Les bases du RGPD et de l'IA pour les PME

Ce qu'elle couvre

Une session pratique et sans jargon couvrant l'intersection entre le RGPD et les outils IA couramment utilisés par les petites et moyennes entreprises. Les participants apprennent quels traitements de données sont licites, quelles clauses contractuelles exiger des fournisseurs, ce que signifie concrètement la résidence des données, et comment le règlement européen sur l'IA les concerne. Dispensé sous forme d'atelier d'une demi-journée à une journée complète, avec des scénarios réels de PME et une liste de contrôle conformité à emporter. Aucune formation juridique préalable n'est requise.

À l'issue, vous saurez

• Identify which of your current AI tool uses require a lawful basis under GDPR and state which basis applies
• Review a vendor Data Processing Agreement and flag missing or inadequate clauses before signing
• Explain to a colleague or employee what data residency means and why EU-hosted services differ from US-hosted ones
• Map your business's AI tools against EU AI Act risk categories and identify any that require additional scrutiny
• Apply the compliance checklist to audit at least one business process involving personal data and AI within a week of the session

Sujets abordés

• GDPR fundamentals: lawful basis, consent, legitimate interest — applied to AI tools
• What AI vendors can and cannot do with your data under GDPR
• Key clauses to look for in Data Processing Agreements (DPAs)
• Data residency and cloud storage: EU vs non-EU implications
• EU AI Act basics: which risk categories apply to SME use cases
• Handling employee and customer data in AI-powered tools (ChatGPT, CRMs, HR tools)
• Breach notification obligations and simple incident response steps
• Quick-win compliance checklist for SMEs

Modalité

Typically delivered in-person or live online (half-day or full-day). Hands-on ratio is approximately 50% instruction and 50% guided exercises using real vendor contracts and SME scenarios. Participants receive a GDPR-AI compliance checklist, a DPA clause reference card, and a one-page EU AI Act cheat sheet. Remote delivery uses breakout rooms for small-group scenario work. No specialist software required — only a browser.

Ce qui fait que ça marche

• Assign a named person (owner or office manager) to own the compliance checklist and review it quarterly
• Audit all current AI-tool vendor contracts within 30 days of the workshop using the DPA reference card
• Update employee and customer privacy notices to reflect AI-tool data flows before resuming those workflows
• Make the session mandatory for anyone who onboards or evaluates new software tools in the business

Erreurs fréquentes

• Assuming a vendor's 'GDPR-compliant' badge on their website means no further due diligence is needed
• Using free-tier AI tools (e.g. ChatGPT free plan) to process employee or customer personal data without a DPA in place
• Believing the EU AI Act only applies to large tech companies and ignoring risk-category obligations that affect SME tool buyers
• Collecting broad AI-powered analytics on customers without a clear lawful basis or transparent privacy notice

Fournisseurs à considérer

• CNIL (Commission Nationale de l'Informatique et des Libertés) — free SME guidance & workshopswww.cnil.fr/fr/intelligence-artificielle →
• OpenClassrooms — RGPD & protection des donnéesopenclassrooms.com/fr/courses/4261271-montez-une-organisation-en-conformite-avec-le-rgpd →
• DataScientest — formation RGPD appliquéedatascientest.com/formation-rgpd →
• Coursera — GDPR and Data Privacy (University of London)www.coursera.org/learn/gdpr →

Sources

• CNIL — Intelligence artificielle et RGPD →
• EU AI Act — Official EUR-Lex Text →