Free EU AI Act & GDPR Compliance Templates
50 expert-written checklists, policies, and procedure templates covering EU AI Act, GDPR, UK GDPR, healthcare, finance, HR, and SME compliance. Use them as a starting point or let our fixed-scope sprint turn them into production-ready documents for your organisation.
EU AI Act Templates
Obligations in force from August 2025 (prohibited practices) and August 2026 (high-risk systems)
High-Risk AI System Compliance Checklist
A step-by-step checklist for organisations operating high-risk AI systems under Annex III of the EU AI Act, covering all mandatory requirements before market placement.
General-Purpose AI (GPAI) Model Compliance Template
Obligations checklist for providers of general-purpose AI models, including foundation models and those with systemic risk (>10²⁵ FLOPs training compute).
Prohibited AI Practices Screening Template
Use this template to screen your AI systems against Article 5 prohibited practices before deployment to the EU market. Non-compliance carries the highest penalties in the regulation.
AI System Risk Classification Template
A structured decision tree to classify any AI system into the EU AI Act's four risk tiers: unacceptable, high, limited, or minimal — determining your compliance obligations.
AI Conformity Assessment Template
Step-by-step conformity assessment template for high-risk AI providers, covering both self-assessment (Annex VI) and notified body routes (Annex VII).
Annex IV Technical Documentation Template
Complete Annex IV technical documentation template for high-risk AI providers, covering all eight mandatory sections required before market placement.
Human Oversight Implementation Template
Implementation checklist for Article 14 human oversight requirements, ensuring humans can effectively monitor, understand, and intervene in high-risk AI system outputs.
AI Transparency Obligations Checklist
Checklist covering Articles 13, 50, and 52 transparency requirements for high-risk AI systems, chatbots, emotion recognition systems, and AI-generated content.
AI Serious Incident Reporting Template
Incident reporting procedure for Article 73 obligations: identifying, classifying, and notifying market surveillance authorities of serious incidents involving high-risk AI systems.
Post-Market Monitoring Plan Template
Article 72 post-market monitoring plan for high-risk AI providers, covering monitoring systems, data collection, performance review, and corrective action procedures.
CE Marking for AI Systems Template
Procedural checklist for affixing the CE marking to high-risk AI systems, covering all pre-conditions, documentation requirements, and marking obligations.
SME EU AI Act Compliance Guide
Practical compliance roadmap for small and medium enterprises deploying AI, focusing on proportionate obligations, reduced fees, and priority actions before the August 2026 deadline.
Clinical AI Validation Compliance Template
AI systems used for clinical decision support, diagnosis, or treatment recommendation in the EU or UK must comply with the EU AI Act (High Risk, Annex III) and may also be regulated as medical devices under MDR or IVDR. This template covers the dual compliance requirement.
Software as a Medical Device (SaMD) Compliance Checklist
Software as a Medical Device (SaMD) is software intended to be used for medical purposes — diagnosis, prevention, monitoring, prediction, prognosis, treatment, or alleviation of disease. This template covers MDR/IVDR classification, conformity assessment, and AI Act overlay.
Healthcare AI Ethics and Governance Framework
AI in healthcare raises ethical challenges beyond regulatory compliance: bias in training data, explainability of clinical decisions, and equitable outcomes across patient demographics. This template covers the ethical governance framework required alongside legal compliance.
Financial Services AI Model Risk Management Template
AI models used in financial services for credit decisions, risk assessment, trading, or fraud detection are classified as High Risk under the EU AI Act and subject to FCA and PRA model risk management guidance. This template covers model validation, explainability, and governance.
MiFID II AI-Assisted Trading Compliance Checklist
Algorithmic and AI-assisted trading in the EU and UK is regulated under MiFID II. Firms must have pre-trade controls, kill switches, and governance for algorithms. AI-driven trading systems also fall within the EU AI Act High Risk category.
AML / KYC AI System Compliance Template
AI systems used for anti-money laundering (AML) screening, Know Your Customer (KYC) identity verification, and transaction monitoring are classified as High Risk under the EU AI Act. This template covers the AML/KYC regulatory requirements and AI governance overlay.
AI in Hiring — EU AI Act & Equality Law Compliance
AI systems used in recruitment, CV screening, candidate ranking, and hiring decisions are explicitly listed as High Risk under EU AI Act Annex III. This template covers the conformity requirements, equality law obligations, and GDPR Article 22 rights for job applicants.
AI-Based Employee Monitoring Compliance Template
AI tools that monitor employee productivity, track communications, analyse behaviour, or score performance are subject to GDPR, employment law, and in some cases EU AI Act High Risk classification. This template covers lawful monitoring practices.
AI Act Compliance Roadmap for Startups
Startups building AI-powered products need a compliance roadmap that does not slow down product development. This template provides a phased approach: build safely, assess risk, and only invest in full conformity when required by your market.
GDPR Templates
Data protection obligations under EU GDPR and UK GDPR — applicable now
GDPR Data Audit Template
A structured data audit to map all personal data flows, legal bases, processors, and retention periods — the foundation of any GDPR compliance programme.
GDPR Consent Management Template
Implementation checklist for valid GDPR consent under Article 7: granular, informed, freely given, unambiguous, and as easy to withdraw as to give.
Data Subject Rights Response Template
Procedures and response templates for handling all eight GDPR data subject rights — from access requests to the right to object — within mandatory timelines.
GDPR Privacy Notice Template
Compliant privacy notice template covering all mandatory Articles 13-14 disclosures for data collected directly from individuals and from third-party sources.
