Artificial intelligence is no longer a topic that belongs only to software engineers or technology companies. It is already entering legal departments, law firms, compliance teams, data protection offices and organisations that need to understand how technology affects their legal obligations.
For lawyers and Data Protection Officers, AI can be useful. It can help with research, document review, internal policies, compliance checklists, contract analysis, preparation of training materials and better organisation of large amounts of information.
But AI also creates new questions.
Can confidential information be entered into an AI tool? Can personal data be processed through AI systems? Who checks the accuracy of AI-generated content? Can an organisation rely on AI when making decisions that affect individuals? What internal rules should exist before employees start using AI in daily work?
These questions are no longer theoretical. They are becoming part of everyday legal and compliance practice.
The European Union has adopted Regulation (EU) 2024/1689, known as the Artificial Intelligence Act, which lays down harmonised rules on artificial intelligence and is the central EU legal framework for AI systems.

AI should help professionals, not replace their judgment
The most useful way to look at AI in legal and data protection work is simple: AI can support professionals, but it should not replace professional judgment.
A lawyer can use AI to prepare a first draft, compare clauses, summarise a long document or structure arguments. But the lawyer must still verify the legal accuracy, check the context, apply the correct law and take responsibility for the final advice.
A DPO can use AI to prepare training materials, organise questions for a data protection impact assessment, draft internal procedures or summarise guidance. But the DPO must still assess the actual processing activity, identify real risks and determine whether the organisation is acting in line with data protection rules.
This distinction is important. AI may speed up work, but it does not understand legal responsibility in the way a qualified professional does. In legal, compliance and data protection work, speed is useful only if the final result is accurate, lawful and properly reviewed.
The AI Act makes risk the central question
The EU AI Act is based on a risk-based approach. This means that AI systems are not regulated in the same way in every situation. The level of obligations depends on the level of risk created by the AI system and its use.
According to the European Commission, the AI Act addresses risks linked to AI and uses a regulatory approach that distinguishes between different levels of risk, including unacceptable risk, high risk, limited risk and minimal or no risk.
This is especially important for lawyers and DPOs because the legal assessment of AI should not start with the tool itself, but with its actual use.
An AI tool used to summarise publicly available legal materials is not the same as an AI system used to assess job candidates, monitor employees, score customers, analyse behaviour or support decisions that may affect someone’s rights or opportunities.
That is why the first practical question should be:
What is the AI system being used for?
After that, the organisation should ask:
What data does the system process?
Does it process personal data?
Who may be affected by the output?
Is the AI used only for support, or does it influence a final decision?
Is there human review?
Are employees trained to use it properly?
Are the risks documented?
For lawyers and DPOs, these questions are the starting point of responsible AI governance.
How AI can help lawyers in practice
AI can be useful in legal work, especially where a professional needs to process large amounts of information quickly.
For example, lawyers can use AI to identify key points in long documents, compare contract versions, prepare the first structure of a legal memo, extract obligations from policies, organise arguments for a case, prepare client-friendly explanations of complex legal topics or create internal checklists.
In contract work, AI may help identify missing clauses, compare obligations between parties or highlight provisions that require closer review. In legal research, AI may help organise questions and summarise materials, provided that all legal sources and conclusions are verified.
The real value is not that AI writes instead of the lawyer. The value is that it can reduce the time spent on repetitive preparation and allow the lawyer to focus more on interpretation, strategy, negotiation and risk assessment.
However, lawyers should be careful with AI-generated legal references, citations and conclusions. AI outputs may be incomplete, outdated or inaccurate. That is why any AI-generated legal content should be treated as a draft, not as final legal advice.
How AI can help DPOs and privacy professionals
For DPOs and privacy professionals, AI can be useful because data protection work often involves many documents, procedures, registers and internal questions.
AI can help prepare drafts of privacy notices, employee data protection notices, internal policies, data protection training, DPIA questionnaires, vendor assessment checklists, breach response templates and summaries of regulatory guidance.
It can also help structure information from different departments. For example, when an organisation wants to understand how personal data is collected, stored, shared and deleted, AI can help organise interview questions, prepare mapping templates and group processing activities by purpose or department.
But the DPO must remain careful. Data protection is not only documentation. It requires understanding how the organisation actually works.
If an AI tool is used in data protection work, the DPO should consider whether personal data is being entered into the tool, whether the tool provider acts as a processor or independent controller, where the data is stored, whether data is used for model training and whether confidential or sensitive information is exposed.
The European Data Protection Board has made clear that AI and data protection must be considered together. In its Opinion 28/2024, the EDPB addressed data protection issues connected with AI models, including when AI models may be considered anonymous, how legitimate interest may be assessed as a legal basis, and what happens if personal data was unlawfully processed during development of an AI model.
