In force since 2018 · sharpened by AI

GDPR was not written for AI.
Your evidence pack should be.

GDPR + AI Compliance Kit — £999 one-time + £199/mo monitoring (optional)

Generative AI triggers GDPR at every layer: prompts, embeddings, fine-tuning, and outputs. We map lawful basis, DPIA, automated decision-making, and Chapter V transfers to auditor-ready evidence in days.

Why AI changes the GDPR risk profile

Prompts and outputs are personal data when they identify or infer individuals.
Inference in a third-country cloud is a cross-border transfer requiring Chapter V safeguards.
Consequential automated decisions trigger Article 22 rights and explanations.
Fines reach 4% of global turnover or €20 million, whichever is higher.

Book free readiness check Compare ISO 42001 See all protocols

Choose your tier

Quick Kit

£9one-time

Self-serve lawful-basis checklist and 12-question GDPR + AI scope test.

Get £9 Quick Kit

GDPR + AI Kit

£999one-time

DPIA template, transfer mapping, DSAR workflows, and one signed conformity attestation.

Buy — £999

Pro

£199/month

Continuous control monitoring, quarterly DPIA refresh, and new regulator guidance tracking.

Subscribe — £199/mo

Enterprise

£1,499/month

Multi-tenant, custom lawful-basis logic, DPO support integrations, and unlimited attestations.

Talk sales — £1,499/mo

What's covered

Lawful basis & purpose limitation

We map each AI use-case to the correct Article 6 lawful basis, document purpose limitation, and flag re-purposing risks before the ICO does.

DPIA & high-risk processing

Template Data Protection Impact Assessment tailored to generative AI: model training data, prompt retention, inference logs, and automated decision-making.

Cross-border transfer evidence

Chapter V transfer mechanisms (SCCs, IDTA, Binding Corporate Rules) mapped to hosting location, sub-processor list, and model-provider jurisdictions.

Data subject rights automation

Erasure, portability, and access workflows wired to your memory layer. Right-to-explanation annotations for consequential automated decisions.

Why this matters now

Generative AI systems process personal data at every layer — prompts, embeddings, fine-tuning, feedback. GDPR applies even when no ‘training’ happens.

Fines hit 4% of global turnover or €20M. The ICO, CNIL, and Irish DPC have already opened AI-related cases. Evidence beats policy slides.

A lawful basis gap discovered mid-audit adds 6-12 weeks. The kit front-loads the analysis so due diligence passes the first time.

Cross-border AI inference is a transfer. If your model provider hosts in the US, you need documented Chapter V safeguards.

Frequently asked questions

Does GDPR apply to AI-generated output?

Yes. If the output contains or is derived from personal data — for example, a summary of a customer record, a recommendation, or a profile — GDPR obligations follow the data. Even synthetic data that can be reverse-engineered to identify an individual may be in scope.

What is a GDPR DPIA for AI?

A Data Protection Impact Assessment under GDPR Article 35 evaluates necessity, proportionality, risks to rights and freedoms, and mitigation measures. For AI, it must cover training data provenance, prompt logging, model inference, automated decision-making, and data subject rights.

How do cross-border transfers affect AI systems?

If personal data leaves the UK/EEA — including to a model provider's US cloud for inference — you need a transfer mechanism such as Standard Contractual Clauses (SCCs), an International Data Transfer Agreement (IDTA), or Binding Corporate Rules. The kit documents the mechanism per data flow.

Can MEOK help with data subject access requests?

Yes. The kit includes DSAR workflow templates and, for MEOK-hosted systems, automated retrieval of an individual's data across prompts, memories, and outputs. Erasure and portability are tracked with tamper-evident audit logs.

How long does implementation take?

Most organisations complete the initial gap analysis and DPIA in 5-10 working days. Full workflow integration with existing ticketing and identity systems typically takes 2-4 weeks.

Need a broader AI governance framework?

See the ISO 42001 AIMS kit →

MEOK AI Labs · CSOAI LTD · UK Companies House 16939677

CSOAI

Initializing...

GDPR was not written for AI.
Your evidence pack should be.

GDPR + AI Compliance Kit — £999 one-time + £199/mo monitoring (optional)

Why AI changes the GDPR risk profile

Prompts and outputs are personal data when they identify or infer individuals.
Inference in a third-country cloud is a cross-border transfer requiring Chapter V safeguards.
Consequential automated decisions trigger Article 22 rights and explanations.
Fines reach 4% of global turnover or €20 million, whichever is higher.

Choose your tier

Quick Kit

£9one-time

Self-serve lawful-basis checklist and 12-question GDPR + AI scope test.

Get £9 Quick Kit

GDPR + AI Kit

£999one-time

DPIA template, transfer mapping, DSAR workflows, and one signed conformity attestation.

Buy — £999

Pro

£199/month

Continuous control monitoring, quarterly DPIA refresh, and new regulator guidance tracking.

Subscribe — £199/mo

Enterprise

£1,499/month

Multi-tenant, custom lawful-basis logic, DPO support integrations, and unlimited attestations.

Talk sales — £1,499/mo

What's covered

Lawful basis & purpose limitation

We map each AI use-case to the correct Article 6 lawful basis, document purpose limitation, and flag re-purposing risks before the ICO does.

DPIA & high-risk processing

Template Data Protection Impact Assessment tailored to generative AI: model training data, prompt retention, inference logs, and automated decision-making.

Cross-border transfer evidence

Chapter V transfer mechanisms (SCCs, IDTA, Binding Corporate Rules) mapped to hosting location, sub-processor list, and model-provider jurisdictions.

Data subject rights automation

Erasure, portability, and access workflows wired to your memory layer. Right-to-explanation annotations for consequential automated decisions.

Why this matters now

Generative AI systems process personal data at every layer — prompts, embeddings, fine-tuning, feedback. GDPR applies even when no ‘training’ happens.

Fines hit 4% of global turnover or €20M. The ICO, CNIL, and Irish DPC have already opened AI-related cases. Evidence beats policy slides.

A lawful basis gap discovered mid-audit adds 6-12 weeks. The kit front-loads the analysis so due diligence passes the first time.

Cross-border AI inference is a transfer. If your model provider hosts in the US, you need documented Chapter V safeguards.

Frequently asked questions

Does GDPR apply to AI-generated output?

What is a GDPR DPIA for AI?

How do cross-border transfers affect AI systems?

Can MEOK help with data subject access requests?

How long does implementation take?

Most organisations complete the initial gap analysis and DPIA in 5-10 working days. Full workflow integration with existing ticketing and identity systems typically takes 2-4 weeks.

MEOK AI Labs · CSOAI LTD · UK Companies House 16939677

GDPR was not written for AI.Your evidence pack should be.

Choose your tier

What's covered

Why this matters now

Frequently asked questions

GDPR was not written for AI.Your evidence pack should be.

Choose your tier

What's covered

Why this matters now

Frequently asked questions

GDPR was not written for AI.
Your evidence pack should be.

GDPR was not written for AI.
Your evidence pack should be.