Ensure GDPR Compliance for AI products with Confidence: a quick guide for product managers and business owners.

Sven Jungmann, 13 slides, Jun 26, 2024

About This Presentation

This deck covers essential questions to prepare for a legal consultation on GDPR compliance, to reduce the stress and costs associated with it through better preparation. It's no substitute for legal advice, but should help you clarify your thinking ahead of a consultation for your new data-dri...


Slide Content

THETA DX

A prep sheet for quick and cost-effective legal meetings,
designed specifically for product managers and business
owners developing new AI products.

www.thetadx.ai

Introduction

Save time, money and worry with this guide!

Navigating GDPR compliance can be daunting, especially for product managers and business owners developing AI products in highly regulated industries. Based on our hands-on experience working with dozens of innovators, we understand the challenges faced by those in the medtech world and other regulated spaces.

The shift to data-driven business models can often feel overwhelming, with the complexities of GDPR adding to the stress. This guide is designed to help you better prepare for legal consultations, ensuring you make the most of your time with legal experts. By following this prep sheet, you can streamline your preparation process, reduce consultation costs, and approach your legal meetings with confidence. Our goal is to alleviate the anxiety associated with GDPR compliance, and provide you with the knowledge and tools to secure the right legal advice.

About Theta

At Theta, we specialize in transforming data into actionable insights through our expertise in evidence-based medicine, machine learning, physics, medical devices, regulatory affairs, digital strategy, and software development.

Our team combines deep industry knowledge with cutting-edge technology to deliver innovative solutions that meet the demands of regulated environments.

We understand the common challenges our clients face, particularly when it comes to integrating AI and navigating complex regulations. Our goal is to ease these challenges by providing valuable resources that save time, reduce costs, and minimize stress.

This guide is one of the many ways we support our customers to ensure they can confidently advance their data-driven business models.

For feedback or inquiries, please contact Dr Sven Jungmann (photo); you can click on the underscored name or use the QR code to get there.

What you get out of this

This guide is designed to help you efficiently prepare for legal consultations on GDPR compliance for your AI and cloud integration projects. By following the structured sections, you will be better able to achieve the four goals outlined in the boxes to the right of this text.

Remember, this guide is no substitute for professional legal advice, but a tool to help you reduce the stress associated with GDPR compliance. By preparing thoroughly, you can move forward with your data-driven initiatives with confidence.

Understand key GDPR concepts

Become familiar with the key a…

Identify areas of focus

Use the guide to identify specific areas where you may need legal clarification or further advice. This targeted approach will help streamline your consultation.

Organize Your Information

Gather and document your current data practices, policies, and actions. This will provide a clear overview for your legal counsel, and ensure that the most necessary information is readily available.

Prepare questions and documentation

Develop a list of questions and gather relevant documentation, such as data processing agreements and consent forms, to bring to your meeting. Being well prepared will maximize the effectiveness of your legal consultation.

How to use this guide

This guide prepares you for a consultation regarding GDPR compliance for your sensor-driven AI and cloud integration projects. By following these steps, you'll be well prepared for your legal consultation, allowing you to approach GDPR compliance with confidence and clarity:

1—Context of AI product

Summarize your AI product using the questions provided to describe its intended use. This helps your attorney understand the broader context and implications.

2—Data practices

Use our questions to outline your data collection and processing practices, distinguishing between operational data and ground truth data. This clarifies data needs and highlights any sensitive information.

3—Consent & transparency

Think through your approach to obtaining informed consent and maintaining transparency. This helps meet regulatory requirements and build trust with users.

4—Data security & privacy

Evaluate your current security protocols and data breach plans, if you already have them. This helps identify areas for improvement.

5—Data subject rights

Prepare processes for handling data access, correction, and deletion requests. This will streamline your response to data subject requests and strengthen compliance.

6—Cloud & third-party compliance

Ensure that your cloud providers and third-party vendors are compliant with GDPR standards. This will mitigate risks associated with outsourcing and data transfers.

7—Accountability & governance

If you have one, document your governance framework, including the potential role of a data protection officer. If you don't have one, read up on it and seek external consultation.

8—Preparation for legal counsel

Compile your findings, documentation, and specific questions into a briefing document. This structured preparation will maximize the efficiency of your legal consultation.

9—Post-consultation

Use the insights gained from your legal consultation to refine your data strategy to ensure it is robust, compliant, and capable of supporting your business objectives.

Summarize your AI product

Understanding the broader context of what you are doing is important for the lawyer, not only because it helps them understand the implications for data use, but also because it may alert you to other legal issues that you may not have considered. If you already have a formal description of the intended use, it is best to provide it; otherwise, a clear description will suffice.

What is the intended use of your AI product?

Describe the primary purpose of your AI product. For example, "Our AI product is designed to analyze data from implantable defibrillators to predict shockable and non-shockable events to alert healthcare…"

Who are the intended users?

