
Your definitive encyclopedia of AI, EU AI Act, data privacy, and compliance terminology. From FRIA to GPAI, DPIA to RoPA — every term, every concept, every regulation explained.
The system of rules, processes, practices and accountability structures that ensure an organisation's use of artificial intelligence is ethical, transparent, compliant and aligned with business strategy. AI governance is not a document — it is an operating model.
Effective AI governance sits at the intersection of three domains: technical oversight (can we explain how this model works?), legal compliance (are we meeting regulatory requirements?) and ethical alignment (are the outcomes fair and justifiable?).
The branch of ethics that examines the moral implications of artificial intelligence systems. It covers issues such as fairness, accountability, transparency, privacy, safety and the impact of AI on employment and society.
AI ethics principles commonly include: transparency, fairness, non-maleficence, accountability, human oversight and privacy by design. These principles are codified in the EU AI Act's requirements for high-risk systems.
Under the EU AI Act, an AI system is defined as a machine-based system designed to operate with varying levels of autonomy that may exhibit adaptiveness after deployment, and that infers from the input it receives how to generate outputs such as predictions, content, recommendations or decisions.
This broad definition captures everything from recommendation algorithms to generative AI models to automated decision-making systems. The definition intentionally avoids specifying particular techniques, ensuring technology-neutral coverage.
Systematic and repeatable errors in a computer system that create unfair outcomes, such as privileging one arbitrary group of users over others. Bias can emerge from training data, algorithm design, or human decisions in the development process.
Types include: historical bias (data reflects past inequities), representation bias (training data doesn't represent the population), measurement bias (faulty data collection) and aggregation bias (one-size-fits-all models).
Decision-making processes carried out by automated means without meaningful human involvement. Under GDPR Article 22, individuals have the right not to be subject to solely automated decisions with legal or significant effects.
The EU AI Act imposes additional requirements on ADM systems, particularly in high-risk domains like recruitment, credit scoring and law enforcement. Organisations must provide human oversight, explanation rights and appeal mechanisms.
Annex III of the EU AI Act lists the specific AI use cases classified as high-risk. These include: biometric identification, management of critical infrastructure, education and vocational training, employment and worker management, access to essential services, law enforcement, migration and administration of justice.
Any AI system used in these domains that is intended to be used as a safety component or that has a significant impact on people's fundamental rights falls under the high-risk classification and must comply with the full set of obligations.
Annex IV specifies the technical documentation that high-risk AI system providers must maintain. This includes: general description of the system, elements of the risk management system, description of data used for training/validation/testing, human oversight measures, and performance metrics.
The documentation must demonstrate that the system complies with the requirements set out in Chapter III of the AI Act and must be kept up to date throughout the system's lifecycle.
The automated recognition of individuals based on their biological and behavioural characteristics, including facial recognition, fingerprint scanning, iris recognition and voice identification.
Under the EU AI Act, real-time remote biometric identification in publicly accessible spaces is classified as a prohibited practice (with limited law enforcement exceptions). Non-real-time biometric identification is classified as high-risk.
Under GDPR Articles 33 and 34, organisations must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible. If the breach is likely to result in a high risk to the rights and freedoms of individuals, they must also be informed directly.
The notification must include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences and measures taken or proposed.
High-risk AI systems placed on the EU market must bear the CE marking, indicating conformity with the EU AI Act. This follows the same New Legislative Framework approach used for other product safety legislation.
The CE marking for AI is obtained after completing a conformity assessment procedure, which may involve self-assessment or third-party notified body assessment depending on the system type.
The process of verifying whether a high-risk AI system meets the requirements set out in the EU AI Act. This includes examining the technical documentation, risk management system, data governance practices and quality management system.
For most high-risk AI systems, the provider can perform an internal conformity assessment. For certain systems (e.g., biometric identification), a notified body must be involved.
Under GDPR Article 4(11), consent is "any freely given, specific, informed and unambiguous indication" of the data subject's wishes. It must be given by a statement or by a clear affirmative action.
Key requirements: freely given (no imbalance of power), specific (separate consent for different purposes), informed (clear plain language), unambiguous (opt-in, not pre-ticked boxes), and withdrawable (as easy to withdraw as to give).
The transfer of personal data from the EU/EEA to third countries (countries outside the EU/EEA). GDPR Chapter V requires that such transfers only occur if the destination country ensures an adequate level of protection or if appropriate safeguards are in place.
Transfer mechanisms include: Adequacy decisions (EU Commission finds country adequate), Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and certified codes of conduct. The Schrems II ruling invalidated the Privacy Shield framework.
GDPR Article 8 provides specific protections for children's personal data in the context of information society services. Where the child is below 16 years, processing is lawful only if consent is given or authorised by the holder of parental responsibility.
Member States may lower this age to not less than 13 years. The EU AI Act further restricts AI systems that exploit the vulnerabilities of children, classifying such systems as high-risk or prohibited depending on the use case.
The overall management of data availability, usability, integrity and security in an enterprise. It encompasses the policies, processes, roles and technologies required to ensure data is managed as a strategic asset.
In the AI context, data governance specifically covers: data quality management (accuracy, completeness, representativeness), data lineage (tracking data from source to model), data access controls and data retention/deletion policies.
The process of assigning labels or tags to raw data (text, images, audio, video) to train supervised machine learning models. Under the EU AI Act, training data practices must meet quality criteria.
The AI Act requires that training, validation and testing datasets be relevant, representative, free of errors and complete for the intended purpose. Data annotation processes must be documented as part of the technical documentation.
Under GDPR Article 4(7), the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The controller is the primary accountable party under GDPR, responsible for: ensuring lawful basis for processing, implementing privacy by design, responding to data subject requests, reporting breaches and maintaining the Record of Processing Activities (RoPA).
