Artificial intelligence (AI) is rapidly changing the world of work. However, the new technological possibilities also come with legal challenges. How can companies implement AI successfully and legally? What legal regulations need to be observed, and how can compliance and data protection be reconciled?
In my interview with Barbara Schmitz, a lawyer and expert in IT and data protection law from Munich, we clarify the most important questions regarding the introduction of AI in companies. She provides insights into the legal foundations, offers practical tips for businesses and explains why AI skills and training should be a key focus for businesses in 2025.
Listen to the interview in episode 9 of THE PAYROLL PODCAST to find out how you can best prepare your company for the future of AI and introduce AI in your business in a legally compliant way.
Sabine Katzmair: Ms Schmitz, AI is currently a big topic that is developing rapidly. Are you already using AI in your professional or private life?
Barbara Schmitz: Yes, definitely. I use AI both professionally and privately. The technology is fascinating, but it also poses challenges. From a data protection perspective, for example, many questions arise: Where does the data come from? How is it processed? The GDPR is designed to be technology-neutral and provides a central basis.
Sabine Katzmair: AI is becoming increasingly relevant in the world of work. What is important for companies if they want to introduce AI?
Barbara Schmitz: Companies need to establish clear usage guidelines and compliance regulations. Issues such as IT security and the use of AI on business and private devices should be regulated. In addition, legal requirements from the GDPR, the AI Regulation and national laws must be taken into account.
Sabine Katzmair: What is the connection between the GDPR, the AI Regulation and the Federal Data Protection Act?
Barbara Schmitz: The AI Regulation is a European regulation that focuses on artificial intelligence. It complements the GDPR, which regulates personal data. The Federal Data Protection Act is a national implementation of certain aspects of the GDPR. Together, these regulations form the legal framework for the use of AI.
Sabine Katzmair: Are there differences in the type of data affected by these regulations?
Barbara Schmitz: Yes. The GDPR refers exclusively to personal data. The AI Regulation can also affect other types of data, such as product-related or technical data.
Sabine Katzmair: What measures should companies take now?
Barbara Schmitz: Companies should have developed compliance and AI policies. This includes regulations on the use of AI, IT security measures and clear guidelines on which data may be processed. Employee training is particularly important to promote the responsible use of AI.
Sabine Katzmair: From February 2025, employees will have to have sufficient AI skills. How can companies ensure this?
Barbara Schmitz: There are different training approaches, from web-based training to face-to-face workshops. It is important that management is behind the issue and sends a clear message: Dealing with AI is a central part of our corporate culture.
Sabine Katzmair: How can companies prevent the misuse of AI systems?
Barbara Schmitz: Data protection guidelines and technical monitoring options play an important role. For example, the IT department should be able to see which tools are being used. At the same time, trade secrets and the requirements of the GDPR must be observed.
Sabine Katzmair: Are there technical ways to monitor the use of AI?
Barbara Schmitz: Yes, there are IT systems that can monitor data flows and the tools used. However, it is important that the works council is involved in such measures in order to protect the personal rights of employees.
Sabine Katzmair: What do companies with a works council need to consider when introducing AI?
Barbara Schmitz: The works council has a right to information and should be involved in the planning at an early stage. There are already specific regulations on AI in the Works Constitution Act. For example, there is a right to information when AI is introduced in the company.
Sabine Katzmair: What about custom AI solutions, such as in-house AI assistants?
Barbara Schmitz: Self-developed AI solutions fall under the AI Regulation and must comply with its requirements. Companies must ensure that such systems comply with data protection and that no sensitive data is processed without authorisation.
Sabine Katzmair: Ms Schmitz, what advice would you give to companies that are still hesitant about introducing AI?
Barbara Schmitz: Companies shouldn’t wait and see, they should act. A clear AI strategy, transparent policies and comprehensive training are essential. AI is not a passing trend – it will shape the world of work in the long term.
Sabine Katzmair: Thank you very much for the interesting interview and the valuable insights.