
AI TRAINING

GDPR Essentials for Small Service Businesses Using AI

Equip small service firms to use AI tools lawfully, handle personal data responsibly, and respond to breaches confidently.

Format: workshop
Duration: 6–8h
Level: literacy
Group size: 4–16
Price / participant: €350–€900
Group price: €3K–€8K
Audience: Owners, managers, and compliance-responsible staff at small clinics, agencies, accountancy firms, and law practices using AI tools
Prerequisites: No prior legal or technical training required; participants should have basic familiarity with the AI tools their organisation currently uses

What it covers

A focused one-day workshop designed for small clinics, agencies, accountants, and legal practices that use AI-powered tools in their day-to-day operations. Participants learn to identify the correct lawful basis for AI-assisted processing, negotiate Data Processing Agreements with AI vendors, and manage sub-processor chains. The session also covers practical data minimisation techniques, how to handle Subject Access Requests that involve AI-generated outputs, and the basics of breach detection and notification. Approximately 40% of time is spent on hands-on exercises using real contract templates and scenario walkthroughs.

What you'll be able to do

  • Identify the correct lawful basis for each AI-assisted personal data processing activity in your business
  • Review an AI vendor's DPA and flag missing or inadequate sub-processor clauses
  • Apply data minimisation principles to at least two existing AI workflows in your organisation
  • Draft a compliant response to a Subject Access Request that involves AI-generated content
  • Execute the first steps of a personal data breach response, including assessing notification obligations within 72 hours

Topics covered

  • Lawful basis for AI-assisted personal data processing (consent, legitimate interest, contract)
  • Reviewing and negotiating Data Processing Agreements with AI vendors
  • Mapping sub-processor chains for common AI tools (e.g. ChatGPT, Copilot, Jasper)
  • Data minimisation and purpose limitation in AI workflows
  • Handling Subject Access Requests that involve AI-generated outputs
  • Breach detection basics and the 72-hour notification process to CNIL or the relevant data protection authority
  • Practical checklist for onboarding a new AI tool compliantly
  • Record of Processing Activities (ROPA) entries for AI use cases

Delivery

Delivered in-person or via live virtual session (Zoom/Teams). Participants receive a compliance toolkit including a DPA review checklist, a ROPA template pre-filled for common AI tools, and a breach response flowchart. Hands-on ratio is approximately 40% exercises, 60% facilitated instruction. Group size capped at 16 to ensure individual Q&A time. Remote delivery adds a 30-minute async pre-read module sent 48 hours in advance.

What makes it work

  • Designating a single named person (even part-time) responsible for AI compliance decisions before the workshop
  • Completing the DPA review exercise using the firm's actual AI vendor contracts rather than generic examples
  • Updating the ROPA within two weeks of the workshop while knowledge is fresh
  • Scheduling a 90-day follow-up check-in to review any new AI tools onboarded since training

Common mistakes

  • Assuming that accepting an AI vendor's standard Terms of Service is a sufficient Data Processing Agreement
  • Failing to map sub-processors — many popular AI tools route data through multiple third-party infrastructure providers
  • Treating AI-generated outputs as outside the scope of Subject Access Requests when they contain or are derived from personal data
  • Underestimating breach notification timelines by conflating internal investigation time with the 72-hour regulatory clock

When NOT to take this

This workshop is not the right fit for a firm that already has a dedicated DPO or in-house legal counsel handling GDPR — those organisations need a technical deep-dive on AI risk assessments (DPIA) and model governance, not foundational compliance literacy.

This training is part of a Data & AI catalog built for leaders serious about execution.