The EU AI Act Starts Enforcement in August 2026. Here's What That Means for Your LLM Pipeline.

If you're building anything with LLMs, whether internal tools, customer-facing features, or AI agents, the EU AI Act enforcement deadline in August 2026 is going to matter to you.

Not because you're building "high-risk AI." Most LLM applications probably won't fall into the high-risk category. But because the Act introduces data governance obligations that apply much more broadly than people realise.

Here's the part most engineering teams haven't thought about yet.

The Data Governance Problem

Article 10 of the AI Act requires that training and testing data be "relevant, representative, free of errors and complete." That's about model training, and it mostly affects AI companies building foundation models.

But Articles 13 and 15 introduce transparency and accuracy obligations that trickle down to anyone deploying AI systems. If your AI system processes personal data (and if it touches customer support tickets, user profiles, or any customer-facing data, it does), you need to be able to demonstrate that you've handled that data responsibly.

Combined with GDPR (which doesn't go away just because you're also subject to the AI Act), the practical requirement is: don't send personal data to AI systems unless you have a clear legal basis and appropriate safeguards.

For most companies using third-party LLM APIs, the simplest safeguard is: strip the personal data before it gets there.

What This Looks Like in Practice

Your customer support AI summarises tickets. Each ticket contains a customer's name, email, and sometimes their address. Today, all of that goes to OpenAI or Anthropic.

Under combined GDPR and AI Act obligations, you need to either:

  1. Have an explicit legal basis for sending that personal data to a third-party AI provider
  2. Have a DPA with the AI provider that specifically covers this processing
  3. Demonstrate data minimisation: only send what's necessary for the AI to do its job

The LLM doesn't need the customer's name to summarise their complaint. It doesn't need their email to suggest a reply. It doesn't need their address at all.

Stripping PII before the LLM call satisfies all three requirements simultaneously. You're minimising data, you're not sending personal data to a third party, and you don't need a DPA covering PII processing with your AI provider because no PII reaches them.

A Simple Pipeline Change

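import os

import openai
import requests

def strip_pii(text):
    # Redact personal data before the text is sent to a third-party LLM API.
    response = requests.post(
        "https://api.comply-tech.co.uk/api/v1/anonymise",
        headers={
            # Read the key from the environment; the variable name is an example.
            "X-Api-Key": os.environ["COMPLYTECH_API_KEY"],
            "Content-Type": "application/json",
        },
        json={
            "content": text,
            "contentType": "text",
            "strategy": "Redact",
            "frameworks": ["GDPR"]
        },
        timeout=10,  # do not let a stalled request hang the pipeline
    )
    # Fail closed: an error here must stop the pipeline, not fall back to raw text.
    response.raise_for_status()
    return response.json()["anonymisedContent"]

# Sample ticket (same text as the curl example further down)
raw_ticket = "Customer Sarah Mitchell (sarah@gmail.com) says her order #4821 hasnt arrived at 14 Beechwood Ave, Manchester M20 3FJ"

# Before: send raw ticket to LLM
# After: send clean ticket to LLM
clean_ticket = strip_pii(raw_ticket)
summary = openai.chat.completions.create(
    model="gpt-4",
    messages=[{"role": "user", "content": clean_ticket}]
)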

One extra API call. Sub-100ms latency. The LLM gets the same context without the personal data.
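The pipeline above forwards whatever the anonymiser returns. The following is an added example, not code from this post or from the API's vendor: a fail-closed gate that re-checks the redacted text locally and blocks the LLM call if the anonymiser errors or an identifier slips through. The names `residual_pii`, `guarded_llm_call` and `PiiLeakError`, the patterns, and the `[REDACTED]` marker are assumptions made for illustration.

```python
import re

# Backstop patterns for identifiers with a fixed shape. Illustrative only:
# names and street addresses have no such shape and are not covered here.
RESIDUAL_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.I),
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?|0)\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}(?!\d)"),
}


class PiiLeakError(RuntimeError):
    """Raised in place of forwarding text to the LLM provider."""


def residual_pii(text):
    """Return the sorted names of the patterns that still match the text."""
    return sorted(n for n, rx in RESIDUAL_PATTERNS.items() if rx.search(text))


def guarded_llm_call(raw_text, anonymise, call_llm):
    """Anonymise, verify locally, then call the LLM; any failure blocks the call."""
    try:
        clean = anonymise(raw_text)
    except Exception as exc:
        # Never fall back to the raw text when the anonymiser is unavailable.
        raise PiiLeakError("anonymisation failed; LLM call blocked") from exc
    leftovers = residual_pii(clean)
    if leftovers:
        # Report categories only, so errors and logs carry no personal data.
        raise PiiLeakError("residual PII after redaction: " + ", ".join(leftovers))
    return call_llm(clean)


if __name__ == "__main__":
    # Constructed inputs: the ticket text from the curl example, and a redacted
    # form whose "[REDACTED]" marker is an assumption about the output format.
    raw = ("Customer Sarah Mitchell (sarah@gmail.com) says her order #4821 "
           "hasnt arrived at 14 Beechwood Ave, Manchester M20 3FJ")
    redacted = "Customer [REDACTED] ([REDACTED]) says her order #4821 hasnt arrived at [REDACTED]"
    print(residual_pii(raw))
    print(guarded_llm_call(raw, lambda t: redacted, lambda t: "summary of: " + t))
```

In the pipeline above, `strip_pii` would be passed as `anonymise` and a wrapper around the chat completion call as `call_llm`.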

Why This Matters Now, Not in August

Compliance deadlines don't work the way engineers think they do. The enforcement date is when regulators can start fining you. But auditors, enterprise clients, and compliance teams start asking questions months before that.

If you're in B2B SaaS and you sell to European customers, expect security questionnaires to start including AI-specific data handling questions in the next few months. Having an answer that says "we strip PII before it reaches any LLM API" is significantly better than "we're working on it."

Try It Now

curl -X POST https://api.comply-tech.co.uk/api/v1/anonymise \
  -H "X-Api-Key: demo-key-complytech" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "Customer Sarah Mitchell (sarah@gmail.com) says her order #4821 hasnt arrived at 14 Beechwood Ave, Manchester M20 3FJ",
    "contentType": "text",
    "strategy": "Redact",
    "frameworks": ["GDPR"]
  }'

Free demo key, no signup. See what gets caught and what comes through clean.
