← Journal
FR EN NL
Compliance · GDPR · May 11, 2026 · 8 min read

AI agents and GDPR: the checklist before launching a pilot

Launching an AI agent pilot has never been easier. That is exactly why you need a checklist.

In 2026, standing up an AI agent pilot takes a few days. One use case, one tool, two motivated people, and you're off. The technology is no longer the bottleneck.

The bottleneck should be somewhere else. Before you connect that agent to real calls, real CVs, real customer records or real workplace photos, one question matters: what personal data will this agent process, and who is responsible for it?

GDPR does not forbid AI. It asks for four things: understand the data you process, limit it to what you actually need, secure it, and be able to explain how it is used. None of those four requirements is exotic. All four are settled before the pilot — not after.

Why GDPR comes before the pilot, not after

There is a comfortable misconception: "It's just a pilot, we'll deal with compliance when we go to production." Wrong.

A pilot does not run on fake data. It runs on real operational data, because that is the whole point: customer names and phone numbers, call recordings or transcripts, candidate CVs, employee HR data, workplace photos. GDPR applies from the very first dataset. Not above a certain volume. Not from production onward.

And it is not alone. The EU AI Act governs so-called high-risk uses — including employment and workplace safety, two areas AI agents land in directly. It entered into force in August 2024, and most of its obligations apply from August 2026. In other words: the regulatory calendar has already caught up with you.

The good news: settling these questions upfront does not slow a pilot down. It keeps the pilot from becoming a dead end — the one where the demo works but deployment is legally impossible.

The checklist before you launch

Here are the questions to ask — in this order — before you write the first line of configuration.

  • 1. What is the exact purpose of the agent? A specific workflow, not "test AI." "Answer missed calls outside business hours and send a summary to the sales team" is a purpose. "See what AI can do" is not. GDPR speaks of a specified purpose: without it, nothing else holds.
  • 2. What personal data will it process? Be literal. A workplace photo contains identifiable people. A CV is dense personal data — career history, implied age, sometimes health or origin. List every field, not every "category."
  • 3. Can the pilot use LESS data? This is data minimization, and it is often the highest-return step. Blur faces. Keep summaries rather than recordings. Test on anonymized or synthetic data. Delete pilot data when you're done. Restrict access. If a piece of data is not needed to prove value, it should not enter the pilot.
  • 4. Where is data stored and processed? Inside the EU? Which third-party model providers are involved? Is the data used to train a model? What do the logs contain, and how long are they kept? A vague answer here is a "no."
  • 5. Who is controller, who is processor? You usually remain the data controller. The vendor is a processor. That requires a Data Processing Agreement and a clear view of subprocessors — the model provider, the host, the transcription tool.
  • 6. Does the agent DECIDE, or only assist? An agent that rejects a candidate on its own, or closes a non-conformity on its own, is making an automated decision — sensitive ground under both GDPR and the AI Act. The safer design is "AI recommends, humans decide."
  • 7. How are people informed? Transparency is not a 20-page policy nobody reads. It is a clear, plain-language notice: here is that an AI agent is processing this call, this CV, this photo, and why.
  • 8. Is a DPIA needed? A Data Protection Impact Assessment is required when processing is sensitive or large-scale — HR data, monitoring, profiling. Ask the question early: the answer shapes the whole pilot design.
  • 9. How are errors and hallucinations handled? An AI agent gets things wrong. Plan for correction, escalation to a human, and the ability to pause the pilot immediately. A pilot you cannot stop is not a pilot.
  • 10. What happens after the pilot? Deletion of test data, defined retention periods, access removed. A pilot has an end date — and that date must be planned before the start date.

Ten questions. None of them needs a full-time lawyer. All of them need a written answer before you connect the first piece of real data.

A fast pilot can still be a responsible pilot

The trade-off between "move fast" and "stay compliant" is a false dilemma. Data minimization often makes a pilot faster: less data to integrate, less risk surface, fewer last-minute discussions. A clear purpose speeds up configuration. An exit plan avoids the chaotic clean-up.

The best AI pilot is not the one that looks impressive in a demo. It is the one you can deploy in the real world without rewriting anything.

That is exactly where BeLogic starts every project: not with "which agent do you want?" but with "what data is in play, and how do we handle it cleanly?" Sentinel, Nova and Aria are designed in that order — compliance first, demo second.

A well-designed AI agent is not the one that does the most. It is the one whose handling of every piece of data you can calmly explain. Tick the ten boxes. Then launch the pilot.