Exploring GDPR, EU AI Act, Compliance Requirements, and Security Protocols for Sensitive Research Data

In the European Union, the General Data Protection Regulation (GDPR) serves as a foundational instrument, mandating stringent controls on personal data processing within AI systems (Novelli et al. 2024). Complementary legislation, such as the EU AI Act, introduces risk-based classifications to ensure ethical deployment (European Data Protection Board 2024). In the United Kingdom, adaptations post-Brexit, including the Data (Use and Access) Act 2025, align with these principles while promoting innovation. These regulations are crucial for handling sensitive research data, which often includes personal health or proprietary information vulnerable to breaches. Compliance requires integrating legal obligations with robust security measures to mitigate risks like data leakage and bias amplification (Taeihagh 2025).

The GDPR, effective since 2018, establishes core principles for processing personal data, including lawfulness, transparency, and accountability, which extend to generative AI contexts (Ruschemeier 2025). It categorises personal data expansively, requiring controllers to justify processing activities, particularly in AI training where vast datasets may inadvertently include sensitive information (Solove 2025). The regulation prohibits automated decision-making with significant effects unless safeguards are in place, a provision increasingly relevant to generative models that could perpetuate biases. Building on the GDPR, the EU AI Act, adopted in 2024, employs a tiered risk framework, designating certain generative AI systems as high-risk and mandating conformity assessments (Novelli et al. 2024). Providers must ensure transparency in training data and outputs, aligning with GDPR's data minimisation principle to prevent over-collection. The Act's phased implementation, with full enforcement by 2026, includes prohibitions on unacceptable risks, such as manipulative AI, and emphasises human oversight (European Data Protection Board 2024). This integration addresses gaps in traditional data protection by focusing on AI-specific harms.

In the UK, the Data (Use and Access) Act 2025 modifies the UK GDPR to facilitate data sharing for research while upholding protections (Taeihagh 2025). It introduces provisions for automated processing in low-risk scenarios and emphasises data sovereignty in cross-border transfers. Globally, these frameworks influence standards, with bodies like the European Data Protection Board (EDPB) advocating harmonised guidelines on AI data scraping (CNIL 2025). Such regulations underscore the evolving need for adaptive governance to balance innovation with rights preservation.

Achieving compliance in generative AI necessitates identifying a lawful basis for data processing under the GDPR, such as consent or legitimate interests, with the latter requiring a rigorous balancing test against individual rights (Ruschemeier 2025). For sensitive research data, explicit consent is often mandated, coupled with transparent notices detailing AI usage (Solove 2025). Data protection impact assessments (DPIAs) are compulsory for high-risk activities, evaluating potential harms like privacy intrusions in model training. The EU AI Act amplifies these by requiring fundamental rights impact assessments for high-risk systems, ensuring non-discrimination and proportionality (Novelli et al. 2024). Transparency mandates compel labelling of AI-generated content to avert misinformation, while accountability involves documenting data provenance and conducting audits (European Data Protection Board 2024). In the UK, the 2025 Act permits broader automated decisions with human intervention safeguards, but retains DPIA requirements for sensitive data. Organisations must address cross-border complexities, employing mechanisms like standard contractual clauses for transfers (Taeihagh 2025). Ongoing staff training and incident reporting protocols enhance compliance, as emphasised by regulatory guidance (CNIL 2025). These requirements foster a proactive stance, integrating ethical considerations throughout the AI lifecycle.

Securing sensitive research data in generative AI demands multifaceted protocols, beginning with encryption and access controls to prevent unauthorised exposure (Achuthan et al. 2024). Techniques like differential privacy add noise to datasets, preserving utility while anonymising personal information during training (Ruschemeier 2025). Federated learning enables model development across decentralised sources without centralising data, reducing breach risks. Provenance tracking logs data origins and transformations, ensuring traceability and compliance with GDPR's accuracy principle (Taeihagh 2025). Intrusion detection systems, powered by AI, monitor for anomalies, while regular vulnerability assessments align with standards like ISO 27001 (Achuthan et al. 2024). For cloud-hosted AI, vendor due diligence verifies adherence to security benchmarks, including multi-factor authentication. These protocols must evolve with threats, incorporating red teaming to simulate attacks and mitigate jailbreaking vulnerabilities (Novelli et al. 2024). Ultimately, they safeguard research integrity, preventing data poisoning or leakage that could undermine scientific validity.

References:

1. Achuthan, Krishnashree, Sasangan Ramanathan, Sethuraman Srinivas, and Raghu Raman. 2024. "Advancing Cybersecurity and Privacy with Artificial Intelligence: Current Trends and Future Research Directions." Frontiers in Big Data 7: 1497535. ^ Back

2. CNIL. 2025. AI and GDPR: the CNIL Publishes New Recommendations to Support Responsible Innovation. Available at: https://www.cnil.fr/en/ai-and-gdpr-cnil-publishes-new-recommendations-support-responsible-innovation (Accessed: 15 July 2025). ^ Back

3. European Data Protection Board. 2024. EDPB Opinion on AI Models: GDPR Principles Support Responsible AI. Available at: https://www.edpb.europa.eu/news/news/2024/edpb-opinion-ai-models-gdpr-principles-support-responsible-ai_en ^ Back

4. Novelli, Claudio, Federico Casolari, Philipp Hacker, Giorgio Spedicato, and Luciano Floridi. 2024. "Generative AI in EU Law: Liability, Privacy, Intellectual Property, and Cybersecurity." Computer Law & Security Review 55: 106066. ^ Back

5. Ruschemeier, Hannah. 2025. "Generative AI and Data Protection." In Cambridge Forum on AI: Law and Governance, vol. 1, p. e6. Cambridge University Press. ^ Back

6. Solove, Daniel J. 2025. "Artificial Intelligence and Privacy." Florida Law Review 77 (1): 1–73. ^ Back

7. Taeihagh, Araz. 2025. "Governance of Generative AI." Policy and Society 44 (1): 1–22. ^ Back