GDPR-ready workplace AI rollouts need purpose limits, data minimisation, a DPIA for higher-risk use cases, clear employee guidance, and controls that reduce personal data before it is submitted to AI tools.
Controller responsibility in practice
When your employees use an AI tool for work purposes, your organization is the controller for the personal data they put into prompts. That means the familiar obligations apply: lawful basis, purpose limitation, data minimisation, and the rest.
The challenge is that AI tools have made it much easier to accidentally process personal data at scale. A single support team member can run hundreds of prompts per day, each potentially containing customer names, contact details, or account information.
Treat AI usage as a workflow risk, not only a procurement risk. The vendor's terms matter, but so does what employees actually do with the tool.
DPIA: when do you need one?
A DPIA is most relevant when the use case is likely to create high risk for individuals. Practical triggers include:
- Systematic processing of special category data (health, religion, political views)
- Processing at scale that would not otherwise be subject to oversight
- Combining datasets in ways that create new risks
Not every use of ChatGPT requires a DPIA, but using it to process customer health records or employee performance data very likely does. Document which categories of data should never enter public AI tools as a starting point for your risk assessment.
Data minimisation: the practical approach
The GDPR principle of data minimisation means using only the personal data necessary for the purpose. In prompt terms, this means:
- Remove identifiers that the AI does not need to complete the task
- Replace real names and addresses with generic placeholders
- Mask sensitive values like account numbers or dates of birth
Employees cannot do this automatically. They need a tool that shows them what is sensitive in their prompt before they submit it, so they can make the right choice in the moment.
Keep evidence of training, controls, and review without turning the product into surveillance.
What employees need to know
They should know:
- Which tools are approved for which use cases
- What categories of data are out of scope for AI tools (special categories, confidential client data, credentials)
- How to anonymise or mask prompts when working with sensitive content
- Where to escalate if they are unsure
A good policy is short, specific, and tied to real workflows. Write rules employees can remember during real work, not a 20-page document they sign once and never read again.
Frequently asked questions
Do all AI tools require a DPIA? Not always. A DPIA is most relevant when the use case is likely to create high risk for individuals.
What should employees know? They should know which tools are approved, what data is out of scope, and how to anonymise or mask prompts.