Identify who will use your AI product. For example, "Emergency medical services, clinic-based cardiologists, patients, and their caregivers."

What is the intended use environment?

Specify where the AI product will be used. For example, "The primary use is remote patient monitoring, whereby the physicians are not in the same location as their patients."

What is the AI product not intended for?

Clarify any exclusions. For example, "Not intended for patients at high risk of acute coronary syndrome."

Understand your data

It's important to be clear about what kind of data you have and how you intend to collect it. From a legal perspective, understanding why certain data is needed and how sensitive each data type is, is especially important. Here's what you should have clear before seeking legal counsel.

Operational data (data inputs)

+ What data inputs does your AI product need to make a prediction? What is nice to have, but not essential?

Make clear which data could be used to identify a person, which data is particularly sensitive, and which data is automatically collected versus manually reported by a human.

Ground truth data

Ground truth data is essential for training your AI models to ensure accurate predictions. It typically includes verified, real-world data that your model can learn from. Key questions:

+ What data do you need to train your algorithm?

+ Are you reusing existing data or collecting new data prospectively?

+ Do you intend to reuse data originally collected for other purposes?

General questions

+ Is the data you collect limited to what is necessary for your purpose? Can any data be eliminated or made less sensitive?

+ Do you have a clear legal basis for processing each type of data (e.g. consent, legal obligation, legitimate interest)?

Critical GDPR Elements: Consent, Security & Rights

GDPR compliance requires a strategic approach to informed consent, data security, and data subject rights. By addressing these areas, you will improve data privacy, foster user trust, and streamline compliance processes.

Informed Consent and Transparency

Consent must be freely given, specific, informed (understandable and complete), unambiguous & documented; for special-category data such as health data it must also be explicit.
Questions:

+ How do you plan to obtain consent to use data in AI training?

+ How will you inform individuals about data use?

+ What do you do to make your communications …?

Data Security and Privacy Measures

Questions:
+ What technical & organizational measures are in place to protect data?
+ Are there regular security audits & updates?
+ How do you plan for detecting, reporting & responding to data breaches? (GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a reportable breach.)
+ What are your policies for data retention & deletion?

Data Subject Rights

Questions:

+ How do you handle requests for access, rectification & erasure?
+ How will you ensure that individuals can easily exercise their data rights through your systems?

Understand your data

Effective GDPR compliance extends beyond internal data practices to include cloud integration, third-party and vendor management. By ensuring your cloud providers are compliant, establishing strong governance frameworks, and managing vendor and employee compliance, you can safeguard your data and maintain regulatory adherence.

Cloud integration & third-party compliance

+ How do you ensure your cloud providers are GDPR compliant?

+ Do you have data processing agreements in place with your cloud providers?

+ What mechanisms do you use for international data transfers, if necessary (e.g. an adequacy decision or Standard Contractual Clauses)?

+ Are you aware of data storage locations and their GDPR compliance?

Accountability & governance

+ Is a Data Protection Officer (DPO) required for your organization?

+ Who is your DPO and what are his/her responsibilities?

+ Do you keep records of all data processing activities?

+ Have you conducted Data Protection Impact Assessments (DPIAs) for high-risk processing activities?

+ How often do you review and audit your privacy practices?

Supplier & employee management

+ How do you verify that third-party vendors are GDPR compliant?

+ Do you have contracts that include GDPR compliance requirements?

+ What training programs do you have in place for GDPR compliance?

+ How do you ensure ongoing awareness and compliance with data protection practices?

+ How do you keep policies up to date with regulatory changes and technological advances?

Before the meeting with your legal counsel

In general, it is helpful to do the following before meeting with the attorney:

Document your current practices

Create a detailed report of your current data handling practices, policies and procedures.

Gather necessary documentation

Make sure you have all relevant documents, such as data processing agreements, consent forms, and DPIA reports, ready for review.

List your questions and concerns

Prepare specific questions about areas where you are unsure or need legal clarification.

Define your objectives

Clearly outline what you want to accomplish in the meeting, such as validating your compliance or addressing specific issues.

Use our free
briefing template

To save you time in compiling everything, we prepared
a template for you that you can simply copy and adjust
to your needs. Just click on the link here or on the

image to the right.

Ready to build
transformative
data products?

We're hyperfocused on turning data into actionable insights where the stakes are high. Our heritage in medical technology has honed our AI technology and expertise within the tight constraints of highly regulated use scenarios. Reach out to us if we can help you navigate these complexities and create groundbreaking data-driven solutions.

Dr Sven Jungmann

… solving complex challenges … in automotive and maritime sensing systems.

Contact Us

800 West Campbell Road
Richardson, Texas 75080
United States

www.thetadx.ai
www.linkedin.com/company/theta-tech/