ARTICLE
5 December 2025

Protecting Personal Data In The Age Of AI: Lessons From The Latest EDPS Guidance

Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

The European Data Protection Supervisor (EDPS) AI guidance for EU institutions has lessons for businesses, including for when they input personal information into AI tools. The recommendations from the guidance fall into five categories, which businesses can take as potential principles:

  • Do your diligence. Know where personal information enters AI processes. Personal information can show up in training, during use, and in the results the AI gives. It is important to check every step for risks to personal data.
  • Be transparent. Do not just use public data and hope for the best. Privacy laws impose obligations to tell people why their information is being collected and how it will be used. They also require telling people who will handle their personal data.
  • Be accountable. This means making it clear who is responsible for decisions about personal data and keeping accurate records. In the guide, the EDPS reminds EU Institutions that as AI changes, security risks like hacking become more common. So, businesses need to update their defenses often.
  • Respect the rights of individuals. Let people see, fix, or remove their data, even if the data is hidden in AI systems. This can be technically demanding, but the burden is on the business to make it possible.
  • Be thoughtful. Do not use a check-the-box approach to risk assessments. Before deploying a new generative AI system, conduct a full Data Protection Impact Assessment, question whether all data collection is genuinely necessary, and prefer anonymized or synthetic data where possible. Keeping up with regular checks for accuracy and bias, plus open communication with staff and users, helps build compliance.

Putting it into Practice: These recommendations were directed to EU Institutions, not private businesses. However, they may signal what regulators expect of businesses when implementing AI tools. As AI laws and obligations continue to develop, consider basing your privacy program on these principles from diligence to thoughtfulness. Taking a principle-based approach to compliance can allow your company to more nimbly react as laws develop and change.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
