The GDPR and AI are often framed as opponents, as if doing one well means doing less of the other. In practice they pull in the same direction: both reward knowing exactly what data you hold, why you hold it, and what you do with it. If your data foundations are clean, compliant AI is largely a matter of applying principles you already accept. This guide is for eCommerce teams who want to use AI on customer data with confidence, written in plain terms rather than legalese. It is practical guidance, not legal advice; involve your DPO or counsel for anything material.
The principles that actually apply to AI
The GDPR is built on a handful of principles, and a few do most of the work when AI enters the picture.
- Lawfulness, fairness and transparency. You need a valid legal basis for each use of personal data, and customers should not be surprised by how their data is used.
- Purpose limitation. Data collected for one purpose cannot be freely repurposed. The order history a customer gave you to fulfil purchases is not automatically yours to train any model you like.
- Data minimisation. Use the least personal data needed for the job. AI teams instinctively want everything; the GDPR asks you to justify each field.
- Accuracy and storage limitation. Keep data correct and do not hoard it indefinitely.
- Integrity and confidentiality. Secure the data, including wherever it flows to a model or vendor.
None of this prohibits AI. It shapes how you do it responsibly, which is why privacy belongs inside your AI strategy from the start rather than as a late compliance gate.
Choosing a legal basis
For most retail AI, two legal bases matter: legitimate interests and consent.
Legitimate interests can cover uses a customer would reasonably expect, such as recommending relevant products or improving site search. To rely on it, run and document a legitimate interests assessment: state the interest, show the processing is necessary, and balance it against the customer’s rights. If the use is intrusive or unexpected, the balance tips against you.
Consent is required where the law demands it, notably for most marketing and for cookies and tracking under the ePrivacy rules. Consent must be freely given, specific, informed and as easy to withdraw as to give. Pre-ticked boxes and bundled consent do not count.
A practical rule of thumb: if a feature helps the customer get what they came for, legitimate interests is often defensible. If it primarily helps you market to or profile them, lean towards consent.
Personalisation, profiling and automated decisions
Personalisation is where most eCommerce AI lives, and where the GDPR has specific things to say.
Profiling
Building a behavioural profile to drive personalised recommendations is profiling under the GDPR. It is permitted, but it must be transparent and have a lawful basis. Tell customers you personalise, in language they can understand, and give them a way to object.
Automated decision-making
Article 22 restricts decisions made solely by automated means that produce legal or similarly significant effects. Recommending a product is fine; using AI alone to deny someone a refund or refuse service could fall foul of it. The usual safeguards are meaningful human involvement, the ability to contest the decision, and clear information about the logic. Keep a human in the loop for anything consequential and you stay well clear of the line.
Sending data to AI vendors and APIs
The moment customer data leaves your systems for a third-party model or tool, several obligations switch on.
- Data processing agreement. Any vendor processing personal data on your behalf needs a GDPR-compliant DPA. No DPA, no sending personal data. Make this a hard requirement when choosing an AI vendor.
- International transfers. If the vendor processes data outside the EEA, you need a valid transfer mechanism such as Standard Contractual Clauses, and increasingly an EU data residency option.
- Training on your data. Check whether the vendor trains its models on what you send. For customer data, you generally want this switched off, and most serious vendors offer that.
- Sub-processors. Know who sits behind your vendor and ensure the chain is covered.
A simple safeguard worth adopting: minimise or pseudonymise before data leaves. A support assistant rarely needs a customer’s full name and address to answer a question; an order reference often suffices.
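One way to apply that safeguard in code, as an added example that is not from the original article: build the vendor payload from an allowlist of order fields, replace the customer id with a keyed pseudonym, and redact direct identifiers from the free-text question before anything leaves your systems. The field names, the allowlist, the sample record and the key are assumptions.

```python
import hashlib
import hmac
import re
from typing import Any

# Constructed key for the keyed pseudonym; in practice load it from a secrets store
# and keep it out of the vendor's reach, otherwise the token is trivially reversible.
PSEUDONYM_KEY = b"example-key-rotate-me"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

# Assumed set of fields a support assistant actually needs; everything else is dropped.
ALLOWED_FIELDS = {"order_reference", "order_status", "order_date", "delivery_eta"}


def pseudonymise_customer_id(customer_id: str) -> str:
    """Keyed hash so the vendor sees a stable token rather than the real customer id."""
    digest = hmac.new(PSEUDONYM_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"cust_{digest[:16]}"


def redact_free_text(text: str) -> str:
    """Strip e-mail addresses and phone numbers customers often paste into a message."""
    text = EMAIL_RE.sub("[email redacted]", text)
    return PHONE_RE.sub("[phone redacted]", text)


def build_vendor_payload(record: dict[str, Any], question: str) -> dict[str, Any]:
    """Minimised payload for a third-party support assistant: allowlisted fields only."""
    payload = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    payload["customer_token"] = pseudonymise_customer_id(str(record["customer_id"]))
    payload["question"] = redact_free_text(question)
    return payload


if __name__ == "__main__":
    # Constructed sample record; name and address never reach the vendor.
    record = {
        "customer_id": "C12345", "name": "Jane Doe", "address": "1 High St, London",
        "order_reference": "ORD-10042", "order_status": "dispatched", "delivery_eta": "2 days",
    }
    print(build_vendor_payload(record, "Where is my parcel? Call me on 020 7946 0958"))
```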
Honouring data subject rights
AI does not exempt you from the rights customers already have, and it can complicate them.
- Access and portability. If a customer asks what data you hold, that includes profiles and derived attributes, not just the raw fields they gave you.
- Erasure. When someone exercises the right to be forgotten, their data must come out of the systems that feed your models too, not just the primary database.
- Objection. Customers can object to profiling for marketing. You need a working switch, not a promise.
This is far easier when you have a clean, unified customer data model rather than personal data scattered across tools nobody fully maps. Strong data foundations turn rights requests from a fire drill into a routine task.
A practical compliance checklist
Before launching an AI feature that touches personal data, confirm:
- The purpose is defined and the legal basis chosen and documented.
- Only necessary data is used, minimised or pseudonymised where possible.
- Any vendor has a DPA, a valid transfer mechanism, and does not train on your data without permission.
- Your privacy notice describes the processing in plain language.
- A Data Protection Impact Assessment is done where the processing is high risk, such as large-scale profiling.
- Data subject rights can be honoured, including erasure from model inputs.
- A human reviews any significant automated decision.
Common pitfalls
- Quietly repurposing data. Using purchase history collected for fulfilment to train a marketing model, without a basis or notice. This breaches purpose limitation and is a frequent regulator complaint.
- Pasting customer data into public tools. Staff using consumer AI tools for convenience, sending personal data to services with no DPA. Address it with a sanctioned alternative, not just a ban.
- Treating consent as a one-off. Consent can be withdrawn, and your systems must respect that promptly.
- Forgetting the model inputs on erasure. Deleting the database record but leaving copies in vendor logs or training sets.
Getting it right without slowing down
Compliance and growth are not a trade-off here. The discipline the GDPR asks for, knowing your data and using it deliberately, is the same discipline that makes AI projects succeed. Teams with messy data struggle on both fronts; teams with clean foundations move quickly and stay safe.
If you want help mapping your data flows, picking defensible legal bases, or building privacy into your AI roadmap from the outset, get in touch and we will help you do it properly without grinding your initiatives to a halt.