AI Act + GDPR checklist for law firms
Thirty control points grounded in the official texts (Regulation EU 2024/1689 and GDPR) to assess your firm's maturity on AI.
1. AI mapping and governance
Foundational: know which AI tools are used at the firm, by whom, for what matters, and train the team.
0/4
2. Classifying use cases
The AI Act follows a risk-based approach. Each use case must be classified: prohibited, high-risk, transparency-specific, or limited risk.
0/4
3. Vendors and GPAI models
Using a general-purpose AI model (Anthropic, OpenAI, Mistral, Google…) involves a chain of responsibilities between the model provider, the solution provider and the deploying firm.
0/4
4. GDPR — Legal basis and minimisation
Every submission of personal data to an AI model is a processing operation under the GDPR and must rest on a clear legal basis.
0/4
5. GDPR — Data subject rights and DPIA
AI use must remain compatible with informing data subjects and enabling their rights, especially in the case of automated decision-making.
0/4
6. Security, transfers and legal privilege
AI use must strengthen — never weaken — the level of security and the legal privilege that apply to the lawyer.
0/4
Your maturity
0% · High risk
0 item(s) validated out of 24
Educational tool published by Kaius. It does not constitute legal advice and does not replace the analysis of a lawyer or your DPO. Sources: Regulation (EU) 2024/1689 (AI Act) and Regulation (EU) 2016/679 (GDPR).