Is compliance a reason or an excuse?
A few weeks ago I sat in on a vendor call with a client firm. The agenda was a new contract review tool, and the meeting had been pushed for by two of the firm's more forward-looking partners. For the first twenty minutes it went well. The tool ran locally, the data never left the building, and you could watch people in the room start to picture it in their own work. There was that rare thing in a legal technology demo: actual interest. Then someone raised GDPR.
It was not a question so much as a concern, raised in the tone that does not expect an answer. Within a minute the energy was gone and the partners who had organised the call stopped talking. The meeting closed with the firm asking for additional time to review the compliance position, which everyone present understood to mean the project was now, quietly, on hold.
I thought about that call again later, when I opened the recording. It had been shared by link, and the link was open to anyone who had it.
What the regulation actually asks
It is worth being precise here, because the people reading this will be precise for a living.
The GDPR does not prohibit the use of AI tools. It governs the processing of personal data, whatever the technology. For a tool that processes personal data, the relevant questions are finite and known.
First, a lawful basis. Article 6 sets out six, and any one of them is enough: consent, performance of a contract, a legal obligation, vital interests, a public task, or legitimate interests. The European Data Protection Board has been clear that the order implies no hierarchy — the basis has to be the one most appropriate to the circumstances. For most work a firm already does, the basis is the same one it relies on for every other file.
Second, a contract with the provider. Where an external vendor processes personal data on the firm's behalf, Article 28 requires a written agreement that binds the processor on what it may do with the data, what security it applies, and what happens to the data afterwards. This is the data processing agreement. Firms sign these routinely with their document management vendor, their email provider, their cloud host.
Third, location and retention. Where is the data processed? Is any of it transferred outside the EU? How long is it kept? For a tool that runs entirely offline, most of these questions answer themselves.
None of this is exotic. It is the same assessment a firm should already perform before adopting any system that touches client data. A data protection review is a defined exercise with a defined end. What happened on that call was not that exercise, but the avoidance of it.
One point worth separating cleanly: this is a GDPR discussion, not an AI Act one. The AI Act brings its own obligations, on a different timeline, and they sit on top of data protection law rather than replacing it. But "GDPR concerns" and "AI Act concerns" are not interchangeable, and using one to mean the other is the first sign that no assessment has been done.
What "GDPR concerns" usually means instead
GDPR is a real law with real teeth, and treating it seriously is part of the job. It deserves better than to be used as a conversation-ending gesture.
Usage runs ahead of structure, and the pattern is consistent across the market. Eurostat reports that one in five EU enterprises with ten or more employees used AI technologies in 2025, up from 13.5% the year before, with the highest adoption in Denmark, Finland and Sweden. The same enterprise survey records data protection and privacy concerns as one of the most cited reasons for not adopting at all. The concern is real and widely felt. But what is done with it?
In a firm that did the assessment, "GDPR" is part of a routine check. In a firm that never assessed the tool, the "GDPR" conversation usually ends it. The immediate veto is usually a good signal of the absence of a data protection review. Because the work was never done, the concern can never be closed, and the tool sits in indefinite review while everyone moves on to the next thing.
The part nobody examines
Here is the uncomfortable symmetry. The firm pausing a vetted, offline tool over data protection is very often the same firm with genuine, unexamined exposure elsewhere.
The associate pasting a client's draft into a consumer chatbot with no agreement and no idea where the text goes. The matter documents in a personal cloud folder. The meeting recording shared by open link to anyone who has it. None of this went through review, because none of it arrived with a vendor and a slide deck. It simply happened, quietly, while the formal tool waited for a compliance position.
Many of the same firms have done little about the AI literacy duty, which has applied since February 2025 and is untouched by the recent delays to the high-risk rules.
The objection rarely comes from someone who has assessed the tool. It comes from whoever carries the blame if something goes wrong and earns nothing if it goes right. GDPR supplies the vocabulary and the reluctance supplies the motive.
GDPR is a clear set of obligations, and a competent firm can meet them. Many have done that, and they are already using the tools others are still reviewing. Caution is the job, and the worry is usually real. But a real worry still has to be assessed, not just named. When a project stalls there, the law is rarely what stopped it.