Skip to content
Thrivbe
← All experiments
LiveStarted July 1, 2026Updated July 11, 2026

Can an AI be its own data-protection officer?

GDPR Counsel Agent

  • Claude
  • EU GDPR / Personopplysningsloven

Relevant services: AI Digital Teammates · Thrivbe AI

Hypothesis

An AI-native company processes personal data through pipelines no traditional DPO could review fast enough. A standing counsel agent — versed in GDPR and Norwegian data-protection law, invoked before anything sensitive ships — should catch real compliance problems at development speed.

What we built

An internal counsel agent that reviews our own systems: AI processing chains, recordings, communications, sub-processor lists, and data-subject-rights handling. It's wired into our workflow — new pipelines that touch personal data get a counsel pass before going live, and its findings are tracked like any other engineering work.

Learnings

  • It found a real one: tool results containing third-party personal data were being sent onward to free LLM relays that train on prompts. That finding drove an architectural change — sensitive workloads now pin to verified no-train models.
  • The counsel is most useful during design, not after: "where does this data flow, and under what basis?" asked early is cheap; asked late it's a rebuild.
  • An AI reviewing AI systems isn't a conflict of interest if its findings are binding — ours block launches until addressed.

Log

  • 2026-07-11 — Voice-assistant review remediated: no-train model pinning, transcript redaction, sub-processor register updated.
  • 2026-07-01 — Counsel agent instated; first pipeline reviews.