Data, privacy & cybersecurity partner Rohan Massey has authored a checklist for LexisNexis for buyers carrying out data protection due diligence as part of a share or asset acquisition of a business that processes personal data through its use, development, or supply of generative AI systems. GenAI systems typically depend on large volumes of data, including personal data, to train and develop their models, which can present substantial compliance challenges under the UK GDPR – particularly around lawful basis, purpose limitation, data minimisation, and AI-specific security risks.
The checklist sets out a structured approach to evaluating a target's UK GDPR compliance across the GenAI lifecycle, covering proprietary and third-party licensed AI systems, cross-border data transfers, contractual arrangements with AI providers, and breach and incident response. It focuses on UK data protection law, though practitioners should also be mindful of the EU AI Act, and is intended to be used alongside due diligence enquiries in other areas including general corporate, intellectual property, information technology, and HR.
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.
