AI Governance Library

Law & Compliance in AI Security & Data Protection

“Organizations might not even have clear answers to more fundamental questions such as: how does the output of an AI system affect things in practice? Or even—is AI used at all here?”
Jakub Szarmach
3 min read
Law & Compliance in AI Security & Data Protection
Law & Compliance in AI Security & Data Protection
Law & Compliance in AI Security & Data Protection.pdf
2 MB
download-circle

⚡ Quick Summary

A structured training resource for privacy professionals navigating the overlap between AI, GDPR, and the AI Act. It demystifies AI system risks across the lifecycle—from design to deployment—through legal analysis, examples, and exercises. Written for DPOs, not developers, it’s modular, accessible, and grounded in practical tasks.

🧩 What’s Covered

The module is split into three parts:

1. Foundations (Part I):

  • Introduces AI-specific risks and technical concepts in plain language
  • Explains how AI systems differ from traditional software in terms of data flows, purpose alignment, and compliance obligations
  • Details how personal data shows up in AI systems as input, output, and training material
  • Distinguishes between security (external interference) and safety (inherent system harms)

2. The AI Lifecycle (Part II):

Using ISO/IEC 5338 as a reference, it outlines compliance tasks across five stages:

  • Inception – Identifying whether AI is needed, lawful, and proportionate
  • Design/Development – Clarifying roles (controller, processor), evaluating data needs, and addressing data quality
  • Verification & Validation – Explains how to measure compliance pre-deployment, including DPIAs, audits, and human oversight
  • Deployment – Covers data subject rights, automated decision-making, and organizational responsibilities
  • Monitoring – Focuses on detecting emerging risks, tracking misuse, and ensuring ongoing accountability

3. Advanced Topics (Part III):

  • Fairness & impact assessment – Covers documentation, equity risks, and legal constraints
  • Transparency – Explains when and how to disclose to public bodies, users, and downstream developers
  • Privacy-Enhancing Technologies (PETs) – Summarizes their role in meeting GDPR’s data minimization and integrity obligations
  • Large Language Models (LLMs) – Outlines privacy risks during training and deployment, and the obligations under systemic risk
  • General-purpose AI – Explains legal obligations under the AI Act and the tension between model opacity and downstream accountability

Also included:

  • Dozens of exercises, multiple-choice questions, and guided discussion prompts
  • Three continuous case studies:
    • A university managing admissions with AI
    • A smart toy company embedding AI in children’s products
    • A hospital using AI for diagnostics and HR

💡 Why it matters?

This is one of the first comprehensive resources designed specifically for DPOs working with AI—not as spectators, but as active risk assessors. It translates the AI Act and GDPR into operational tasks. With the AI Act’s obligations fast approaching, this type of guidance gives privacy teams a head start on practical implementation.

❓ What’s Missing

  • Little attention to redress mechanisms or how to handle individual complaints
  • Doesn’t explore national DPA roles or cooperation mechanisms under the AI Act
  • Ethical questions are mostly bracketed—no discussion of values, legitimacy, or proportionality beyond what’s strictly required by law
  • Liability, enforcement models, and governance coordination are largely outside its scope

👥 Best For

  • DPOs and in-house privacy leads in companies adopting or building AI
  • Public authorities integrating AI tools (e.g., for education, health, citizen services)
  • Consultants and legal advisors building GDPR + AI Act compliance toolkits
  • Trainers and instructors designing AI governance workshops
  • Especially useful for organizations handling high-risk AI systems under the AI Act, or dealing with cross-border processing

📄 Source Details

  • Author: Dr. Marco Almada, postdoc in Cyber Policy, University of Luxembourg
  • Commissioned by: European Data Protection Board (EDPB), Support Pool of Experts
  • Delivered: December 2024
  • Format: 250-page modular training curriculum
  • Disclaimer: Not an official EDPB position. Designed for education, not enforcement.
  • Includes clear references, case studies, and a companion technical module for ICT professionals authored by Enrico Glerean.

📝 Many thanks to Dr. Marco Almada and the SPE programme for offering this standout learning tool for the privacy and AI governance community.

Guide
About the author
Jakub Szarmach

Jakub Szarmach

Read next

OWASP AI Maturity Assessment

Administering and Governing Agents Microsoft (2024)

AI Act Guide – Version 1.1 (September 2025)

AI Alignment vs AI Ethical Treatment: Ten Challenges

AI GOVERNANCE – A Framework for Responsible and Compliant Artificial Intelligence (September 2025)

AI Governance Library

Curated Library of AI Governance Resources

AI Governance Library

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to AI Governance Library.

Your link has expired.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.