Under GDPR Article 4(8), a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Processors must: process data only on documented instructions from the controller, ensure confidentiality, implement appropriate security measures, only use sub-processors with controller authorisation, assist the controller with compliance and return/delete data at the end of the contract.
A systematic evaluation of the privacy risks arising from processing personal data, required by GDPR Article 35 whenever processing is likely to result in a high risk to the rights and freedoms of natural persons.
DPIAs are mandatory for: systematic profiling, large-scale processing of special categories of data, large-scale systematic monitoring of public areas and any processing involving new technologies that may pose high risks. The assessment must describe the processing, assess necessity, identify risks and outline mitigation measures.
An independent public authority established by each EU Member State to monitor the application of GDPR and enforce data protection law. Examples include the Autoriteit Persoonsgegevens (AP) in the Netherlands, the ICO in the UK and CNIL in France.
DPAs have investigative, corrective, authorisation and advisory powers. They can issue fines up to €20 million or 4% of global annual turnover for GDPR infringements. The European Data Protection Board (EDPB) coordinates DPAs across the EU.
A legally binding contract required under GDPR Article 28 between a data controller and a data processor. The DPA must set out the subject matter, duration, nature and purpose of processing, the type of personal data and categories of data subjects.
The agreement must specify: processing only on documented instructions, confidentiality obligations, security measures, sub-processor conditions, data subject rights assistance, data return/deletion and audit rights. Standard Contractual Clauses (SCCs) serve as DPA templates for cross-border transfers.
An identified or identifiable natural person whose personal data is processed. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier or factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
Data subjects have extensive rights under GDPR including: access, rectification, erasure (right to be forgotten), restriction, portability, objection and rights related to automated decision-making.
The comprehensive set of individual rights granted by GDPR Chapter III, including:
Right to Access (Art.15) — obtain confirmation of processing and a copy of personal data.
Right to Rectification (Art.16) — have inaccurate data corrected.
Right to Erasure (Art.17) — "right to be forgotten" under specific conditions.
Right to Restriction (Art.18) — limit processing in certain circumstances.
Right to Portability (Art.20) — receive data in structured, machine-readable format.
Right to Object (Art.21) — object to processing based on legitimate interests or direct marketing.
Controllers must respond to DSRs within one month (extendable to three months for complex requests).
A request made by a data subject to access their personal data under GDPR Article 15. The request can be verbal or written, and the data subject does not need to use a specific form or refer to GDPR.
Upon receiving a DSAR, the controller must provide: the purposes of processing, categories of personal data concerned, recipients or categories of recipients, retention period, existence of rights, source of data (if not from the data subject), and whether automated decision-making is used. Organisations should have a dedicated DSAR handling process.
Under the EU AI Act, a "deployer" means any natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity.
Deployers have specific obligations including: assigning human oversight to natural persons, monitoring the operation of the AI system, informing data subjects when they are subject to high-risk AI systems, conducting fundamental rights impact assessments and retaining logs for the period specified by the AI Act.
A mandatory role under GDPR Article 37 for certain organisations. A DPO must be designated when processing is carried out by a public authority, the core activities involve large-scale systematic monitoring, or the core activities involve large-scale processing of special categories of data.
The DPO must be: independent in performing their tasks, directly reporting to highest management, expert in data protection law and available to data subjects. DPOs can be shared between organisations (DPO-as-a-Service).
An EU body that contributes to the consistent application of GDPR throughout the EU. It is composed of the head of one DPA from each Member State and the European Data Protection Supervisor (EDPS).
The EDPB issues binding decisions in disputes between DPAs, adopts guidelines on GDPR interpretation and promotes cooperation among supervisory authorities. Its decisions are binding on all DPAs.
An independent EU authority responsible for ensuring that the fundamental rights and freedoms of natural persons, particularly their right to data protection, are respected by EU institutions and bodies.
The EDPS also participates in the EDPB and has been actively involved in developing guidance on the intersection of AI and data protection, including opinions on the EU AI Act from a data protection perspective.
A proposed EU regulation that would replace the ePrivacy Directive and complement GDPR by specifically regulating electronic communications. It covers confidentiality of communications, cookie consent, metadata processing and processing in terminal equipment.
Key areas include: cookie consent requirements, processing of electronic communications metadata, over-the-top communications (WhatsApp, Skype) and marketing communications rules. The regulation has been in legislative negotiation since 2017.
The degree to which a human can understand the cause of a decision made by an AI system. Explainability and interpretability are core requirements of the EU AI Act for high-risk systems.
Techniques include: SHAP (SHapley Additive exPlanations), LIME (Local Interpretable Model-agnostic Explanations), feature importance analysis, attention mechanisms and counterfactual explanations. The EU AI Act requires that high-risk AI systems be designed to enable deployers to interpret their output.
A mandatory assessment that deployers of high-risk AI systems must conduct under the EU AI Act. The FRIA evaluates the potential impact of the AI system on fundamental rights such as privacy, non-discrimination, freedom of expression and access to justice.
The FRIA must include: a description of the deployer's processes, description of the high-risk AI system's intended use, identification of affected persons, assessment of potential impacts on fundamental rights, identification of measures to mitigate risks and oversight mechanisms. It is separate from but complementary to the DPIA under GDPR.
An AI model that is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks. Examples include GPT-4, LLaMA, Claude and Gemini.
Under the EU AI Act, GPAI models with systemic risk (those with high impact capabilities, typically >10^25 FLOPs) face additional obligations including: model evaluation, systemic risk assessment and mitigation, incident reporting and ensuring adequate cybersecurity protection.
