Agentic AI and GDPR: The Elephant in the room!
We were recently asked by a new client to evaluate their US-based agentic AI. We conducted a detailed data audit, followed by a data protection impact assessment (DPIA). Once that work was finished, we concluded that we would have to engage with the Data Protection Commission (DPC) on the client's behalf, because the DPIA raised several red flags that, in our view, were simply not compatible with the GDPR. That engagement was the inspiration for this note.
Artificial intelligence is evolving fast. We have moved well beyond chatbots and search tools. A new generation of AI systems, known as agentic AI, can now take actions, make decisions, and move data around entirely on their own. For Irish and UK businesses, that raises serious GDPR questions that cannot be ignored.
So what exactly is agentic AI?
Think of it less like a tool and more like a digital assistant that works independently. You give it a goal, and it figures out how to achieve it, calling on other software, accessing external services, and making real-time decisions along the way. It can handle multi-step tasks without you directing every move. That makes it genuinely powerful. It also makes it genuinely risky from a data protection standpoint.
The transfer problem
GDPR has strict rules about sending personal data outside the EEA. The tools we currently rely on, Standard Contractual Clauses (SCCs), transfer impact assessments (TIAs) and Article 30 records of processing, all rest on one basic assumption: that your organisation knows where the data is going before it gets there.
Agentic AI breaks that assumption. These systems can route data through multiple APIs, cloud services, and model endpoints in different countries, all in real time, and all without asking you first. The same user query could be processed entirely within the EEA one day and partly in the US the next. Your compliance documentation stays static while the data flows become unpredictable.
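As an added illustration (not part of the original note, and not any vendor's product), the following is a minimal runtime gate that an orchestrator could place in front of every tool call an agent makes, so that "where does the data go" is decided and recorded per call rather than guessed at in a static document. The tool names, regions and sub-processor names are constructed, and treating the EEA and UK as destinations that need no transfer mechanism is an assumption of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumption for this example: destinations that need no transfer mechanism.
ALLOWED_REGIONS = {"EEA", "UK"}
# Assumption: payload keys treated as personal data categories.
PERSONAL_DATA_FIELDS = {"email", "name", "phone", "address"}

@dataclass(frozen=True)
class Tool:
    """One entry in the agent's tool registry (constructed, not a real vendor)."""
    name: str
    region: str
    sub_processor: str
    transfer_mechanism: Optional[str] = None  # e.g. "SCC" once a TIA is on file

class TransferDenied(Exception):
    pass

@dataclass
class ToolGate:
    """Wraps each tool call the orchestrator makes and keeps an Article 30-style record."""
    registry: dict
    records: list = field(default_factory=list)

    def call(self, tool_name: str, payload: dict) -> dict:
        tool = self.registry.get(tool_name)
        if tool is None:  # an undocumented destination is never an allowed one
            raise TransferDenied(f"{tool_name} is not in the tool registry")
        pd_fields = sorted(PERSONAL_DATA_FIELDS & set(payload))
        needs_mechanism = bool(pd_fields) and tool.region not in ALLOWED_REGIONS
        if needs_mechanism and tool.transfer_mechanism is None:
            self._record(tool, pd_fields, "denied")
            raise TransferDenied(f"{tool_name} ({tool.region}) has no transfer mechanism for {pd_fields}")
        self._record(tool, pd_fields, "allowed")
        return {"tool": tool.name, "region": tool.region, "fields_sent": pd_fields}

    def recipients_of(self, pd_field: str) -> set:
        """The SAR/erasure question: which sub-processors actually received this field?"""
        return {r["sub_processor"] for r in self.records
                if r["outcome"] == "allowed" and pd_field in r["fields"]}

    def _record(self, tool: Tool, pd_fields: list, outcome: str) -> None:
        self.records.append({
            "time": datetime.now(timezone.utc).isoformat(), "tool": tool.name,
            "region": tool.region, "sub_processor": tool.sub_processor,
            "mechanism": tool.transfer_mechanism, "fields": pd_fields, "outcome": outcome,
        })
```

The record list is what lets you answer a subject access or erasure request from fact rather than from the privacy notice: `recipients_of("email")` returns exactly the sub-processors that were actually sent that field.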
Individual rights become a headache
Beyond transfers, agentic AI makes it much harder to honour the rights your customers and staff have under GDPR. Consider:
Right to erasure (the 'right to be forgotten'): If a person asks you to delete their data, can you actually find all of it? Agentic systems can pass personal data into dozens of tools, logs, and sub-processors. Locating and deleting every instance may be practically impossible.
Subject Access Requests (SARs): You have one month to respond and tell someone what data you hold about them. If an AI agent has scattered that data across multiple third-party services in multiple countries, compiling a complete and accurate response becomes a serious operational challenge.
Right to rectification: Correcting inaccurate data is straightforward in a single database. In an agentic environment, where data may have been copied, transformed, or cached across multiple services, the same correction may need to be applied in several places simultaneously.
Transparency obligations: GDPR requires you to tell people where their data goes. If the honest answer is that your AI system decides that at runtime and you cannot predict it in advance, your privacy notice is already out of date.
Accountability across the supply chain
A typical agentic AI deployment might involve your own organisation, the AI model provider, an orchestration platform, several third-party tool providers, and one or more cloud vendors. Each of them may handle personal data. Each of them may influence where it ends up. Under GDPR, the question of who is the controller and who is the processor, and who is accountable when something goes wrong, becomes genuinely difficult to answer.
What should businesses do now?
Regulators, including the Irish DPC and the UK ICO, have not yet issued definitive guidance on agentic AI specifically. But the existing GDPR obligations apply now, regardless of the technology involved. Businesses deploying or considering agentic AI tools should be asking whether they can document where personal data goes, whether they can fulfil data subject rights in practice, and whether their contracts with AI vendors properly reflect data protection responsibilities.
This is a fast-moving area and the compliance landscape will continue to develop. The organisations that start asking the right questions now will be best placed when regulators do act.
Using AI tools in your business? We can help you assess your current AI-related data protection risks and put practical compliance measures in place. Get in touch with Privacy Path today for a free initial consultation.