Privacy laws don't ban AI in customer service, but they require the company to know exactly where personal data enters, gets processed and stored. When the conversational agent handles ID, address, health or financial data, the bar goes up.
Minimum checklist
- Defined legal basis for each type of processing (contract execution, legitimate interest, consent).
- Automatic masking of sensitive data in logs and prompts.
- Clear retention policy: how long the conversation is stored and who can access.
- Per-conversation audit trail: who (human or AI) said what, when and based on which source.
- Vendor contracts explicitly stating that data is not used for training.
- Functional channel for data subjects to exercise rights (access, correction, deletion, portability).
The most common blind spot
Knowledge bases. Many companies dump internal PDFs with customer data into a vector store without realizing that's now personal data processing. Before uploading a document for the agent to consult, run it through the same privacy review you'd apply to publishing on your website.
“Privacy by design isn't compliance — it's competitive advantage. A customer well treated, in every sense, comes back.”