The process of taking a pre-trained foundation model and further training it on a smaller, task-specific dataset to adapt it for a particular use case. Fine-tuning is significantly more efficient than training a model from scratch.
From a governance perspective, fine-tuning introduces its own risks: data contamination, overfitting, unintended bias amplification and compliance considerations. Organisations must document fine-tuning processes as part of their AI governance records.
GDPR fines: Up to €20 million or 4% of global annual turnover (whichever is higher) for infringements of core provisions. Lower tier: up to €10 million or 2% for lesser infringements.
EU AI Act fines: Up to €35 million or 7% of global annual turnover for prohibited AI practices. Up to €15 million or 3% for violations of AI Act obligations. Up to €7.5 million or 1.5% for providing incorrect information to authorities.
An AI model that is trained with a large amount of data using self-supervision at scale, displaying significant generality and capable of competently performing a wide range of distinct tasks. The EU AI Act uses this term specifically (Article 3(63)).
All GPAI providers must: draw up and maintain technical documentation, provide information to downstream providers, comply with EU copyright law, and publish a summary of training data. Those with systemic risk face additional obligations.
A structured set of policies, processes, roles, metrics and tools that an organisation uses to manage its AI activities responsibly. A governance framework is not a single document — it is an operating model that connects strategy, compliance and operations.
Key components include: AI inventory and risk classification, AI ethics principles, human oversight mechanisms, incident response procedures, stakeholder accountability (Board, DPO, Ethics Committee), continuous monitoring and auditing and employee training programmes.
A type of AI system that can create new content including text (ChatGPT, Claude), images (DALL-E, Midjourney), audio, video and code. Generative AI models are typically built on transformer architectures and trained on massive datasets.
Under the EU AI Act, most generative AI systems are classified as GPAI models with specific transparency obligations. Systems that generate deepfakes or manipulate human behaviour are subject to additional requirements or prohibitions.
A proposed browser-level signal that users can enable to automatically communicate their privacy preferences (such as opting out of the sale or sharing of personal data) to every website they visit. GPC is recognised under several US state privacy laws (CCPA, CPRA, Virginia CDPA).
While not yet required under GDPR, the concept aligns with the principle of privacy by design and may become relevant as browser-based privacy controls evolve in the EU.
AI systems listed in Annex III of the EU AI Act that have a significant potential to cause harm to people's health, safety or fundamental rights. High-risk systems are subject to the full set of compliance obligations.
Categories include: biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to essential services, law enforcement, migration and border control and administration of justice.
A mandatory requirement for all high-risk AI systems under the EU AI Act. Human oversight must be designed to allow natural persons to effectively oversee the AI system during its use, prevent or minimise risks and intervene when necessary.
Measures include: understanding system capabilities and limitations, interpreting outputs, deciding not to use the system in particular situations, intervening on operation through a "stop" button, and correcting inputs or outputs. The deployer must assign oversight to competent natural persons.
A phenomenon where an AI system (particularly a large language model) generates plausible-sounding but factually incorrect or fabricated information. Hallucinations represent a significant risk for organisations using AI for decision-making or content generation.
From a compliance perspective, hallucinations raise concerns under: GDPR accuracy principle (Article 5(1)(d)), EU AI Act transparency requirements and professional liability. Mitigation strategies include retrieval-augmented generation (RAG), output verification workflows and clear disclaimers.
The structural design of shared information environments. In the context of AI governance, IA refers to how data, documents, policies and AI system records are organised so that stakeholders can find and manage them effectively.
A well-designed IA for AI governance typically includes: AI system registry (inventory of all AI systems), document repository (policies, assessments, audits), data catalogue (training data, data lineage) and role-based access (who can see and edit what).
The international standard for AI Management Systems, published in December 2023. ISO/IEC 42001 provides a framework for establishing, implementing, maintaining and continually improving an AI management system within an organisation.
It follows the same High-Level Structure (HLS) as ISO 27001 and ISO 27701, making integration straightforward. The standard covers: AI policy, risk assessment, roles and responsibilities, AI system lifecycle, data management, human oversight and continuous improvement. It is a voluntary standard but demonstrates compliance commitment.
Providers and deployers of high-risk AI systems must report serious incidents to the market surveillance authorities of the Member States where the incident occurred. A "serious incident" means an incident that directly or indirectly led to death, serious damage to health or property, or a breach of fundamental rights.
Reports must be submitted within 15 days of becoming aware of the incident (immediate reporting for critical incidents). GPAI providers with systemic risk must notify the AI Office of systemic risks without undue delay.
The international standard for Information Security Management Systems (ISMS). ISO 27001 provides a systematic approach to managing sensitive company information so that it remains secure.
The standard covers: risk assessment and treatment, security policies, access control, cryptography, physical security, operations security, communications security, incident management and compliance. It is highly complementary to GDPR and EU AI Act security requirements.
An extension to ISO 27001 that specifies requirements for a Privacy Information Management System (PIMS). It provides guidance for organisations that process personal data on their own behalf (data controllers) and on behalf of others (data processors).
ISO 27701 maps directly to GDPR requirements and provides controls for: privacy policies, data subject rights, data sharing agreements, privacy by design and data breach management. It is the most relevant ISO standard for GDPR compliance.
Under GDPR Article 6, every processing of personal data must have a valid lawful basis. The six lawful bases are:
1. Consent — freely given, specific, informed, unambiguous
2. Contract — necessary for a contract with the data subject
3. Legal obligation — necessary for compliance with a legal obligation
4. Vital interests — necessary to protect someone's life
5. Public task — necessary for a task carried out in the public interest
6. Legitimate interests — necessary for legitimate interests (balancing test required)
One of the six lawful bases under GDPR Article 6(1)(f). Processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
A Legitimate Interest Assessment (LIA) is required, involving: purpose test (identify the legitimate interest), necessity test (is processing necessary?) and balancing test (do individual rights override the interest?). The LIA must be documented.
