The EU AI Act Starts Enforcement in August 2026. Here's What That Means for Your LLM Pipeline.

If you're building anything with LLMs, whether internal tools, customer-facing features, or AI agents, the EU AI Act enforcement deadline in August 2026 is going to matter to you.

Not because you're building "high-risk AI." Most LLM applications probably won't fall into the high-risk category. But the Act's arrival is prompting compliance teams to scrutinise AI data flows that have been overlooked, and GDPR obligations that already apply are coming into sharper focus.

Here's what most engineering teams haven't thought about yet.

The Data Governance Problem

The AI Act's strictest obligations apply to high-risk AI systems, and most LLM applications won't fall into that category. But the Act doesn't exist in a vacuum. GDPR already requires data minimisation (Article 5), appropriate technical safeguards including pseudonymisation (Article 32), and Data Processing Agreements with any third party handling personal data (Article 28). These obligations apply to every company processing EU citizen data, regardless of how the AI Act classifies your system. The AI Act's arrival is simply making compliance teams take a harder look at AI data flows that they've been overlooking.

The practical upshot: don't send personal data to AI systems unless you have a clear legal basis and appropriate safeguards.

For most companies using third-party LLM APIs, the simplest safeguard is: strip the personal data before it gets there.

What This Looks Like in Practice

Your customer support AI summarises tickets. Each ticket contains a customer's name, email, and sometimes their address. Today, all of that goes to OpenAI or Anthropic.

Under existing GDPR obligations, if you're sending personal data to a third-party LLM provider, you need to either:

  1. Have a valid legal basis for sending that personal data to a third-party AI provider
  2. Have a DPA with the AI provider that specifically covers this processing
  3. Demonstrate data minimisation: only send what's necessary for the AI to do its job

The LLM doesn't need the customer's name to summarise their complaint. It doesn't need their email to suggest a reply. It doesn't need their address at all.

Stripping PII before the LLM call is the simplest way to address data minimisation, and it significantly reduces the complexity of the DPA and legal basis questions because no personal data reaches the third party.

A Simple Pipeline Change

import os
import openai
import requests

ANONYMISE_URL = "https://api.comply-tech.co.uk/api/v1/anonymise"

def strip_pii(text):
    """Send the ticket text to the anonymisation API and return the redacted copy."""
    response = requests.post(
        ANONYMISE_URL,
        headers={
            "X-Api-Key": os.environ["COMPLYTECH_API_KEY"],  # keep the key out of source control
            "Content-Type": "application/json",
        },
        json={
            "content": text,
            "contentType": "text",
            "strategy": "Redact",
            "frameworks": ["GDPR"],
        },
        timeout=10,
    )
    response.raise_for_status()  # fail closed: never fall through to sending the raw text
    return response.json()["anonymisedContent"]

def summarise_ticket(raw_ticket):
    # Before: send raw ticket to LLM
    # After: send clean ticket to LLM
    clean_ticket = strip_pii(raw_ticket)
    summary = openai.chat.completions.create(  # reads OPENAI_API_KEY from the environment
        model="gpt-4",
        messages=[{"role": "user", "content": clean_ticket}]
    )
    return summary.choices[0].message.content

One extra API call. Sub-100ms latency. The LLM gets the same context without the personal data.
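The snippet above delegates detection to the remote API. As an added example (not code from the post or from Comply-Tech), here is the shape of a local pseudonymisation layer you can put in front of that call: it swaps the regex-detectable identifiers in a ticket for stable tokens, keeps the token-to-value mapping inside your own pipeline so the LLM's reply can be re-identified locally (the pseudonymisation that Article 32 points to), and fails closed if anything still matches before the text is sent. The sample ticket and the three patterns are constructed for the example; names and street addresses need an NER-based detector and are left to the upstream service.

```python
import re
from dataclasses import dataclass, field

# Constructed sample ticket (no real customer data), mirroring the post's curl demo.
SAMPLE_TICKET = (
    "Customer Sarah Mitchell (sarah@gmail.com) says her order #4821 hasn't "
    "arrived at 14 Beechwood Ave, Manchester M20 3FJ. Call 07700 900123."
)
# Identifiers a regex catches reliably. Free-text names and street addresses
# need an NER-based detector and are deliberately out of scope for this layer.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "UK_PHONE": re.compile(r"\b(?:\+44\s?7|07)\d{3}\s?\d{6}\b"),
    "UK_POSTCODE": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
}

@dataclass
class Pseudonymiser:
    """Swaps identifiers for stable tokens; the mapping never leaves the pipeline."""
    forward: dict = field(default_factory=dict)  # value -> token
    reverse: dict = field(default_factory=dict)  # token -> value

    def pseudonymise(self, text: str) -> str:
        for label, pattern in PATTERNS.items():
            def _token(match, label=label):
                value = match.group(0)
                if value not in self.forward:  # same value always gets the same token
                    token = f"[{label}_{len(self.forward) + 1}]"
                    self.forward[value] = token
                    self.reverse[token] = value
                return self.forward[value]
            text = pattern.sub(_token, text)
        return text

    def reidentify(self, text: str) -> str:
        # Put the real values back into the LLM's reply, locally.
        for token, value in self.reverse.items():
            text = text.replace(token, value)
        return text

def is_clean(text: str) -> bool:
    """Independent check run on the anonymised text before any LLM call."""
    return not any(pattern.search(text) for pattern in PATTERNS.values())

def prepare_for_llm(ticket: str) -> tuple:
    """Pseudonymise and fail closed: nothing is sent if an identifier survived."""
    pseudonymiser = Pseudonymiser()
    clean = pseudonymiser.pseudonymise(ticket)
    if not is_clean(clean):
        raise ValueError("residual identifiers in anonymised text; refusing to send")
    return clean, pseudonymiser
```

Call `prepare_for_llm(raw_ticket)` in place of `strip_pii`, send the returned text to the model, and run the reply through `reidentify` before it reaches an agent or the customer.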

Why This Matters Now, Not in August

Compliance deadlines don't work the way engineers think they do. The enforcement date is when regulators can start fining you. But auditors, enterprise clients, and compliance teams start asking questions months before that.

If you're in B2B SaaS and you sell to European customers, expect security questionnaires to start including AI-specific data handling questions in the next few months. Having an answer that says "we strip PII before it reaches any LLM API" is significantly better than "we're working on it."

Try It Now

curl -X POST https://api.comply-tech.co.uk/api/v1/anonymise \
  -H "X-Api-Key: demo-key-complytech" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "Customer Sarah Mitchell (sarah@gmail.com) says her order #4821 hasnt arrived at 14 Beechwood Ave, Manchester M20 3FJ",
    "contentType": "text",
    "strategy": "Redact",
    "frameworks": ["GDPR"]
  }'

Free demo key, no signup. See what gets caught and what comes through clean.
