
AI TRAINING

GDPR and AI Basics for SMEs

Walk away knowing exactly what GDPR rules apply when your SME uses AI tools.

Format: workshop
Duration: 4–8h
Level: literacy
Group size: 6–20
Price / participant: €300–€800
Group price: €3K–€9K
Audience: SME owners, HR managers, office managers, and anyone in a small or mid-sized business who handles personal data
Prerequisites: No legal or technical background needed; basic familiarity with common business software (email, CRM, HR tools) is sufficient

What it covers

A practical, jargon-free session covering how GDPR intersects with AI tools commonly used by small and medium businesses. Participants learn what data processing is lawful, which vendor contract clauses to demand, what data residency means in practice, and how the EU AI Act affects them. Delivered as a half-day to full-day workshop with real SME scenarios and a compliance checklist to take home. No legal background required.

What you'll be able to do

  • Identify which of your current AI tool uses require a lawful basis under GDPR and state which basis applies
  • Review a vendor Data Processing Agreement and flag missing or inadequate clauses before signing
  • Explain to a colleague or employee what data residency means and why EU-hosted services differ from US-hosted ones
  • Map your business's AI tools against EU AI Act risk categories and identify any that require additional scrutiny
  • Apply the compliance checklist to audit at least one business process involving personal data and AI within a week of the session

Topics covered

  • GDPR fundamentals: lawful basis, consent, legitimate interest — applied to AI tools
  • What AI vendors can and cannot do with your data under GDPR
  • Key clauses to look for in Data Processing Agreements (DPAs)
  • Data residency and cloud storage: EU vs non-EU implications
  • EU AI Act basics: which risk categories apply to SME use cases
  • Handling employee and customer data in AI-powered tools (ChatGPT, CRMs, HR tools)
  • Breach notification obligations and simple incident response steps
  • Quick-win compliance checklist for SMEs

Delivery

Typically delivered in-person or live online (half-day or full-day). Hands-on ratio is approximately 50% instruction and 50% guided exercises using real vendor contracts and SME scenarios. Participants receive a GDPR-AI compliance checklist, a DPA clause reference card, and a one-page EU AI Act cheat sheet. Remote delivery uses breakout rooms for small-group scenario work. No specialist software required — only a browser.

What makes it work

  • Assign a named person (owner or office manager) to own the compliance checklist and review it quarterly
  • Audit all current AI-tool vendor contracts within 30 days of the workshop using the DPA reference card
  • Update employee and customer privacy notices to reflect AI-tool data flows before resuming those workflows
  • Make the session mandatory for anyone who onboards or evaluates new software tools in the business

Common mistakes

  • Assuming a vendor's 'GDPR-compliant' badge on their website means no further due diligence is needed
  • Using free-tier AI tools (e.g. ChatGPT free plan) to process employee or customer personal data without a DPA in place
  • Believing the EU AI Act only applies to large tech companies and ignoring risk-category obligations that affect SME tool buyers
  • Collecting broad AI-powered analytics on customers without a clear lawful basis or transparent privacy notice

When NOT to take this

This workshop is NOT the right fit for a company that already has a dedicated DPO and an established GDPR compliance programme — they need practitioner-level legal counsel or specialist AI governance training, not an awareness session.
