AI Compliance

Do you know if you are fully AI compliant?

The AI Act has a hard deadline: 2 December 2027. Most SMEs using AI tools have no idea where they stand. This changes in 8 minutes.

_01
Provider vs Deployer classification
The classification that determines everything

_02
Annex III risk assessment
Is your sector automatically high-risk?

_03
GDPR Article 9 analysis
Special category data obligations

_04
AI Act Article 50 check
Transparency obligations from Aug 2026

_05
72-hour breach notification
Do you have the procedure in place?

United Kingdom (Registered and operating in the UK)

European Union (Operating in any EU member state)

EU customers, based outside EU

Other / Global only (no UK or EU connection)

Sole trader / freelancer (Just you)

Micro business (2–9 employees)

Small business (10–49 employees)

Medium business (50–249 employees)

Charity / non-profit

Public sector body

Yes — AI is part of products or services I sell (Clients interact with or are affected by the AI)

Yes — AI for internal use only (Admin, drafting — clients not directly affected)

Yes — both in products and internally

No AI tools used

Not sure

Im not certain what counts as AI

We built or trained an AI model ourselves (PROVIDER)

We fine-tuned or adapted an existing model (PROVIDER)

We integrated an AI API into our product (e.g. OpenAI, Gemini API — PROVIDER)

We built a custom GPT, Agent, or AI workflow and sell it (PROVIDER)

We sell a pre-built template with AI features (Provider or Distributor depending on AI materiality)

We resell an AI tool as-is to clients (Distributor / Deployer — Articles 24, 26 - DEPLOYER)

We use AI ourselves to deliver a service (Clients dont interact with AI — Deployer (Art. 26) - DEPLOYER)

End clients / patients interact directly (Mandatory AI disclosure required)
Only my staff use the AI (Clients affected by outputs but dont interact directly)
Other businesses who buy from us use it (Art. 26 obligations flow to them)
It runs fully automatically (GDPR Art. 22 if decisions affect people)

*Select one or more options

Yes — completed and documented

In progress

No — not started

We didnt know this was required

Yes — comprehensive Annex IV documentation

Partial documentation exists

No documentation

What is technical documentation?

Explicit consent — specifically for AI processing (Best practice for special category data)
General service consent (May be insufficient for health data)
Performance of contract (Must be genuinely necessary)
Legitimate interests (Invalid alone for special category)
Not sure
I havent considered this

*Select one or more options

Signed agreement with specific AI disclosure clause

Signed agreement — no AI mention

Digital form with checkbox — AI specifically mentioned

Digital form — no AI mention

No written record

No consent process

Yes — prominently disclosed with specific description

Mentioned in a privacy policy theyre directed to (May not meet clear and distinguishable standard)

Mentioned somewhere but not clearly

No — clients are not told AI is used (Critical gap from August 2026)

Not applicable — AI doesnt affect clients

Every AI output reviewed and approved by a human

Most reviewed — minor outputs automated

Some reviewed, others used directly

AI outputs generally used without review

AI makes decisions automatically — no human involved (GDPR Art. 22 applies)

AI doesnt affect client outcomes

No — confirmed none of our AI tools train on client data (Weve verified the terms)

No — but we havent checked the terms

Yes — clients are informed and have consented

Yes — but clients dont know

We dont know

Yes — DPAs in place, transfer mechanisms confirmed

DPAs with some but not all tools

No DPAs in place

I dont know what a DPA is

Yes — ICO registered (I have a registration number)

Yes — registered with EU national DPA (Both ICO and EU DPA registered)

No — not registered

Not sure if I need to register

Yes — comprehensive, up to date, mentions AI processing

Yes — comprehensive but predates AI use (Needs updating)

Something exists but its incomplete

No privacy notice exists

Yes — can respond within 30 days

Informal — wed manage it

No process

Weve received SARs and struggled

I agree to the terms of the Privacy Policy.

⚠

PARTIALLY COMPLIANT

Rebuild may be required before August 2026.

Access the Full Report

COMPLIANT

We believe you don't need to have a full rebuild, but we still encourage to speak to a professional

Access the Full Report