Cut the DPIA cycle from 8 weeks to 2 weeks
Headline outcome
an international edutech operator · Education technology · 2023
AI data protection for an edutech operator
Context
An international edutech operator had deployed AI-assisted learning tools used by students and instructors across multiple jurisdictions. The platform processed personal data including learning outcomes, behavioural patterns, and, for some user cohorts, data on minors. The operator served customers in both the EU and the UK, meaning UK GDPR and EU GDPR applied simultaneously.
The head of audit flagged the AI programme after a routine review found no consistent lawful basis documented for any of the AI processing activities, no DPIAs on record, and no retrieval authorisation controls on the RAG index the personalisation engine used. The data-protection risk was real and getting larger as the AI feature set expanded. We were engaged to redesign the control layer and integrate data-protection gating into the AI approval lifecycle.
Risk
- RAG over-retrieval exposing regulated data. The personalisation engine retrieved documents from a shared index using broad service credentials. A student could receive grounding content from another learner’s records. The retrieval layer had no per-user entitlement enforcement.
- No lawful basis for training repurposing. Learning-interaction data collected under a contract lawful basis had been used to fine-tune a recommendation model. The purpose-limitation principle under Article 5(1)(b) of both UK and EU GDPR had not been assessed for that repurposing.
- DPIA obligation unmet for high-risk processing. The profiling-based adaptive assessment system met the Article 35 trigger: it used automated processing to evaluate personal aspects of learners on which progression decisions were based, at scale. No DPIA had been conducted.
Engagement
We scoped the engagement in two phases. The first phase redesigned the data-protection control layer against the exfiltration paths the system had open. The second phase integrated DPIA gating into the operator’s AI approval lifecycle so future deployments could not repeat the pattern.
- Minimisation and retrieval authorisation. We restructured the RAG index into sensitivity-partitioned sub-indexes, each aligned to a user entitlement tier. Retrieval now enforced the requesting principal’s entitlements at query time, using the same access model that governed direct record access. Personal identifiers were pseudonymised into consistent surrogates before reaching the model layer, preserving conversational continuity without exposing direct identifiers.
- Lawful basis and purpose-limitation audit. We mapped each AI processing activity to a documented lawful basis under Article 6 of UK and EU GDPR. Where training repurposing could not be defended as compatible with the original collection purpose, we recommended either a fresh lawful basis with separate consent capture or removal of the repurposed dataset from the training corpus. We documented the analysis as a data-governance record the DPO could maintain.
- DPIA lifecycle integration. We drafted a DPIA template calibrated to AI flows and wired the DPIA trigger into gate two of the AI approval lifecycle, running before design freeze and tied to the three-factor risk tier. High-risk processing (profiling at scale, processing of minors’ data, automated decisions with significant effect) required DPIA completion as a hard gate before any architecture sign-off. We also flagged the UK-specific position: UK GDPR Article 22 had been replaced by Section 4A under the Data (Use and Access) Act 2025 (in force 5 February 2026), and the operator’s solely automated significant decision logic for progression assessments needed review against the amended UK text, not the retained EU Article 22.
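As an added illustration of the retrieval-authorisation bullet above (example code written for this write-up, not the operator's system): a sensitivity-partitioned index in which every document is checked against the requesting principal's entitlements at query time, and the record subject's identifier is replaced by a keyed, consistent surrogate before any text reaches the model layer. The tier names, the sample corpus and the pseudonymisation key are all constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Sensitivity tiers, lowest to highest (assumed names for the demo).
TIERS = ("public", "cohort", "learner_private")

@dataclass(frozen=True)
class Document:
    doc_id: str
    tier: str
    subject: str   # learner the record is about; "" for non-personal content
    text: str

@dataclass(frozen=True)
class Principal:
    user_id: str
    max_tier: str  # highest tier this principal may read at all

# Constructed sample corpus, already split into one sub-index per tier.
SUB_INDEXES = {
    "public": [Document("d1", "public", "", "Fractions module: numerator and denominator")],
    "cohort": [Document("d2", "cohort", "", "Cohort 7 fractions quiz average was 64 percent")],
    "learner_private": [
        Document("d3", "learner_private", "stu-42", "stu-42 struggled with fractions; flagged for review"),
        Document("d4", "learner_private", "stu-99", "stu-99 mastered fractions early"),
    ],
}

PSEUDO_KEY = b"constructed-demo-key"  # constructed; a managed secret in practice

def pseudonymise(identifier: str) -> str:
    """Consistent surrogate: same learner id gives the same token on every call."""
    return "learner_" + hmac.new(PSEUDO_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:10]

def authorised(principal: Principal, doc: Document) -> bool:
    """Per-document entitlement check, evaluated for each candidate at query time."""
    if TIERS.index(doc.tier) > TIERS.index(principal.max_tier):
        return False
    if doc.tier == "learner_private":
        return doc.subject == principal.user_id   # only the record's own subject may retrieve it
    return True

def retrieve(principal: Principal, query: str, k: int = 3) -> list[str]:
    """Search only reachable sub-indexes, drop unauthorised documents before ranking, then pseudonymise."""
    reachable = TIERS[: TIERS.index(principal.max_tier) + 1]
    terms = set(query.lower().split())
    hits = [(sum(t in d.text.lower() for t in terms), d)
            for tier in reachable for d in SUB_INDEXES[tier] if authorised(principal, d)]
    hits = sorted((h for h in hits if h[0] > 0), key=lambda h: -h[0])[:k]
    return [d.text.replace(d.subject, pseudonymise(d.subject)) if d.subject else d.text for _, d in hits]
```

The unauthorised-by-subject check runs before scoring, so another learner's private record can never rank, and the surrogate keeps the same learner recognisable across turns without exposing the direct identifier.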
Outcome
- The DPIA cycle for new AI features fell from an average of 8 weeks to under 2 weeks, because the template and trigger criteria were clear and the evidence was generated as part of the existing approval lifecycle.
- Retrieval authorisation controls were in place across all three RAG indexes within six weeks, closing the over-retrieval path that had allowed cross-learner data surfacing.
- All active AI processing activities had a documented lawful basis within ten weeks of engagement start, covering both UK and EU GDPR simultaneously.
- The first post-engagement DPIA, for a new adaptive assessment feature, was completed by the internal team without external support, using the template and gates we had put in place.
We went from having no formal data-protection record for our AI programme to having a governance layer the DPO and the board could read. The DPIA gate was the change that mattered most.