Most Firms Unprepared for AI Rules as GDPR Pressure Grows
A recent survey conducted among compliance, legal, and IT professionals has revealed a concerning trend: a significant majority of organizations are ill-prepared for the regulatory landscape that governs the use of artificial intelligence (AI). The research, performed by compliance eLearning provider VinciWorks, surveyed 230 professionals across regulated industries, and the findings are alarming.
Low Preparedness Levels
Only 3.5% of the respondents characterized their organizations as fully prepared for the current AI regulatory requirements. The uncertainty surrounding these regulations is pervasive; approximately 29% of participants indicated they were still determining which rules apply to their organizations. Another 28% acknowledged awareness of the relevant regulations but lacked a clear action plan, while 6% admitted to being unsure of their compliance status. Collectively, 63% of those surveyed could not claim preparedness for the evolving AI environment.
Training Shortfalls
The results highlight a notable gap in training and internal awareness regarding AI. A mere 22% of respondents stated their organizations provide effective AI awareness training. Alarmingly, nearly half (48%) reported having no AI training programs in place but expressed a desire to implement them. Additionally, 12% indicated there are no plans to offer training, while another 12% mentioned existing training that is not particularly effective.
This lack of structured training complicates governance, record-keeping, and internal assurance processes, especially where personal data is concerned. As AI tools proliferate within business functions, many organizations appear to be relying on informal knowledge rather than formal training.
Challenges Under GDPR
Respondents identified several areas where data protection requirements complicate AI utilization. The most significant issue cited was automated decision-making rules (27%). Data minimization and retention concerns followed, mentioned by 23% of respondents, while oversight of vendors and model providers was noted by 21%.
The findings indicate that challenges arise across multiple facets of the data protection framework, rather than from a single point of friction. AI systems typically operate on large datasets, generate outputs that may be opaque, and depend on third-party vendors, thereby increasing the requirements for mapping data flows and documenting compliance decisions.
Operational Disruption
While many organizations report minimal immediate impact on their compliance operations, a smaller segment is already facing significant disruptions. Nearly two-thirds (64%) described AI as only slightly disruptive or not disruptive at all to their compliance programs. Conversely, 12% reported that AI had been very or extremely disruptive.
This disparity suggests uneven adoption of AI. Some organizations are still pilot-testing use cases and establishing policies, while others have advanced to broader deployments across various functions. This unevenness affects the volume of compliance work necessary, including risk assessments, procurement checks, and evaluations of how AI tools interact with personal data.
Mixed Confidence Levels
Confidence in compliance with AI regulations is similarly divided. Only 9% of respondents expressed strong confidence that their organization’s use of AI is compliant. A third (33%) reported being not very confident or not confident at all, while the largest group (30%) felt only somewhat confident.
Conclusion
Respondents emphasized the challenge of keeping pace with regulatory changes. AI governance in Europe and the UK is evolving through a mix of new AI-specific regulations and the extension of existing frameworks such as data protection laws. Organizations may need to navigate governance across multiple departments, including legal, compliance, data protection, security, and procurement.
The survey results reflect converging pressure stemming from ongoing GDPR enforcement, the implementation phase of the EU AI Act, and the UK’s sector-specific approach to AI governance. Firms are exhibiting low levels of readiness and limited training as they evaluate how their AI use aligns with current obligations.