Kaius resource · AI Act + GDPR checklist

AI Act + GDPR checklist for law firms

Thirty control points grounded in the official texts (Regulation EU 2024/1689 and GDPR) to assess your firm's maturity on AI.

01

1. AI mapping and governance

Foundational: know which AI tools are used at the firm, by whom, for what matters, and train the team.

0/4

02

2. Classifying use cases

The AI Act follows a risk-based approach. Each use case must be classified: prohibited, high-risk, transparency-specific, or limited risk.

0/4

03

3. Vendors and GPAI models

Using a general-purpose AI model (Anthropic, OpenAI, Mistral, Google…) involves a chain of responsibilities between the model provider, the solution provider and the deploying firm.

0/4

04

4. GDPR — Legal basis and minimisation

Every submission of personal data to an AI model is a processing operation under the GDPR and must rest on a clear legal basis.

0/4

05

5. GDPR — Data subject rights and DPIA

AI use must remain compatible with informing data subjects and enabling their rights, especially in the case of automated decision-making.

0/4

06

6. Security, transfers and legal privilege

AI use must strengthen — never weaken — the level of security and the legal privilege that apply to the lawyer.

0/4

Your maturity

0% · High risk

0 item(s) validated out of 24

Educational tool published by Kaius. It does not constitute legal advice and does not replace the analysis of a lawyer or your DPO. Sources: Regulation (EU) 2024/1689 (AI Act) and Regulation (EU) 2016/679 (GDPR).