1, 2024, with the enforcement of most of its provisions starting on August 2, 2026. 

The graphic below details the timeline, including some additional and earlier deadlines for specific provisions. 

August 1, 2024: The AI Act becomes law

February 1, 2025 (+6 months)

Prohibitions on unacceptable risk AI systems apply six months after the AI Act became law.  

Banned AI practices are those deemed to pose unacceptable risks to health and safety or fundamental human rights. We will cover prohibited AI applications in more detail in our next blog. 

With the deadline for compliance on unacceptable risk AI systems already past, organizations should evaluate their risk exposure in this area urgently if they haven’t yet done so. 

May 1, 2025 (+9 months)

The AI Office will finalize the codes of conduct to cover the obligations for developers and deployers of AI systems. These codes will provide voluntary guidelines for responsible AI development and use. 

August 1, 2025 (+12 months)

The rules for providers of General Purpose AI (GPAI) will come into effect and organizations will need to align their practices with these new rules. GPAI refers to advanced AI systems that can perform a wide range of tasks. These include high-compute models where training contains more than 10^25 FLOPS, such as ChatGPT. 

In addition, the first European Commission annual review of the list of prohibited AI applications will happen 12 months after the AI Act enters into force. 

February 1, 2026 (+18 months)

The European Commission will issue implementing acts for high-risk AI providers. This means organizations using high-risk AI systems must follow a standard template to monitor the AI systems after deployment. 

The monitoring plan will help to identify and address any issues or risks, promptly. 

August 1, 2026 (+24 months)

The remainder of the AI Act will apply, including regulations on high-risk AI systems listed in Annex III* of the AI Act. These systems include those related to biometrics and cover technologies such as fingerprint recognition, facial recognition, iris scanning and voice authentication. 

We cover high-risk AI systems in more detail in our next blog. 

EU Artificial Intelligence Act Annex III 

August 1, 2027 (+36 months)

Regulations for high-risk AI systems stipulated in Annex I** become effective. 

EU Artificial Intelligence Act Annex I

By the end of 2030

There are some minor exceptions for certain complex public sector systems that have a longer compliance timeline. 

Coming up next…

EU AI Act compliance part 2: What is ‘high-risk’ activity?

Stay tuned for the second blog in our four-part series, which covers all you need to know about prohibited AI applications and what is categorized as a high-risk activity – stay tuned! 

In the meantime, should you require any advice on EU or UK jurisdiction data protection, our team of expert DPOs can help. We offer a wide range of outsourced privacy services, including AI Governance support for North American organizations operating in EU markets. CONTACT US 

For more privacy updates and breaking news, sign up to our fortnightly newsletter. 

____________________________________________________________________________________________________________

In case you missed it… 

• How GDPR territorial scope impacts North American businesses 
• GDPR advise for SaaS companies expanding into EU and UK markets 
• GDPR Representative: Do you need one? 

____________________________________________________________________________________________________________

For more news and insights about data protection follow The DPO Centre on LinkedIn

The post EU AI Act compliance: What North American organizations need to know  appeared first on DPO Centre.

To help navigate these developments, we spoke to these leading experts in the field: Constantine Karbaliotis, Counsel for nNovation LLP and Sylvia Klasovec, Principal Advisor at Trusteva Consulting

Together, they provide perspective on the challenges and opportunities facing businesses in 2025, offering insights on how businesses can stay ahead in this evolving landscape.  

What does 2025 hold for data privacy in Canada?

The Office of the Privacy Commissioner of Canada (OPC) has set the tone for 2025, pledging this Data Privacy Week to ‘put privacy first’. But with the delay in federal legislation due to the prorogation of Parliament, how will privacy evolve in Canada this year? 

Sylvia believes, “It will be a defining year for our country and our privacy landscape. There will be a fragmented approach to privacy, where the provinces may drive their own privacy laws, just as we saw with Quebec’s Law 25, creating dual compliance regimes and more operational complexity.

“The good news is that our privacy regulators are ahead of the curve, collaborating with international organisations like the Future of Privacy Forum to address emerging challenges, such as children’s privacy, biometrics, and data anonymization. 

“I predict a heavy focus on data and metadata management for AI readiness, emphasizing data quality, integrity, and transparency to support secure and reliable AI governance.” 

How do Canadian privacy practices compare to the EU?

