aigdprcompliance

GDPR and AI: what Irish businesses need to know before automating customer data

8 June 2026 7 min read

Every Irish business that touches customer data is regulated by GDPR and the Data Protection Commission. AI doesn't get a free pass. The good news: using AI responsibly is mostly about a handful of sensible defaults, not a 60-page Data Protection Impact Assessment. Here's what actually matters in 2026.

The five things the DPC will care about

  1. 1.Lawful basis — why are you processing this data at all?
  2. 2.Data minimisation — are you sending more than the AI needs?
  3. 3.Transparency — does the customer know AI is involved?
  4. 4.Data residency — where does the data physically go?
  5. 5.Sub-processors — who else gets a copy along the way?

ChatGPT, Claude and Gemini: the consumer vs API distinction

This is the single most common mistake we see. Pasting a customer email into chat.openai.com is not the same as calling the OpenAI API from your CRM. The consumer apps may use your inputs to train models unless you turn that off; the paid API and enterprise tiers explicitly do not. If your team is using ChatGPT free or Plus on real customer data, fix that first.

Where the data actually goes

All three major model providers now offer EU-region or zero-retention endpoints suitable for Irish business use:

  • OpenAI — EU data residency available on the API for enterprise and standard plans on request.
  • Anthropic (Claude) — EU region via AWS Bedrock or Google Vertex.
  • Google Gemini — EU region via Vertex AI.
  • Open-source models (Llama, Mistral) — can be hosted entirely inside the EU on your own infrastructure.

If a vendor cannot tell you which country your data is processed in, that's your answer — keep looking.

Data Processing Agreements (DPAs)

Any provider handling personal data on your behalf is a data processor under GDPR. You need a DPA in place with each of them. The big providers publish standard DPAs online; smaller vendors should sign yours or theirs without a fuss. If they won't sign one, walk away — you're the one liable when it goes wrong.

Transparency to your customers

You don't have to plaster "AI INSIDE" across your site. You do need:

  • A line in your privacy notice explaining you use AI to process enquiries.
  • Clear disclosure when a customer is talking to an AI voice or chat agent (the EU AI Act now requires this).
  • A way for a customer to ask for a human instead.
  • A record of the decision logic if the AI is making a meaningful decision about them (e.g. credit, hiring, insurance).

Sensitive data: the extra caution

Health records, legal matters, children's data, financial details — these are "special category" or high-risk under GDPR. Don't pass them to a general-purpose model without specific safeguards: EU-only processing, no retention, redaction of identifiers where possible, and a documented DPIA if you're processing at scale.

The questions to ask any AI vendor in Ireland

  1. 1.Where, geographically, is my data processed?
  2. 2.Do you retain my prompts or outputs, and for how long?
  3. 3.Will you sign a DPA?
  4. 4.Who are your sub-processors and where are they?
  5. 5.What happens to my data if I cancel?
  6. 6.Is your service covered by your own ISO 27001 / SOC 2 audits?

Any reputable vendor — including us — answers these in under five minutes. Anyone who can't, won't, or who needs to "check with engineering and get back to you" is not ready to handle Irish customer data.

The short version

Use the paid API, not the consumer chat. Pick EU-region endpoints. Sign DPAs. Tell customers when AI is involved. Don't feed sensitive data to general models. Most of GDPR compliance for AI is exactly the GDPR compliance you should already have — applied to a new category of vendor.

See how we handle data on Irish automation projects

Go

Want a site built like our advice?

Honest pricing, no monthly lock-in, AI speed with a designer's eye.

See pricing

Cookie Preferences

We use cookies to improve your experience. Necessary cookies are always on. Analytics cookies help us understand how visitors use our site.