GDPR & the EU AI Act:An AI-Infrastructure Checklist

Two regimes now govern AI deployments touching EU data subjects: the GDPR, which governs personal data, and the EU AI Act, which governs AI systems by risk tier. They overlap. This guide cuts through the legal text to what they actually require of your infrastructure — and gives you a checklist to pressure-test a deployment against both.

OrientationTwo regimes, one stack

It helps to keep the two regimes' jobs distinct, then see where they intersect on your infrastructure.

GDPRWhat GDPR asks of your infrastructure

GDPR is principles-based, but several principles translate directly into infrastructure requirements:

• Lawfulness & purpose limitation — you can name the legal basis and purpose for every category of data the AI processes.
• Data minimisation — the system retrieves and exposes to the model only the data necessary for the task; PII is masked where it isn't needed.
• Security of processing (Art. 32) — encryption in transit and at rest, access control, tenant isolation, and the ability to demonstrate them.
• Storage limitation & erasure — data can be deleted on request and on retention expiry, including from vector stores and logs.
• Records & accountability — you can produce a record of processing activities and demonstrate the controls, not just assert them.
• Transfers — where data leaves the EU (e.g. a closed API), an appropriate transfer mechanism (such as SCCs) and a transfer risk assessment are in place.

GDPRWhen you need a DPIA

A Data Protection Impact Assessment is required where processing is likely to result in a high risk to individuals — which large-scale AI processing of personal data frequently is. A DPIA documents the processing, assesses necessity and proportionality, evaluates the risks, and records the mitigations. Treat it as the artefact that ties your infrastructure controls back to the legal requirement.

EU AI ActThe risk tiers, and what they demand

The EU AI Act classifies systems by risk and attaches obligations accordingly. The tier your use case falls into determines how heavy the infrastructure burden is:

Most general-productivity AI sits in the limited or minimal tier, where the headline duty is transparency. But the moment a system influences a decision about a person — hiring, lending, eligibility — high-risk obligations attach, and your infrastructure must produce logging, traceability and human-oversight hooks.

ChecklistThe AI-infrastructure checklist

Data & residency

• Inference and storage are pinned to a known, documented jurisdiction.
• Personal data is minimised and PII is masked before it reaches a model where not needed.
• Data can be deleted on request and on retention expiry — including from vector stores and logs.

Security & access

• Encryption in transit (TLS 1.3) and at rest (AES-256), with documented key management.
• Tenant and role isolation enforced in the retrieval layer, not just the UI.
• Cross-border transfers covered by an appropriate mechanism and a transfer risk assessment.

Transparency, logging & oversight

• Users are told when they are interacting with an AI system or AI-generated content.
• Every AI interaction is logged immutably with enough detail to reconstruct what happened.
• For high-risk uses, a human-oversight path and technical documentation exist.

Governance & paperwork

• A DPIA exists where processing is high-risk.
• A signed DPA is in place with every processor; a BAA where health data is involved.
• A record of processing activities and a control matrix are available for review.