AI and Data Protection: A GDPR-Compliant Rollout, Case Study
Photo: FlyD / Pexels
Key takeaways
- AI and data protection meet the moment personal data enters a prompt, not before.
- A UK accountancy firm's rollout worked because they mapped data flows before picking tools, not after.
- The near-miss: a free-tier tool almost went live before anyone checked its training defaults.
- A data processing agreement and a documented lawful basis were the two things that actually mattered to their auditor.
- The rollout took six weeks from data mapping to sign-off, most of it spent waiting on vendor DPAs, not writing policy.
AI and data protection collide the moment personal data goes into a prompt box, and for a UK or EU business that means GDPR is already in scope whether anyone planned for it or not. This case study follows a 40-person accountancy firm through a real rollout: how they approached it, where they nearly got it wrong, and what an auditor actually asked to see at the end. It's a useful template because their situation is ordinary, not a large enterprise with a dedicated privacy office, just a normal firm handling normal client financial data.
The starting point
The firm's junior staff had already been experimenting informally with AI tools for drafting client emails and summarising meeting notes, entirely on personal accounts, before anyone senior had looked at it. That's a common starting point, and it's not a crisis on its own, but it meant the data-protection question wasn't hypothetical by the time leadership engaged with it. Client names, account numbers and financial figures had already passed through at least one free-tier AI tool. The rollout project had to deal with that history, not just design a clean process going forward.
Step one: mapping data flows before picking tools
Rather than starting with 'which AI tool should we buy', the firm's data protection lead started with 'what personal data do we actually handle, and where would AI plausibly touch it'. That produced a short, specific list: client names and addresses in correspondence drafting, financial figures in summarisation tasks, and staff personal data in HR-adjacent uses like performance-review drafting. Mapping this first meant every subsequent tool decision could be tested against a real requirement rather than a guess, which saved real time later when vendors asked what the data actually was.
The near-miss
Midway through, one team had shortlisted a free AI writing tool for drafting client communications, on the strength of a colleague's recommendation, without anyone checking its data-training defaults. It was three days from informal approval when the data protection lead ran it through the firm's AI vendor risk assessment and found the free tier trained on user content by default, with no DPA available at that pricing level. The business tier of the same tool did offer a DPA and a no-training commitment. They switched tiers before rollout, not after, which is the outcome you want, but it was closer than it should have been.
What the lawful basis conversation actually looked like
Under UK GDPR, any processing of personal data needs a lawful basis, and for most AI-assisted drafting work the firm settled on legitimate interests, since the processing was proportionate, expected by clients in the context of ordinary correspondence, and didn't involve special category data. They documented this reasoning in a short legitimate interests assessment rather than relying on consent, which would have been unworkable to obtain and withdraw for every routine email draft. This is the part that took the most internal debate, not the tool selection itself.
What the auditor actually asked for
When the firm's SOC 2 auditor reviewed the rollout six months later, the two documents that mattered most were the signed DPA with each AI vendor and the short written record of the lawful basis decision. Nobody asked for a lengthy AI ethics statement or a governance committee charter. The audit trail that mattered was boring and specific: which vendor, what data, what lawful basis, what contract terms. That's a useful signal for any team assuming an audit demands more ceremony than it actually does.
Timeline and effort
Start to sign-off took roughly six weeks, but the vast majority of that was spent waiting on vendor responses to DPA requests, not on internal policy writing. The data mapping took two days. The policy and lawful basis documentation took another two. The rest was follow-up emails to vendors and one tier switch after the near-miss. For a firm this size, that's a realistic timeline to budget for, and the bottleneck to expect is vendor paperwork, not internal disagreement.
What to copy from this
Map data flows before shortlisting tools, so every vendor conversation starts from a specific requirement. Run every candidate tool through a risk assessment that checks training defaults and DPA availability before informal approval hardens into habit. Document your lawful basis in writing, even briefly, since that's what an auditor will actually ask for. And budget for vendor DPA turnaround time, not internal debate, as the real constraint on your timeline. None of this requires specialist tooling beyond a written AI usage policy and a habit of checking before adopting.
What they'd do differently next time
The firm's data protection lead was candid about one thing they'd change: they'd run the free-tier tool through the vendor risk assessment before anyone shortlisted it, not after informal approval was already in motion. The near-miss happened because a colleague's recommendation carried more early weight than the vetting process, simply because vetting hadn't yet become the automatic first step. Their fix was small but effective: any new AI tool now gets a five-minute risk check the moment it's suggested, not once a team has already started planning to use it, which removes the awkward step of walking back an informal commitment.
How this generalises beyond accountancy
None of the mechanics here are specific to an accountancy firm. Any UK or EU business handling client or staff personal data, a recruitment agency, a healthcare provider, a professional services firm, faces the same basic sequence: map where personal data meets AI use, check training defaults and DPA availability before informal approval, document a lawful basis, and expect an auditor to ask for exactly those two things rather than a broader governance narrative. The specific data categories change by sector, but the shape of the process, and the near-miss pattern that catches teams out, tends to look remarkably similar across industries.
The cost of getting this wrong versus getting it right
It's worth being concrete about what was actually at stake in this case study. A confirmed personal data breach involving client financial information can trigger mandatory notification to the ICO within 72 hours under UK GDPR, potential fines, and, often more damaging in practice for a professional services firm, the loss of client trust that follows any public data-handling failure. Against that, the actual cost of doing this properly was roughly six weeks of part-time effort from one person and no direct spend beyond the AI tool subscriptions the firm was already planning to pay for. That asymmetry, modest upfront effort against a genuinely serious downside, is the strongest argument for treating AI and data protection as a rollout requirement rather than an afterthought.
What the firm learned about staff behaviour along the way
One unplanned finding surprised the data protection lead more than anything in the formal risk assessment: staff overwhelmingly wanted clear rules rather than resenting them. The informal AI use that predated the rollout hadn't come from staff deliberately cutting corners; it came from nobody having told them where the line was. Once a clear, written boundary existed, along with an easy way to ask about a new tool, informal workarounds largely stopped on their own, without any disciplinary conversation ever being necessary. That pattern, that most data protection failures around AI stem from absent guidance rather than deliberate disregard, is one worth remembering before assuming a rollout needs to be adversarial.
| Phase | What happened | Duration |
|---|---|---|
| Data mapping | Identified where personal data meets AI use | 2 days |
| Tool vetting | Risk assessment caught a free-tier training default | 1 week |
| DPA negotiation | Waited on vendor paperwork; drove the switch to business tier | 3 weeks |
| Policy and lawful basis | Documented legitimate interests assessment | 2 days |
| Sign-off | SOC 2 auditor reviewed DPA and lawful basis record | Ongoing, annual |
“Organisations must be able to demonstrate compliance with the data protection principles, and this includes decisions made when using AI.”