A type of foundation model trained on massive text datasets that can understand, generate and manipulate human language. LLMs use transformer architectures and are the technology behind ChatGPT, Claude, Gemini and similar systems.
Under the EU AI Act, LLMs fall under the GPAI (General Purpose AI) regime. Models with systemic risk face additional obligations. Organisations deploying LLMs for internal use must still comply with transparency requirements, data protection rules and internal AI governance policies.
A Microsoft Purview Information Protection classification that marks content (emails, documents, Teams chats) with a persistent label indicating its sensitivity level. Common label hierarchies include: Public, Internal, Confidential and Highly Confidential.
Labels can enforce protection such as encryption, watermarking, access restrictions and content marking (headers, footers). In AI governance, sensitivity labels help ensure that AI systems only process data appropriate for their classification level.
A risk tier under the EU AI Act for AI systems that interact with humans and pose specific risks of manipulation or deception. This category includes chatbots and systems that generate deepfakes.
Limited risk systems are subject to transparency obligations only — they must make users aware they are interacting with AI (e.g., "I am an AI assistant") and must label AI-generated content including deepfakes. No full conformity assessment is required.
An approach to AI governance that manages risks and compliance throughout the entire AI system lifecycle: from conception and design, through development and training, to deployment, monitoring and retirement.
Key stages: Conception (business case, risk pre-assessment), Design (architecture, data planning, DPIA), Development (training, validation, testing), Deployment (conformity assessment, human oversight setup), Operation (monitoring, incident management) and Retirement (data deletion, handover).
The competent authority in each EU Member State responsible for enforcing the EU AI Act. These authorities monitor the market for AI systems, investigate non-compliance, impose penalties and coordinate with authorities in other Member States.
The AI Office within the European Commission oversees GPAI models with systemic risk, while the European Artificial Intelligence Board (EAIB) coordinates among Member States. Each Member State must designate at least one market surveillance authority.
The default risk tier under the EU AI Act for AI systems that do not fall into any of the higher-risk categories. This includes most AI-powered recommendation systems, spam filters, inventory optimisation and AI-enhanced video games.
Minimal risk systems have no mandatory compliance obligations under the AI Act. However, the Act encourages providers to voluntarily apply codes of conduct for these systems and existing GDPR obligations still apply if personal data is processed.
The central hub in Microsoft 365 for managing compliance policies, data governance, eDiscovery, insider risk and communication compliance. It provides a unified view of compliance posture across the organisation's Microsoft 365 tenant.
Key capabilities: Compliance Manager (assessments and improvement actions), Data Loss Prevention (DLP), Retention policies, eDiscovery (Premium and Standard), Insider Risk Management and Communication Compliance. These tools are foundational for GDPR and EU AI Act compliance in M365 environments.
Microsoft's unified data governance, risk and compliance solution. Purview provides capabilities across three pillars: Information Protection (classification, encryption, labelling), Data Loss Prevention (monitoring and blocking sensitive data sharing) and Information Governance (retention, records management).
For AI governance, Purview is essential because it provides: AI hub (inventory of AI systems), data catalogue (understand what data feeds AI), sensitivity labels (control what AI can access) and audit logging (track AI interactions for compliance).
Microsoft's AI-powered assistant integrated across the Microsoft 365 ecosystem (Teams, Word, Excel, Outlook, PowerPoint). Copilot uses large language models (GPT-4 via Azure OpenAI Service) with organisational data from Microsoft Graph.
From a governance perspective, Copilot inherits the user's permissions (it can only access what the user can access), respects sensitivity labels and DLP policies, and provides audit logs. Organisations must implement Copilot governance policies covering data access, prompt monitoring and output review.
The datasets used to train, validate and test an AI model. Under the EU AI Act, training data governance is a core compliance requirement for high-risk AI systems.
Requirements include: data must be relevant, representative, free of errors and complete; appropriate data governance and management practices must be applied; biases must be examined and mitigated; and data limitations must be documented. Organisations must maintain records of data sources, preprocessing steps and quality assurance measures.
An independent third-party conformity assessment body designated by an EU Member State to assess whether high-risk AI systems meet the requirements of the EU AI Act. Notified bodies are accredited against ISO/IEC 17065.
Most high-risk AI systems can use internal conformity assessment. However, certain systems (e.g., biometric identification systems) require mandatory third-party assessment by a notified body. Notified bodies issue EU Type-Examination certificates for compliant systems.
A voluntary risk management framework published by the US National Institute of Standards and Technology (NIST) in January 2023. It helps organisations increase the trustworthiness of their AI systems by managing risks to individuals, organisations and society.
The framework has two parts: Part 1 (Foundational Information) covering AI risks and trustworthy AI characteristics, and Part 2 (Core and Profiles) with four functions: Govern, Map, Measure and Manage. While voluntary, it is widely recognised and can support EU AI Act compliance.
The state of an organisation's preparedness to adopt, deploy and manage AI systems in compliance with regulations and internal policies. Readiness encompasses people, processes, technology and governance.
Key readiness dimensions: Governance (policies, roles, accountability), People (skills, training, awareness), Process (assessment, monitoring, incident response), Technology (tools, infrastructure, security) and Data (quality, governance, lineage). Executive Shield Partners offers an AI Act Readiness Assessment that evaluates all these dimensions.
