Do I Need Consent to Train an Internal AI Model on My Customer Data?
You do not always need consent to train an internal AI model on customer data. Under the GDPR, many organisations can rely on legitimate interests as the legal basis for this type of processing, provided a structured assessment shows that the processing is appropriate, necessary, and does not override individuals’ rights.
Regulators, including through recent EDPB opinions and guidance, have confirmed that training and improving internal AI systems can fall within legitimate interests when the data involved is standard customer information and not special category data. Consent remains an option, but it is generally harder to use in practice due to the ability to withdraw it and the need to demonstrate it was validly obtained.
Before relying on legitimate interests, you should carry out a documented assessment that does the following:
Clearly identifies the purpose (for example, enhancing internal services or product performance).
Demonstrates the necessity of using the data for that purpose.
Applies proportionate safeguards such as minimisation or anonymisation.
Weighs these factors against what customers can reasonably expect given their existing relationship with you.
You will also need to be transparent about the processing in your privacy information and consider a DPIA where risks are higher. Regulators have also noted that training models on third-party or scraped data carries considerably more risk; however, using your own customer data for internal improvements is generally more defensible when appropriate controls are in place.