GDPR and AI for Law Firms: Operational Lessons from EDPB Opinion 28/2024
Law firms adopting AI need more than general privacy principles disconnected from practice. They need reliable operational patterns that survive real client work. The themes in EDPB Opinion 28/2024 offer exactly that: a way to turn GDPR principles into workflow design and daily review behavior (1).
Why Opinion 28/2024 matters for legal practice
The EDPB adopted Opinion 28/2024 in December 2024, and its themes remain highly relevant in 2026 legal AI deployment. The opinion addresses difficult questions around lawful basis, processing stages, and whether data handling expectations can be met in model ecosystems (1).
For law firms, this is immediately practical because legal matters often involve special-category data, highly confidential documents, and cross-border transfers.
Four GDPR pressure points in law-firm AI workflows
- Lawful-basis clarity: each AI workflow stage needs a defensible lawful basis of its own; a generic privacy notice does not supply one.
- Purpose limitation: matter data should not quietly drift into unrelated optimization or analytics uses.
- Data minimization: prompts and document pipelines should be scoped to the minimum needed legal context.
- Rights handling: firms need practical procedures for rights requests affecting AI-assisted processing records.
Build GDPR controls into workflow design, not post-hoc review
A strong operating model starts before data enters the system:
- Define approved data classes for each AI workflow.
- Block unnecessary personal data in prompt templates by default.
- Apply role-based access and retention windows aligned with matter lifecycle.
- Keep decision logs for high-impact AI-assisted outputs.
This approach reduces legal ambiguity and improves audit readiness if clients or authorities ask how processing decisions were made.
Special-category and confidentiality-heavy matters
Legal practices frequently handle data sets where mistakes have disproportionate consequences. In these contexts, technical convenience should never override confidentiality and minimization. ICO AI guidance likewise keeps accountability, lawfulness, transparency, accuracy, fairness, and rights handling in view (2). Firms should set stricter default controls for:
- employment and health-related disputes,
- criminal and sanctions-related matters,
- sensitive investigations and internal reports.
Where uncertainty exists, route work through a higher-assurance workflow with additional human review and reduced data exposure.
Vendor contracting does not replace controller accountability
Even with strong vendor commitments, law firms remain accountable for their own processing decisions. Contract terms should support governance, but internal controls are what prove compliance in practice (3).
At a minimum, firms should verify processor roles, retention behavior, transfer mechanics, and the quality of incident notification before scaling AI usage.
A 60-day GDPR hardening plan for legal AI
- Create a workflow-by-workflow lawful-basis register.
- Standardize prompt minimization templates by matter type.
- Implement stricter defaults for high-confidentiality matter classes.
- Run a rights-request tabletop exercise involving AI-assisted records.
- Review third-party contracts against actual workflow behavior.
GDPR maturity in legal AI is less about one policy document and more about repeatable data-handling behavior under real matter pressure.
Conclusion
Firms that align AI deployment with lawful-basis discipline, minimization, and rights readiness gain stronger regulatory and client-risk controls. Opinion 28/2024 is not only a legal reference point. It is an operations blueprint.