For DPOs, this confirms one important point: AI governance cannot be separated from GDPR compliance.
AI and GDPR overlap more often than organisations think
The AI Act does not replace the GDPR.
This is one of the most important practical messages for companies, institutions and professional teams. If an AI system processes personal data, GDPR obligations may still apply.
That means organisations must still consider lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability.
For example, if AI is used to support recruitment, analyse employee performance, classify customers, personalise services, monitor users, assess risk or support automated decisions, the organisation may need to consider both AI Act requirements and GDPR rules.
This is where lawyers and DPOs should work together.
The lawyer may focus on contractual, regulatory and liability issues. The DPO may focus on personal data, transparency, legal basis, data subject rights, DPIA requirements and risk to individuals. The IT or technology team may explain how the system actually works.
Only when these perspectives are connected can the organisation make a serious decision about whether and how to use AI.
AI literacy is now a practical compliance issue
Responsible AI use is not possible if employees do not understand what they are using.
The AI Act contains an obligation related to AI literacy. According to the European Commission’s official AI literacy Q&A, Article 4 of the AI Act requires providers and deployers of AI systems to take measures to ensure a sufficient level of AI literacy among staff and other persons dealing with the operation and use of AI systems on their behalf.
This does not mean that every lawyer, DPO, HR manager or compliance officer needs to become a programmer.
It means that people using AI tools should understand the basic logic, limits and risks of AI systems. They should know that AI outputs can be wrong. They should know when human review is necessary. They should understand that confidential information and personal data cannot be entered into tools without proper assessment. They should know which AI tools are approved by the organisation and for which purposes.
For legal and compliance teams, AI literacy should become part of internal training. It is no longer enough to tell employees: “Use AI carefully.” Organisations need clear rules, examples and procedures.
What organisations should define before using AI
Before AI becomes part of everyday work, organisations should define internal rules.
The first question is which AI tools may be used. Employees often start using publicly available tools before the organisation has assessed whether those tools are appropriate for business use.
The second question is what information may be entered into AI tools. This is critical for law firms, legal departments, DPOs and compliance teams because they often work with confidential documents, personal data, internal investigations, contracts, HR files, business plans and sensitive correspondence.
The third question is who checks the output. AI-generated text may look convincing even when it is wrong. That is why organisations should define when review is mandatory and who is responsible for the final content.
The fourth question is whether AI use should be documented. In some situations, especially where AI supports decisions affecting individuals, documentation may be important for accountability, transparency and risk management.
A serious AI policy should not be a long document that nobody reads. It should answer practical questions that employees actually face:
Can I upload a contract into an AI tool?
Can I use AI to summarise employee data?
Can I use AI to prepare a client email?
Can I use AI to analyse CVs?
Can I rely on AI-generated legal references?
Who approves new AI tools?
What should I do if I make a mistake?
These are the questions that make AI governance useful in practice.
The role of lawyers and DPOs in AI governance
AI governance should not be left only to IT departments.
IT teams understand systems, security and technical infrastructure. But lawyers and DPOs understand legal responsibility, regulatory obligations, personal data, risk, transparency and accountability.
In practice, lawyers and DPOs can help organisations create internal AI policies, review contracts with AI vendors, assess whether personal data is involved, prepare employee training, evaluate risks, define human review procedures and identify situations where additional safeguards are needed.
For DPOs, AI may become one of the most important areas of future privacy work. Many AI systems depend on data, and some of that data may be personal data. This means that privacy by design, data minimisation, transparency and accountability will become even more important.
For lawyers, AI will increasingly appear in contracts, disputes, employment issues, intellectual property questions, technology procurement, liability assessments and regulatory compliance.
This is why professionals who understand both law and technology will have a strong advantage.

How we can help
For many companies and institutions, the problem is not whether AI is useful. The problem is that AI is already being used without clear internal rules.
Employees may be using AI to draft emails, summarise documents, prepare reports or analyse information before the organisation has assessed the legal and compliance risks.
This is where we can help.
We can support companies, institutions, law firms and professional teams in understanding how AI can be used responsibly in legal, compliance, data protection and technology-related work.
Our support can include preparation of internal AI policies, AI literacy training, assessment of AI-related data protection risks, review of internal procedures, preparation of practical guidelines for employees, analysis of AI use cases and support in connecting AI governance with GDPR compliance.
The goal is not to create documents that exist only formally. The goal is to help your organisation understand how AI is actually used, what risks exist and what rules should be established before those risks become a problem.
If your organisation is already using AI tools, or plans to introduce them, now is the right time to define clear rules and ensure that AI supports your work without creating unnecessary legal, compliance or reputational risks.
Official sources used: European Commission, EUR-Lex and European Data Protection Board.
