AI Challenges Data Protection Law Limits: Study

University of Exeter

The growing use of agentic artificial intelligence will test how organisations comply with existing data protection law, a new study warns.

Innovations will test the limits of existing rules, particularly when AI agents perform complex, multi-step tasks with limited human input.

Agentic AI's distinctive features require a more comprehensive approach that extends beyond existing data protection measures alone, the research says.

The study argues that data protection compliance should be supported by stronger accountability mechanisms, governance measures, and forms of human oversight adapted to different levels of agentic AI autonomy.

These safeguards should include documentation, auditability, impact assessments, and ongoing monitoring across the agentic AI lifecycle.

Unlike conventional generative AI, agentic AI systems are designed to pursue complex goals and coordinate multi-step actions, often with limited human input. This creates distinctive interpretative and compliance challenges for organisations subject to data protection law, including the GDPR.

The study, by Professor Ana Beduschi from the University of Exeter, argues that the GDPR remains an appropriate baseline for protecting personal data, but that the distinctive challenges posed by agentic AI require a broader approach involving governance, accountability, assessments of people's rights, and meaningful oversight.

Professor Beduschi said: "Agentic AI does not render the GDPR obsolete. But it does show why data protection cannot operate in isolation from broader questions of governance, accountability, and fundamental rights.

"AI agents should not be treated as data controllers under the GDPR. They remain tools, albeit sophisticated ones, deployed by natural or legal persons. The difficulty is that, in practice, they may shape how personal data processing is carried out, for example, by selecting methods, approaches, task sequences, or adaptive strategies. The varying degrees of autonomy in agentic AI decision-making may introduce complex accountability chains, making it harder to exercise and enforce data subject rights such as access, portability, and erasure."

The research explains that compliance with the right to erasure may become more difficult where personal data has influenced an agentic AI system's dynamic, evolving decision-making processes. This may reveal a gap between legal standards and technical realities.

Professor Beduschi said: "Generative AI already creates difficulties for data protection compliance. But agentic AI adds a further challenge because these systems may operate autonomously over time, connecting multiple decisions and pursuing goals through self-guided steps. This means that the legal challenge is not only to explain a single output, but to understand and oversee an evolving process of action, adaptation, and decision-making."

"As AI agents' autonomy increases, safeguards should shift from embedded human involvement and intervention to more structured, system-level, ongoing oversight that can recalibrate and, if needed, stop autonomous processes."