A natural or legal person, public authority, agency or other body that develops an AI system or a GPAI model or that has an AI system or a GPAI model developed and places it on the market or puts it into service under its own name or trademark.
Providers bear the primary responsibility for AI Act compliance. Their obligations include: ensuring conformity with requirements, establishing a quality management system, maintaining technical documentation, keeping logs, ensuring traceability, conducting conformity assessment and cooperating with authorities.
AI systems and practices that are banned outright under Article 5 of the EU AI Act due to their unacceptable risk to fundamental rights. These include:
• Subliminal techniques to materially distort behaviour causing harm
• Exploitation of vulnerabilities of specific groups (children, elderly, persons with disabilities)
• Social scoring by governments
• Real-time remote biometric identification in publicly accessible spaces (with limited LE exceptions)
• Untargeted scraping of facial images from internet/CCTV
• Emotion recognition in workplace and education (except medical/safety)
• AI systems that infer emotions in law enforcement, border, workplace and education
A mandatory system that providers of high-risk AI systems must establish to actively and systematically collect, document and analyse relevant data provided by deployers or gathered through other sources on the performance of AI systems throughout their lifetime.
The monitoring system must enable the provider to evaluate the continuous compliance of AI systems with the requirements of the AI Act. When providers become aware of a serious incident, they must immediately inform the relevant market surveillance authority.
An approach to projects that promotes privacy and data protection compliance from the start. GDPR Article 25 requires data controllers to implement appropriate technical and organisational measures designed to implement data protection principles effectively.
Key principles: Proactive not Reactive (preventative, not remedial), Privacy as Default (maximum privacy settings by default), Privacy Embedded into Design, Full Functionality (positive-sum, not zero-sum), End-to-End Security, Visibility and Transparency and Respect for User Privacy.
A principle that requires organisations to ensure that only necessary personal data is processed by default. Under GDPR Article 25(2), only personal data which is necessary for each specific purpose of the processing is processed by default.
This applies to: the amount of personal data collected, the extent of processing, the period of storage and accessibility. In AI systems, privacy by default means minimising training data, using synthetic data where possible and limiting model access to necessary personnel.
Any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as:
Name, identification number, location data, online identifier (IP address, cookie ID, device ID) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Pseudonymised data is still personal data. Anonymised data (irreversibly de-identified) is not.
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Under GDPR, profiling with legal or similarly significant effects triggers Article 22 rights. Under the EU AI Act, profiling systems used for certain purposes are classified as high-risk.
The practice of designing and refining inputs (prompts) to AI systems, particularly LLMs, to obtain desired outputs. Effective prompt engineering can significantly improve output quality, reduce hallucinations and constrain responses to appropriate domains.
From a governance perspective, organisations should: document approved prompt patterns, train employees on safe prompting, implement prompt monitoring (detect sensitive data in prompts), establish guardrails (system prompts that constrain behaviour) and review outputs before use in decisions.
The practice of monitoring user prompts submitted to AI systems (such as Microsoft Copilot) to detect potential risks including: sharing of sensitive data, attempts to bypass guardrails, generation of harmful content and compliance violations.
Microsoft 365 provides audit logging for Copilot interactions through the Purview compliance portal. Organisations can configure Communication Compliance policies to detect sensitive content in prompts and can export Copilot interaction logs for regulatory reporting.
The process of identifying, analysing and evaluating risks associated with AI systems. Under the EU AI Act, risk assessment is a continuous process that must be integrated throughout the AI system lifecycle.
The NIST AI RMF defines risk assessment as: Identify (catalogue risks), Analyse (assess likelihood and impact), Evaluate (compare against risk criteria) and Treat (implement controls). The EU AI Act requires providers to establish and maintain a risk management system as a continuous iterative process.
A mandatory system under EU AI Act Article 9 that providers of high-risk AI systems must establish, implement, document and maintain. It must be a continuous iterative process run throughout the entire lifecycle of a high-risk AI system.
The system must: identify and analyse known and foreseeable risks, estimate and evaluate risks that may emerge when the system is used, evaluate other possibly arising risks based on post-market monitoring data and adopt suitable risk management measures.
A mandatory internal register required under GDPR Article 30. Controllers and processors must maintain a record of all processing activities under their responsibility, containing: the name and contact details of the controller, purposes of processing, categories of data subjects and personal data, categories of recipients, transfers to third countries, retention periods and a general description of security measures.
The RoPA is the foundation of GDPR compliance and is the first document a supervisory authority will request during an audit. For AI systems, the RoPA should specifically document the AI use case, training data sources and automated decision-making logic.
Under GDPR Article 17, data subjects have the right to obtain the erasure of personal data concerning them without undue delay. The right applies when: data is no longer necessary, consent is withdrawn, the data subject objects, data was unlawfully processed or erasure is required by law.
In the context of AI, the right to erasure raises complex questions about model unlearning — removing the influence of specific training data from a trained model. This remains an active area of research and is currently extremely difficult for large models.
Under GDPR Article 20, data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit that data to another controller without hindrance. This applies when processing is based on consent or contract and is carried out by automated means.
For AI systems, this means organisations must be able to export not just raw data but also any inferences, profiles or scores derived from that data. The right to portability does not apply to processing necessary for a task carried out in the public interest.
A technique that enhances LLM outputs by retrieving relevant documents from a knowledge base before generating a response. RAG grounds the model's responses in specific, verifiable information rather than relying solely on the model's training data.
RAG is one of the most effective techniques for reducing hallucinations and ensuring AI outputs are accurate, sourceable and compliant. It also supports data governance by controlling exactly what information the AI can access.
The foundational principle of both the EU AI Act and GDPR. Rather than imposing uniform rules on all AI systems or all data processing, regulations apply obligations proportionally to the level of risk.