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the EU’s General Data Protection Regulation (GDPR) share foundational similarities but there are key differences in enforcement, scope, and approach.  Both adopt a principles-based approach, although the GDPR has stricter requirements, extra-territorial scope and fines tied to global revenue. PIPEDA generally only applies to companies operating in Canada and fines are capped at $100,000 per violation.

Constantine acknowledges the influence of EU practices on Canadian privacy regulation, especially in a principles-based legal environment: “We can look to jurisdictions like the EU and UK to interpret and take guidance on new situations, and our commissioner looks to Europe to understand how to apply our legislation.” 

What are the key aspects businesses should focus on for complying with PIPEDA?

Constantine suggests organizations focus on two key areas: safeguarding data and third-party developments. 

“First and foremost, always be conscious of the risks and implement the appropriate controls to protect individuals’ data. Secondly, watch what your vendors are doing. As they introduce new features to their services, ask yourself: What does this mean for my business? Are they selling the data, and if so, to whom? And most importantly, is my current risk assessment still valid?”

To help you comply with PIPEDA, it is advisable to take these essential steps: 

• Understand what information your organization collects and processes 
• Implement appropriate technical and organizational measures 
• Ensure appropriate consent is obtained and documented for all data collections 
• Conduct regular training and awareness programmes for employees 
• Establish comprehensive policies and procedures that include: 
  • Purpose specificity, data minimisation, and accuracy 
  • Transparency on how information is collected, used, disclosed, retained, and destroyed 
  • Processes for individual access, challenging compliance, and privacy incident management 

What does pausing Bill C-27 mean for data privacy in Canada?

After nearly three years of review, Bill-C27 was halted when Parliament was suspended on 6 January 2025. 

Key aspects of Bill C-27:

• Consumer Privacy Protection Act (CPPA), which would provide updated privacy protections for individuals 
• Artificial Intelligence and Data Act (AIDA), to establish a risk-based framework to regulate AI 

Privacy experts raise concerns about the impact of the delay

Constantine notes that the EU’s renewal of Canada’s adequacy status in 2024 was a missed opportunity to push meaningful reform forward. 

“When the EU renewed our adequacy finding, they took away the one thing that would have put a fire under our parliamentarians’ butts to actually make them pass a law.” 

Sylvia highlights the gaps in critical areas like children’s privacy, cross-border data transfers, and AI governance. She cautions that, “Without the regulatory guardrails AIDA provides, it could stifle innovation and lead to risky AI projects.
“Consent management will be particularly challenging as global counterparts rely on Legitimate Interests for AI data processing, while Canada follows implied consent rules. This will impact multinational AI companies and market dynamics. Whereas, in the EU, rules require transparency, fairness, and AI risk assessments, to name a few.”

She cautions that, “Without similar regulatory guardrails that AIDA would have offered – though not a perfect solution – innovation may be stifled and AI projects could become more risky.”

How can organizations prepare for future regulations in a rapidly evolving environment?

Constantine thinks that as a trading country, we must consider how our business partners are going to interact with us “Look to laws that exist in other countries to provide a structure and build effective governance around these things.”

Sylvia advises taking cues from international guidelines, calling the EU a “north star” that sets the world stage on the protection of human rights and freedoms. “We look to international guidelines because they usually indicate the direction in which any enacted laws will take shape. Mature Canadian enterprises have already codified much of this into their data management practices and some have gone as far as complementing our Canadian laws with ISO standards, ethical codes of practice, and certifications.” 

Summary

As we commemorate Data Privacy Day 2025, Canada is at a pivotal juncture. With federal legislation on hold and provinces stepping in to fill regulatory gaps, businesses face both challenges and opportunities. 

Insights from Constantine and Sylvia underscore the importance of proactive compliance and alignment with global privacy standards. Organizations should prioritize data governance, stay informed on emerging regulations, and implement robust privacy practices.  

____________________________________________________________________________________________________________

In case you missed it… 

• Privacy in Canada and USA: 2024 highlights and 2025 expectations 
• Canadian privacy laws: PIPEDA and beyond 
• Quebec’s Law 25: A guide to support privacy compliance 

____________________________________________________________________________________________________________

For more news and insights about data protection follow The DPO Centre on LinkedIn

The post Data Privacy Day 2025: Navigating privacy in Canada appeared first on DPO Centre.