Written by: Haim Ravia, Dotan Hammer
The European Data Protection Supervisor (EDPS) published “Guidance for Risk Management of Artificial Intelligence Systems” in respect of EU institutions, bodies, and agencies subject to the version of the GDPR that applies to EU bodies (“EUDPR”).
The guidance aims to help EU institutions acting as controllers to identify and reduce specific data protection risks under the EUDPR. It focuses on risks related to fairness, accuracy, data minimization, security, and data subject rights. These are areas where technical mitigation measures may be required and should be integrated from the earliest design phase and throughout the lifecycle of the system. It recommends that, where an AI deployment could pose a high risk to the rights and freedoms of data subjects, a Data Protection Impact Assessment (DPIA) should be carried out.
The guidance further underlines that algorithmic decision-making, model training, output monitoring, logging, human-in-the-loop controls, and vendor management are all subjects of supervisory interest. From a compliance standpoint, organizations deploying AI must ensure that their documentation (including the model inventory, training dataset registries, vendor audits, and output monitoring) aligns with the EDPS's expectations.
The publication signals that privacy and risk management will be embedded into AI governance frameworks rather than treated as an after-the-fact checklist. Entities operating in other sectors may treat this as a benchmark of regulatory thinking within the EU, even though the EDPS guidance is formally limited to EU institutional actors.