The EU AI Act has four risk tiers: Minimal risk (no obligations), Limited risk (transparency only), High risk (full compliance) and Unacceptable risk (prohibited). Similarly, GDPR requires DPIAs only for high-risk processing. This approach balances innovation with protection.
Under GDPR Article 9, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for identification), health data and data concerning sex life or sexual orientation.
Processing of special category data is prohibited unless an exception applies, including: explicit consent, employment/social security obligations, vital interests, not-for-profit bodies, manifestly made public, legal claims, substantial public interest and health/social care.
Pre-approved contract templates issued by the European Commission for transferring personal data from the EU/EEA to third countries. SCCs are one of the primary mechanisms for lawful cross-border data transfers post-Schrems II.
The current version (2021) includes modules for: Controller-to-Controller, Controller-to-Processor, Processor-to-Processor and Processor-to-Controller transfers. Organisations must conduct a Transfer Impact Assessment (TIA) to verify that the destination country's laws don't undermine the protections.
A risk that is specific to the high-impact capabilities of general-purpose AI models, having a significant impact on the EU market due to their reach, or actual or reasonably foreseeable negative effects on public health, safety, security, fundamental rights or society.
GPAI models are presumed to have systemic risk when the cumulative amount of computation used for training exceeds 10^25 floating point operations (FLOPs). Models with systemic risk face additional obligations: red-teaming, systemic risk assessment and mitigation, incident reporting and ensuring adequate cybersecurity.
Microsoft Information Protection (MIP) labels that classify and protect content based on sensitivity. Labels are: persistent (travel with content), enforced (automatically apply protection) and customisable ( organisation-defined).
Common label tiers: Public (no restriction), General (internal sharing), Confidential (restricted sharing with encryption) and Highly Confidential (strictly controlled). In AI governance, sensitivity labels ensure Copilot and other AI tools only access appropriately classified data.
Risks arising from AI components sourced from third parties, including: third-party models, APIs, training data, cloud infrastructure and development tools. The EU AI Act addresses this through obligations on both upstream providers and downstream deployers.
Organisations must perform vendor due diligence on AI suppliers, verify compliance documentation, understand data handling practices and maintain visibility into the supply chain. The AI Act's "provider" definition captures anyone placing an AI system on the market under their own name.
Artificially generated data that mimics the statistical properties of real data without containing actual personal information. Synthetic data is created using generative models (GANs, VAEs, diffusion models) trained on real data.
Benefits for privacy: no actual personal data (reduces GDPR obligations), preserves statistical utility for training AI models and enables data sharing without disclosure risks. However, organisations must ensure synthetic data doesn't inadvertently reveal information about individuals (membership inference attacks).
A landmark CJEU ruling (Case C-311/18, July 2020) that invalidated the EU-US Privacy Shield framework. The court found that US surveillance laws (FISA Section 702, EO 12333) did not provide essentially equivalent protection to EU data protection standards.
Post-Schrems II, organisations transferring data to the US must: use Standard Contractual Clauses (SCCs), conduct a Transfer Impact Assessment (TIA) and implement supplementary measures (encryption, pseudonymisation) if the TIA identifies risks. The 2023 EU-US Data Privacy Framework partially addressed this but Schrems III may follow.
The unauthorised use of AI tools by employees without organisational approval or oversight. Shadow AI is the AI equivalent of "shadow IT" and represents a significant compliance risk as these tools may process sensitive data, generate non-compliant outputs or expose the organisation to security breaches.
Common shadow AI examples: employees using personal ChatGPT accounts with company data, using unapproved AI coding assistants, or leveraging consumer AI image generators with proprietary designs. Governance requires detection, acceptable use policies and provision of approved alternatives.
Microsoft 365's vector-based search index that powers Copilot. The Semantic Index maps the relationships between people, content and activity across the Microsoft 365 tenant, creating a searchable knowledge graph that Copilot queries to generate contextual responses.
Key governance considerations: the index respects existing permissions (Copilot can only surface what the user can access), sensitivity labels are enforced, and administrators can exclude specific content locations from the index. Purview eDiscovery can also search the Semantic Index.
A level of risk above minimal risk but below high risk. AI systems in this category are subject to transparency obligations — primarily the obligation to inform users that they are interacting with an AI system.
This includes: chatbots (must disclose they are AI), emotion recognition systems (must inform users), biometric categorisation systems (must inform subjects) and AI-generated content (must be labelled as artificially generated or manipulated). No conformity assessment is required.
Comprehensive documentation that high-risk AI system providers must draw up before placing a system on the market, as specified in Annex IV of the EU AI Act. The documentation must demonstrate that the system complies with all applicable requirements.
Required elements: general description of the AI system, algorithm and architecture, elements of the risk management system, description of datasets, human oversight measures, performance evaluation results, description of changes since previous versions and the quality management system.
High-risk AI systems must undergo rigorous testing and validation before deployment. The EU AI Act requires testing to be performed using representative datasets, covering scenarios that reflect the intended use and foreseeable misuse.
Validation must demonstrate that the system achieves the claimed performance, is robust to expected variations in input data and performs equitably across different demographic groups. Testing results must be documented in the technical documentation and updated throughout the system lifecycle.
Requirements under the EU AI Act that AI systems must be designed and used in a transparent manner. Transparency obligations apply at all risk levels but are most extensive for high-risk systems and limited-risk systems interacting with humans.
Key requirements: inform users they are interacting with AI (chatbots, deepfakes), disclose AI-generated content, provide clear instructions for use, make capabilities and limitations known and ensure outputs are interpretable by deployers. High-risk systems must also have explainable outputs.
