← All experiments
LiveStarted July 1, 2026Updated July 11, 2026
Can an AI be its own data-protection officer?
GDPR Counsel Agent
- Claude
- EU GDPR / Personopplysningsloven
Relevant services: AI Digital Teammates · Thrivbe AI
Hypothesis
An AI-native company processes personal data through pipelines no traditional DPO could review fast enough. A standing counsel agent — versed in GDPR and Norwegian data-protection law, invoked before anything sensitive ships — should catch real compliance problems at development speed.
What we built
An internal counsel agent that reviews our own systems: AI processing chains, recordings, communications, sub-processor lists, and data-subject-rights handling. It's wired into our workflow — new pipelines that touch personal data get a counsel pass before going live, and its findings are tracked like any other engineering work.
Learnings
- It found a real one: tool results containing third-party personal data were being sent onward to free LLM relays that train on prompts. That finding drove an architectural change — sensitive workloads now pin to verified no-train models.
- The counsel is most useful during design, not after: "where does this data flow, and under what basis?" asked early is cheap; asked late it's a rebuild.
- An AI reviewing AI systems isn't a conflict of interest if its findings are binding — ours block launches until addressed.
Log
- 2026-07-11 — Voice-assistant review remediated: no-train model pinning, transcript redaction, sub-processor register updated.
- 2026-07-01 — Counsel agent instated; first pipeline reviews.
