Why claims of 100% GDPR compliance for AI software are a myth

100% GDPR compliant” claims seem to have made a big comeback with the flurry of GenerativeAI tools being released*.
As a reminder, claiming that a software solution is GDPR compliant is a marketing trick at best and misleading at worst.

First, if you’re not sure what the sources are on which a particular AI system was trained, you are in dire need of actionable guarantees. (Not just for data protection but also intellectualproperty, security and lawfulness of training data more generally)

Next, if the tool can draw insights from how you use it, you are really missing the bigger picture about how personal data is being processed.

In addition, AI or not, a tool in and of itself is insufficient for compliance, as there is a whole lot more to be done regarding processes, policies, contracts etc. So even if theoretically something might be “GDPR compliant”, it might not change the fact that your use of it could be non-compliant because you don’t have the rest in place.

I also hope you look beyond the statement and think about your compliance more broadly. The GDPR isn’t the only law you need to comply with – far from it – and your intended use of the tool might push you towards non-compliance with those laws if you are not careful.

So don’t trust the marketing, make your own assessment – and it might be handy to bring in a lawyer to help out.

* I have seen it come up regarding a number of CRM tools recently announced, for instance.

[Little anecdote there: I recently asked a sales chatbot service about its own claims and the chatbot responded in platitudes like “Y takes measures to comply…”. If you are going to make a bold claim of compliance, back it up, and make sure your bot has the right talking points!]