An approach to AI development and deployment that prioritises ethical principles, human rights, safety and societal wellbeing. The EU High-Level Expert Group on AI defined seven key requirements: human agency and oversight, technical robustness and safety, privacy and data governance, transparency, diversity/non-discrimination/fairness, societal and environmental wellbeing and accountability.
The concept is the philosophical foundation of the EU AI Act and shapes its risk-based approach. Organisations pursuing trustworthy AI should embed these principles into their governance frameworks, development processes and organisational culture.
A mandatory assessment that organisations must conduct before transferring personal data from the EU/EEA to third countries using Standard Contractual Clauses (SCCs). The TIA evaluates whether the laws and practices of the destination country undermine the level of protection guaranteed by the SCCs.
Steps: 1. Map the transfer (what data, to whom, where), 2. Verify transfer tool (SCCs), 3. Assess destination country laws (surveillance, government access), 4. Identify supplementary measures (encryption, pseudonymisation) if needed, 5. Document and re-evaluate periodically.
The highest risk tier under the EU AI Act. AI systems and practices classified as posing an unacceptable risk to fundamental rights, safety or EU values are prohibited outright under Article 5.
Examples: subliminal manipulation causing harm, exploitation of vulnerable groups, social scoring by governments, untargeted facial recognition scraping, real-time biometric identification in public spaces (with limited exceptions) and emotion recognition in workplace/education. Violations can result in fines up to €35 million or 7% of global turnover.
The European Artificial Intelligence Office established within the European Commission to oversee the implementation and enforcement of the EU AI Act, particularly for GPAI models. The AI Office has powers to: evaluate GPAI models, request information, conduct evaluations, establish codes of practice and impose penalties.
The AI Office works alongside the European Artificial Intelligence Board (EAIB) and national market surveillance authorities. For systemic-risk GPAI models, the AI Office is the primary enforcement body.
A subset of data used to evaluate a model during training and tune hyperparameters. The validation set is separate from the training set (used to train the model) and the test set (used for final evaluation).
Proper validation is critical for compliance: the EU AI Act requires that datasets be split appropriately, that validation reflects real-world conditions and that performance metrics be computed on representative holdout sets. Data leakage (using test data during training) invalidates performance claims.
The process of assessing AI vendors and their products before procurement to ensure they meet regulatory requirements, security standards and organisational governance policies. Essential for managing third-party AI risk.
Key diligence areas: AI Act compliance status (conformity assessment, CE marking), data handling practices (training data sources, retention), security certifications (SOC 2, ISO 27001), model performance and bias testing, explainability capabilities, incident history and contract terms (liability, data ownership, audit rights).
Traditional AI development followed a waterfall approach (requirements, design, build, test, deploy), which made governance checkpoints clear but was slow. Modern AI governance must work with agile and DevOps workflows where models are continuously updated.
The solution is "governance by design" — embedding compliance checks into CI/CD pipelines: automated bias testing on commits, automated documentation generation, gated deployments requiring human review for high-risk changes and continuous monitoring dashboards.
Methods and techniques in artificial intelligence that make the decision-making process of AI systems understandable to humans. XAI is a core requirement of the EU AI Act for high-risk systems and is essential for meeting GDPR transparency obligations.
Common XAI techniques: SHAP (SHapley Additive exPlanations), LIME (Local Interpretable Model-agnostic Explanations), attention mechanisms (highlighting what the model focuses on), feature importance (ranking input features by influence), counterfactual explanations ("what would need to change for a different outcome?") and saliency maps (for image models).
Understanding who does what is critical for building an effective governance operating model.
An independent expert responsible for monitoring GDPR compliance, providing advice on data protection obligations, cooperating with supervisory authorities and acting as the contact point for data subjects and the DPA.
The DPO reports directly to the highest management level, must not receive instructions on how to perform their duties and must have adequate resources. A single DPO can serve multiple organisations (DPO-as-a-Service).
A DPO who has earned a professional certification in data protection from an accredited body. Common certifications include: IAPP CIPP/E (Certified Information Privacy Professional/Europe), EXIN CDPO and BSI Data Protection Practitioner.
Certification demonstrates expertise in EU data protection law, GDPR implementation, DPIA methodology and DPO operational practices. GDPR requires the DPO to have "expert knowledge of data protection law and practices" — certification is strong evidence of this.
A professional certified in AI governance principles and practices. The AIGP credential (offered by IAPP and BCG) covers: understanding AI technology and its impacts, applying AI governance frameworks, managing AI risk, ensuring regulatory compliance and implementing ethical AI practices.
The AIGP complements the DPO role: while the DPO focuses on data protection, the AIGP brings expertise in AI-specific governance including the EU AI Act, model risk management, AI ethics and the intersection of AI and privacy.
The executive responsible for the organisation's information technology and systems. In the AI governance context, the CIO ensures that AI systems are deployed on secure infrastructure, that data governance controls are technically enforced and that IT operations support compliance requirements.
CIO responsibilities for AI: infrastructure security for AI systems, access control implementation, data architecture that supports governance, monitoring and logging and integration of AI governance tools into the IT landscape.
The organisation's top legal executive responsible for ensuring compliance with laws and regulations. In AI governance, the CLO oversees legal compliance with the EU AI Act, GDPR and other applicable frameworks, manages regulatory relationships and advises on liability and contractual matters.
Key activities: regulatory interpretation, contract review for AI procurement, incident response legal coordination, litigation preparedness and board reporting on legal risk.
A cross-functional governing body that provides strategic oversight of AI activities. The board typically includes representatives from: executive leadership, legal/compliance, IT/security, data science, business operations, HR and external advisors.
