Module · GDPR meets the prompt box

The AI Privacy Operations Check

Your privacy programme was built for databases and forms, not for staff pasting customer emails into a chatbot. AI does not suspend data protection law; it just moves the processing somewhere your controls may not reach. This module checks the five places where GDPR discipline meets AI reality: processor contracts, data minimisation in prompts, subject-request traceability, impact assessments, and retention in the logs.

Question 1 of 5 · Processors are contracted

Do you have a data processing agreement with every AI tool that touches personal data?

Every vendor that processes personal data on your behalf needs an Article 28 contract, not just terms of service. Free browser chatbots and plugins count as processors the moment a customer name goes in. Without the contract, you are the one exposed when the regulator asks who authorised it.

Question 2 of 5 · Prompts stay minimal

Is anything stopping staff from pasting more personal data than a task needs into AI tools?

Data minimisation is a legal duty, and the prompt box is where it quietly fails. People paste the whole email thread when a summary needs two lines, the full spreadsheet when one column would do. A rule people know beats a rule that only exists in the policy PDF.

Question 3 of 5 · You can answer requests

When someone asks what you did with their data, can you account for the AI steps?

A subject access or erasure request covers every processing step, including the ones an AI tool performed. If you cannot say what was sent, to which tool, and whether it can be deleted, you cannot answer the request honestly. 'We are not sure what the AI kept' is not a defensible reply.

Question 4 of 5 · Risky uses assessed

Have you run a data protection impact assessment for your riskier AI use cases?

A DPIA is mandatory where processing is likely to be high risk, and AI on personal data at scale usually qualifies. It is not paperwork for its own sake: it forces you to see the risk before deployment, not after a complaint. One generic assessment across everything is a way of doing none.

Question 5 of 5 · Logs do not hoard

Do the personal data sitting in your AI logs and prompt history have a deletion schedule?

Prompts, outputs and tool logs quietly accumulate personal data, and storage limitation applies to them too. Indefinite retention turns a helpful audit trail into a growing breach surface. The question is whether anything actually deletes, or whether the logs just grow.

For the statistics · one click each

Three questions for the public picture

These do not affect your score. They feed the anonymised, aggregated statistics; groups under 8 respondents are never shown.

How many of your AI tools have a signed data processing agreement?

None
Some
Most
All of them
We do not know

Have you completed a data protection impact assessment for any AI use case?

None
Planned
For some use cases
For all high-risk uses
Not sure

How often does personal data end up in prompts to public AI tools?

Never, we are confident
Rarely
Often
Routinely
We cannot tell

Your context

Used to calibrate the report. Company size and sector remain in the anonymized dataset; your email does not.