5 December 2025

Protecting Personal Data In The Age Of AI: Lessons From The Latest EDPS Guidance

Sheppard, Mullin, Richter & Hampton LLP

Contributor

United States Privacy
Kristi L. Thomas’s articles from Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • within Privacy topic(s)
  • with readers working within the Retail & Leisure industries

The European Data Protection Supervisor (EDPS) AI guidance for EU institutions has lessons for businesses, including when they input personal information into AI tools. The recommendations from the guidance fall into five categories, which businesses can take as potential principles. Namely:

  • Do your diligence. Know where personal information enters AI processes. Personal information can show up in training, during use, and in the results the AI gives. It is important to check every step for risks to personal data.
  • Be transparent. Do not just use public data and hope for the best. Privacy laws impose obligations to tell people why their information is being collected and how it will be used. They also require telling people who will handle their personal data.
  • Be accountable. This means making it clear who is responsible for decisions about personal data and keeping accurate records. In the guide, the EDPS reminds EU Institutions that as AI changes, security risks like hacking become more common. So, businesses need to update their defenses often.
  • Respect the rights of individuals. Let people see, fix, or remove their data, even if the data is hidden in AI systems. This can be technically demanding, but the burden is on the business to make it possible.
  • Be thoughtful. Do not use a check-the-box approach to risk assessments. Before deploying a new generative AI system, conduct a full Data Protection Impact Assessment, question whether all data collection is genuinely necessary, and prefer anonymized or synthetic data where possible. Keeping up with regular checks for accuracy and bias, plus open communication with staff and users, helps build compliance.

Putting it into Practice: These recommendations were directed to EU Institutions, not private businesses. However, they may signal what regulators expect of businesses when implementing AI tools. As AI laws and obligations continue to develop, consider basing your privacy program on these principles, from diligence to thoughtfulness. Taking a principle-based approach to compliance can allow your company to react more nimbly as laws develop and change.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