Responsibilities: approving the AI strategy, setting governance policies, reviewing high-risk AI approvals, overseeing incident response, ensuring accountability and reporting to the main board. Best practice: meet quarterly with ad-hoc meetings for incidents.
A specialist who bridges machine learning and DevOps, responsible for automating the ML lifecycle: data preparation, model training, validation, deployment, monitoring and retraining. MLOps engineers ensure models are deployed reliably, monitored continuously and updated safely.
In governance, MLOps engineers implement: model versioning, automated testing pipelines, drift detection, audit logging, reproducibility and rollback capabilities. They are critical for maintaining AI Act compliance across the model lifecycle.
A natural person assigned to oversee AI system outputs, empowered to override decisions, correct errors and escalate issues. The EU AI Act requires human oversight for all high-risk AI systems.
Requirements: reviewers must have adequate competence and authority, must understand the system's capabilities and limitations, must be able to intervene on operation (including a "stop" mechanism) and must not be subject to automation bias (the tendency to defer to AI outputs uncritically). Training and refresher programmes are essential.
Essential reference information for compliance planning.
Prohibited (Unacceptable Risk) — Banned outright. Social scoring, subliminal manipulation, exploitation of vulnerable groups, untargeted facial recognition scraping. Fines: up to €35M or 7% of global turnover.
High Risk — Full compliance. Biometric ID, critical infrastructure, education, employment, essential services, law enforcement, justice. Requires: CE marking, conformity assessment, risk management, technical documentation, human oversight, accuracy testing, post-market monitoring. Fines: up to €15M or 3%.
Limited Risk — Transparency only. Chatbots, emotion recognition, biometric categorisation, deepfakes. Must disclose AI interaction. No conformity assessment.
Minimal Risk — No obligations. Most AI systems. Voluntary codes of conduct encouraged.
August 2024 — AI Act enters into force (20 days after publication in Official Journal)
February 2025 — Prohibited AI practices ban takes effect (6 months after entry into force)
August 2025 — GPAI model obligations apply (12 months after entry into force)
August 2026 — High-risk AI system obligations apply (24 months after entry into force)
August 2027 — Full enforcement for all categories (36 months after entry into force)
Tier 1 (up to €20M or 4% of global turnover) — Violations of: basic principles for processing (Art.5), conditions for consent (Art.7), data subjects' rights (Arts.12-22), transfers to third countries (Art.44), non-compliance with DPA orders.
Tier 2 (up to €10M or 2% of global turnover) — Violations of: controller/processor obligations (Arts.25-39), DPO requirements (Arts.37-39), certification obligations, data breach notification (Arts.33-34).
Largest fines to date: Meta €1.2B (2023), Amazon €746M (2021), Instagram €405M (2022).
1. Lawfulness, fairness and transparency — Processing must be lawful, fair and transparent to the data subject.
2. Purpose limitation — Collect for specified, explicit and legitimate purposes; no further incompatible processing.
3. Data minimisation — Adequate, relevant and limited to what is necessary.
4. Accuracy — Keep data accurate and up to date; rectify or erase inaccurate data.
5. Storage limitation — Keep no longer than necessary for the purposes.
6. Integrity and confidentiality — Process securely using appropriate technical and organisational measures.
7. Accountability — Controller is responsible for and must be able to demonstrate compliance.
A DPIA (Data Protection Impact Assessment) is required under GDPR Article 35 and focuses specifically on risks to personal data and privacy rights. A FRIA (Fundamental Rights Impact Assessment) is required under the EU AI Act Article 27 and has a broader scope, covering all fundamental rights including non-discrimination, freedom of expression, access to justice and workers' rights. Many organisations conduct both assessments in parallel for high-risk AI systems.
Yes. The EU AI Act has extraterritorial scope similar to GDPR. It applies to: providers who place AI systems on the EU market (regardless of where they are established), deployers of AI systems within the EU and providers and deployers outside the EU where the output is used in the EU. This means a US, UK or Asian company offering AI services to EU customers must comply.
A Provider develops or commissions the development of an AI system and places it on the market under their own name or trademark. Providers bear the primary compliance responsibility including conformity assessment, technical documentation and CE marking. A Deployer uses an AI system under their authority. Deployers have obligations including: assigning human oversight, monitoring system operation, informing data subjects and conducting fundamental rights impact assessments. The same entity can be both provider and deployer.
No. ISO/IEC 42001 is a voluntary standard. However, it provides an excellent framework for implementing the management system requirements of the EU AI Act. The AI Act requires providers to establish a quality management system — ISO 42001 offers a ready-made structure for this. Many organisations will pursue ISO 42001 certification as a way to demonstrate compliance readiness and build stakeholder trust.
Check Annex III of the EU AI Act — if your use case is listed there, it is high-risk. High-risk categories include: biometric identification, critical infrastructure management, education and training, employment and worker management, access to essential services (credit scoring, insurance), law enforcement, migration and administration of justice. Additionally, AI systems that are safety components of products already regulated under EU product safety legislation are high-risk. If in doubt, consult a qualified AI governance professional.
Shadow AI is the unauthorised use of AI tools by employees without organisational approval. Management requires a three-pronged approach: 1. Detect — monitor network traffic for AI tool usage, scan for consumer AI accounts with corporate email, review expense claims. 2. Prevent — implement an AI acceptable use policy, block consumer AI sites where appropriate, deploy enterprise AI alternatives (e.g., Copilot). 3. Educate — train employees on approved AI tools, data handling rules and the risks of shadow AI.
Executive Shield Partners helps organisations build audit-ready AI governance inside Microsoft 365. From readiness assessments to full implementation, we make demonstrable compliance achievable.