Data Processing Agreement (DPA) Template
Mandatory Article 28 Data Processing Agreement template for controller-processor relationships, covering all required provisions and sub-processing controls.
GDPR International Data Transfers Template
Compliance checklist for lawful transfers of personal data to third countries under GDPR Chapter V, covering adequacy decisions, SCCs, BCRs, and derogations.
GDPR Data Breach Response Template
Step-by-step incident response procedure for personal data breaches, covering the 72-hour supervisory authority notification and individual communication requirements.
Data Protection Impact Assessment (DPIA) Template
Article 35 DPIA template for high-risk processing activities, covering systematic risk identification, likelihood/severity assessment, and required mitigation measures.
Legitimate Interest Assessment (LIA) Template
Three-part Legitimate Interest Assessment for Article 6(1)(f) processing: purpose test, necessity test, and balancing test — including documentation for supervisory authority review.
GDPR Data Retention Policy Template
Data retention policy template defining retention periods by data category, legal basis, and business purpose — with automated deletion schedules and exceptions for legal hold.
Cookie Compliance Template (GDPR + ePrivacy)
Cookie consent and management checklist combining GDPR consent requirements with ePrivacy Directive obligations — covering first-party, third-party, and tracking cookies.
GDPR Compliance Template for SaaS Providers
GDPR compliance checklist specifically for SaaS providers who act as data processors for customer data, covering product design, contractual obligations, and operational security.
GDPR for Startups: Minimum Viable Compliance
A practical minimum-viable GDPR compliance checklist for early-stage startups — covering the baseline you must have before your first user, not the comprehensive programme for later.
UK GDPR Post-Brexit Compliance Checklist
After Brexit, the UK retained GDPR as UK GDPR under the Data Protection Act 2018. This template covers the key divergences from EU GDPR, ICO obligations, and what UK businesses must do to comply with both regimes when processing EU and UK resident data.
ICO Registration Requirements Checker
Most UK organisations that process personal data must pay the ICO data protection fee and register as a data controller. This template helps you determine whether you need to register, which tier applies, and how to complete registration correctly.
UK Data Bridge — US Transfers Compliance Template
The UK-US Data Bridge (extension of the EU-US Data Privacy Framework) allows UK organisations to transfer personal data to certified US organisations without additional safeguards. This template covers how to use the Data Bridge correctly and what to do when it is not available.
PECR Cookie Compliance Template
PECR governs cookies, electronic marketing, and communications security in the UK. Unlike UK GDPR it has its own consent standard for cookies. This template covers cookie compliance, consent banners, and the interaction between PECR and UK GDPR.
UK GDPR Quick-Start for Startups
A lean UK GDPR compliance template for early-stage UK startups. Covers the minimum viable compliance set to reduce ICO risk while you build, without the overhead required of larger organisations.
UK Adequacy Decision Monitoring Template
The EU granted the UK an adequacy decision in June 2021, allowing free flow of personal data from the EU to the UK without additional safeguards. This template helps EU-facing UK businesses monitor the adequacy decision and prepare contingency plans.
Patient Data Protection Compliance Template
Health data is a special category under GDPR, requiring explicit consent or another Article 9 condition for processing. This template covers lawful bases for processing patient data, access controls, breach response, and NHS Digital requirements.
NHS Data Security and Protection Toolkit
The NHS Data Security and Protection (DSP) Toolkit is mandatory for all organisations with access to NHS patient data and systems. This template guides you through achieving a Standards Met assessment, the minimum required for NHS Digital connection.
PSD2 / Open Banking AI Compliance Template
Payment Services Directive 2 (PSD2) and the UK Open Banking regime enable third-party providers to access customer bank accounts with consent. AI-powered fintech products using Open Banking APIs must comply with PSD2, UK Open Banking standards, and GDPR.
Automated Decision-Making in HR — GDPR Article 22 Template
GDPR Article 22 gives individuals the right not to be subject to solely automated decisions that produce legal or similarly significant effects. This applies to HR decisions including hiring, performance reviews, pay decisions, and termination.
Pay Equity AI Audit and Compliance Template
The EU Pay Transparency Directive (2023/970) requires employers to report gender pay information and comply with equal pay principles. AI salary-setting and compensation systems must be audited for gender and protected-characteristic bias. This template covers the audit and disclosure requirements.
GDPR Quick-Start for Small Businesses (Under 250 Employees)
Small businesses with fewer than 250 employees have limited exemptions under GDPR but still face most obligations. This template focuses on the pragmatic minimum compliance set for SMEs — what you must do, in the right order, without unnecessary overhead.
E-Commerce Privacy Compliance Template
E-commerce businesses collect extensive personal data through transactions, browsing behaviour, and marketing. This template covers the privacy compliance requirements specific to online retail, including cookie consent, marketing, and payment data handling.
Remote Work Data Security Compliance Template
Remote and hybrid work introduces data security risks that organisations must manage under GDPR. Personal data processed on home networks, personal devices, and collaboration tools must be secured and governed. This template covers the minimum controls.
Social Media GDPR Compliance for Businesses
Using social media platforms for marketing involves processing personal data through pixels, custom audiences, and social login. This template covers the GDPR and PECR compliance requirements for business use of social media advertising and data collection.
Industry & Sector-Specific Templates
Healthcare, finance, HR, and other sector-specific obligations alongside AI Act and GDPR
Need these turned into real documents?
Our fixed-scope compliance sprint delivers production-ready documents in 5–15 business days. Starting from £2,500.