Lesson 5 of 5 · 7 min read

Data Governance for AI Projects 🔧

The EU AI Act entered into force in August 2024, and its first obligations, the bans on prohibited practices, have applied since February 2025; the duties to register, document and monitor high-risk AI systems follow in stages through 2026 and 2027. Violations of the prohibitions can be fined with up to 35 million euros or 7% of global annual turnover, whichever is higher. But governance is more than compliance: it is the foundation for trustworthy, scalable AI in everyday work, and understanding what this means for you makes you a competent AI user.


🎯 What You'll Learn

  • How to understand and apply the EU AI Act risk classification
  • How to confidently implement GDPR requirements in AI projects
  • What an AI register is and why it matters
  • How to implement a practical governance framework

EU AI Act — Risk Classification 🇪🇺

📖 Definition: The EU AI Act is the world's first comprehensive, risk-based AI regulation. It classifies AI systems by their risk potential and sets different requirements for each level; the obligations fall on providers (who build or place the system on the market) and deployers (who use it under their own responsibility).

Risk level | Examples | Obligations | Applies from
🚫 Prohibited | Social scoring, manipulative or exploitative techniques, real-time remote biometric identification in public spaces (narrow law-enforcement exceptions) | Use prohibited | Since Feb 2025
🔴 High-risk | Recruiting AI, credit scoring, medical diagnostics | Registration in the EU database, conformity assessment, human oversight, bias and performance monitoring | Aug 2026 (systems embedded in regulated products: Aug 2027)
🟡 Limited risk | Chatbots, AI-generated content | Transparency obligations (disclose the AI interaction, label generated content) | Aug 2026
🟢 Minimal risk | Spam filters, recommendation systems | No special obligations | n/a

⚠️ Caution: Even if your AI deployment currently qualifies as "minimal risk", the classification can change as soon as you expand the scope of application. The risk class follows the use, not the product: the same chatbot that answers office questions becomes a high-risk system the moment it is used to pre-screen job applicants. Plan governance from the start.


GDPR and AI — What You Need to Know 🔒

The General Data Protection Regulation applies in full whenever an AI project touches personal data, and its principles translate into concrete requirements:

  • 🎯 Purpose limitation: Data may only be processed for the defined purpose — "let's see what the AI finds" is not permitted
  • 📉 Data minimization: Only pass the data to AI that is necessary for the specific purpose — not the entire customer database
  • 🔍 Transparency: Affected persons must be informed when their data is processed by AI
  • 🗑️ Right to erasure (right to be forgotten): Applies to AI systems too. Data must be deletable upon request, and that includes copies in prompts, logs, fine-tuning sets and vector indexes. Decide before training how you will honour a deletion request, because removing one person's data from an already trained model is hard.
  • 🤖 Automated decisions (Art. 22): Decisions based solely on automated processing that have legal or similarly significant effects on a person are only allowed in limited cases, and the person has the right to human intervention, to express their point of view and to contest the decision

💡 Tip: Involve your Data Protection Officer early in AI projects — not just before launch. This saves delays and rework.


Building an AI Register 📋

The EU AI Act requires high-risk systems to be registered in the EU database before they are placed on the market or put into use (by the provider, and by deployers that are public authorities). An internal AI register that covers all of your systems, not just the high-risk ones, is the practical way to meet that duty and a best practice in its own right:

What belongs in the AI register?

Field | Description | Example
📌 System name | Unique identifier | "AI Recruiting Screening v2.1"
🎯 Purpose | What is the system used for? | Pre-screening job applications
⚖️ Risk class | Classification per EU AI Act | High-risk
📊 Data sources | What data is processed? | Applications, LinkedIn profiles
👤 Responsible person | Who is accountable? | Head of HR + AI Officer
🔄 Monitoring | How is it monitored? | Quarterly bias audits, monthly accuracy reports
📅 Last review | When was it last reviewed? | 2026-01-15

🏢 Real-world example: An insurance group introduced a central AI register for its 47 AI systems. The effort was 3 person-months. In return, the company was able to provide all information within 48 hours when the first regulatory inquiry arrived — instead of the otherwise typical weeks.


Data Lifecycle Management for AI 🔄

Data in AI projects goes through a lifecycle that must be actively managed:

1. Collection 📥: Only collect relevant data with a clear, documented purpose
2. Storage 💾: Encrypted at rest, access-protected, preferably hosted in the EU/EEA
3. Processing ⚙️: Documented, traceable, with an audit trail of who did what to which data
4. AI usage 🤖: Under defined policies, with logging of prompts, inputs and outputs
5. Archival 📦: Transfer to a secure archive after usage ends, with a fixed retention period
6. Deletion 🗑️: Timely, verifiable deletion, including copies in logs, backups and indexes

🔑 Remember: The lifecycle must be documented for every AI project. Ask yourself at each phase: Who has access? How long is data stored? What happens in case of a data breach?


Governance Framework — Your Checklist ✅

A practical governance framework for immediate deployment:

Organizational:

  • 👤 Appoint an AI responsible person (not the IT manager "on the side")
  • 📋 Create and communicate an AI usage policy
  • 👥 Train employees on AI compliance
  • 🤝 Involve Data Protection Officer in AI projects

Technical:

  • 🗄️ Conduct data classification (public / internal / confidential / strictly confidential)
  • 📊 Create and maintain an AI register
  • 🔄 Implement monitoring processes (bias, accuracy, drift)
  • 🔒 Set up access controls and audit logs
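The "bias" item in the monitoring bullet above, and the "quarterly bias audits" named in the register example, are usually implemented as a recurring selection-rate comparison over the system's decision log. The following is an added example of such a check, written for this page and not taken from the course or from any product: the screening log is constructed, and both the 0.8 threshold (the "four-fifths" heuristic from employment testing) and the five-applicant minimum per group are assumptions the audit owner would have to set deliberately.

```python
"""Selection-rate (adverse impact) check over a pre-screening system's log."""
from collections import defaultdict


def _rows(group, passed, failed):
    """Build constructed log rows: one dict per applicant."""
    return ([{"group": group, "passed": True} for _ in range(passed)]
            + [{"group": group, "passed": False} for _ in range(failed)])


# Constructed sample data (not real applicants). The group label is the
# attribute the audit is defined over; it is recorded beside the decision,
# not fed to the model, so the audit does not require giving the model
# access to it.
SCREENING_LOG = _rows("A", 6, 4) + _rows("B", 4, 6) + _rows("C", 1, 2)


def selection_rates(rows, group_key="group", outcome_key="passed"):
    """Return {group: (passed, total, rate)} from the decision log."""
    counts = defaultdict(lambda: [0, 0])
    for row in rows:
        counts[row[group_key]][1] += 1
        if row[outcome_key]:
            counts[row[group_key]][0] += 1
    return {g: (p, t, p / t) for g, (p, t) in counts.items()}


def adverse_impact(rates, threshold=0.8, min_group_size=5):
    """Compare each group's selection rate with the best-performing group.

    threshold=0.8 is the four-fifths heuristic; it is an assumption for this
    example, the AI Act does not fix a number. Groups smaller than
    min_group_size are reported but not flagged, because a ratio computed
    from two or three people is noise, not evidence.
    Returns {group: (ratio, status)}, status in {"ok", "flag",
    "insufficient data"}.
    """
    eligible = {g: rate for g, (_, t, rate) in rates.items()
                if t >= min_group_size}
    if not eligible:
        return {g: (None, "insufficient data") for g in rates}
    best = max(eligible.values())
    result = {}
    for g, (_, total, rate) in rates.items():
        if total < min_group_size:
            result[g] = (None, "insufficient data")
            continue
        ratio = rate / best if best > 0 else 0.0
        result[g] = (round(ratio, 3), "flag" if ratio < threshold else "ok")
    return result


def bias_audit(rows, threshold=0.8, min_group_size=5):
    """Produce report lines plus an overall flag for the register entry."""
    rates = selection_rates(rows)
    impact = adverse_impact(rates, threshold, min_group_size)
    lines = []
    for g in sorted(rates):
        passed, total, rate = rates[g]
        ratio, status = impact[g]
        ratio_txt = "n/a" if ratio is None else f"{ratio:.2f}"
        lines.append(f"group {g}: {passed}/{total} passed ({rate:.0%}), "
                     f"ratio {ratio_txt}, {status}")
    failed = any(status == "flag" for _, status in impact.values())
    return lines, failed


if __name__ == "__main__":
    report, failed = bias_audit(SCREENING_LOG)
    print("\n".join(report))
    print("AUDIT FLAGGED: investigate before the next review" if failed
          else "AUDIT OK")
```

Run quarterly over the real decision log, the report lines and the flag are what goes into the register's "Monitoring" and "Last review" fields; a flagged group is a trigger for the responsible person to investigate, not a verdict on its own.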

Operational:

  • 📝 Define an approval process for new AI use cases
  • 🏷️ Label AI-generated content (internally and externally)
  • 📅 Establish regular review cycles (at least quarterly)
  • 🚨 Create an incident response plan for AI failures

💡 Tip: Do not start with the perfect framework — start with the first three items in each category and expand gradually. Governance is a journey, not a destination.


📋 Summary

  • The EU AI Act classifies AI systems into four risk levels with increasing requirements
  • GDPR principles (purpose limitation, data minimization, transparency) fully apply to AI projects
  • An AI register and documented data lifecycle management are the cornerstones of any AI governance

🎯 Exercise: Create an overview of all AI tools you use in your daily work (even if it is "just" ChatGPT in the browser). Rate each tool according to the EU AI Act risk category.


Congratulations! You have completed the "Data & AI" course. You now understand the fundamentals of data quality, know the risks of bias and hallucinations, and have a framework for responsible AI governance.