0Pricing
AI Agents · Lesson

Regulatory Compliance: GDPR and SOC2

Data minimization, consent tracking, and access control for compliant agents.

Why Regulations Apply to AI Agents

AI agents process user data, make decisions, and take actions. This puts them directly in scope for data protection regulations (GDPR) and security frameworks (SOC 2).

Compliance is not optional — violations carry fines up to 4% of global annual revenue under GDPR.

GDPR: Data Minimization

GDPR's data minimization principle requires collecting only the personal data strictly necessary for the stated purpose. An agent should not store full conversation transcripts if only the outcome (resolved/unresolved) is needed for analytics.

def minimized_log_entry(conversation: list[dict], user_id: str) -> dict:
    '''Store only what is needed — not the full transcript.'''
    return {
        'user_id':       user_id,
        'timestamp':     conversation[-1].get('timestamp'),
        'turns':         len(conversation),
        'resolved':      conversation[-1].get('resolved', False),
        'intent':        conversation[-1].get('intent'),
        'satisfaction':  conversation[-1].get('csat_score'),
        # NOT stored: full message text, PII mentioned in conversation
    }

# WRONG — stores raw messages which may contain PII
# {'messages': conversation, 'user_id': user_id}

All lessons in this course

  1. Immutable Action Logging for Agents
  2. Policy Enforcement for Agent Actions
  3. Regulatory Compliance: GDPR and SOC2
  4. Human-in-the-Loop Approval Gates
← Back to AI Agents