Luxgap: AI to protect personal data
By integrating regulatory e-learning and AI assistants into a single platform, the Luxembourg-based company facilitates the handling of internal requests related to the processing of personal data.
Jean-Michel Gaudron
[This article is part of a content series developed in collaboration with FEDIL, showcasing how artificial intelligence is contributing to the digital transformation of Luxembourg’s economy.]
Despite the European Commission's efforts to ease constraints through the Omnibus Directive, companies have in recent years faced an accelerating pace and increasing complexity of regulation of all kinds, whether linked to the implementation of the CSRD (Corporate Sustainability Reporting Directive) or to obligations related to digitalisation and cybersecurity (NIS 2, AI Act, Digital Markets Act, etc.). It has become difficult, especially for SMEs, to keep up and to translate all these legal obligations into concrete operational actions, not to mention the significant investments required to remain compliant at all times.
“On the one hand, we were seeing teams becoming saturated by a growing volume of recurrent and standardised compliance questions,” explains Guillaume Moreau, Senior Data Protection Consultant and Certified DPO at Luxgap, a company founded in 2019 and specialising in personal data protection. “These requests were mobilising qualified legal resources for low-complexity issues, to the detriment of more strategic analyses.”
As a result, response times, although reasonable, remained misaligned with operational teams’ expectations for immediacy. More than 60 percent of internal requests concerned standardisable cases, with response times of up to 24 to 48 hours depending on workload.
This was compounded by a traditional training model that was reaching its limits, with generic content, limited personalisation, uneven engagement and difficulties in rapidly adapting materials to regulatory or sector-specific changes. “Compliance was too often perceived as a formal obligation rather than a management tool,” says Moreau.
Strengthened understanding and team autonomy
This led Luxgap to implement an integrated solution combining regulatory e-learning with an AI assistant specialised in compliance. The platform guides users towards relevant resources and enables them to quickly identify useful information within the document corpus made available to them, including internal policies, procedures, training materials and FAQs.
“The tool acts as an intelligent knowledge access engine, without replacing legal analysis when it is required,” says Moreau.
In parallel, Luxgap develops video capsules using AI technologies, allowing content to be tailored to the specific needs of each client, their sector and their individual challenges. “This approach increases the relevance of messages, improves ownership of the rules and transforms compliance into an operational, personalised and scalable system.”
Response times reduced from 24 hours to under 5 minutes
In practical terms, the user submits an operational question. The AI identifies the relevant type of processing, structures the response around the fundamental principles of data protection, including purpose, proportionality, security and governance, and delivers a clear and directly actionable recommendation.
“The platform is interconnected with the training modules, making it possible to automatically link to targeted educational content, thereby strengthening understanding and team autonomy.”
The benefits are measurable. Average response times for standardised questions have dropped from 24 hours to under five minutes. Teams spend on average 40 to 50 percent less time handling recurring compliance requests. The initial generation of structuring documents, such as processing registers, impact analysis frameworks and clause templates, has been accelerated by 60 to 70 percent.
Human analysis remains essential
Artificial intelligence therefore enables immediate guidance and effective pre-processing, while the involvement of legal experts downstream ensures a secure and contextualised response without significantly extending timelines.
“It is important to emphasise that the tool does not replace human analysis. All situations, including those identified through the platform, are handled, validated and monitored by our teams. Specific or complex issues are addressed individually, within an appropriate legal framework.”
As for training, completion rates have increased by 35 percent thanks to AI-driven interactivity. The completion rate is defined as the proportion of users who complete an action, such as viewing a video, completing a course or submitting a form, compared with those who started it.
All of this is delivered at a controlled cost of three euros per user per month, making compliance accessible and scalable, including for multi-subsidiary groups.
Continuous legal monitoring
Since Luxgap was founded, the number of platform users has grown steadily, with more than 2,000 registered today, “which confirms its operational relevance,” notes Moreau.
The next steps are part of a strategy focused on regulatory anticipation and continuous security. “The priority is to ensure compliance with new European and international regulations on data protection, cybersecurity and artificial intelligence.”
This ambition relies on ongoing legal monitoring, regular updates of educational and documentary content and the adaptation of platform functionalities to new regulatory requirements. The objective is twofold: to ensure users benefit from a tool that remains constantly aligned with applicable law and to proactively integrate regulatory developments into training pathways and documentary guidance mechanisms.
“This approach allows every legislative change to be transformed into an opportunity for continuous improvement, while maintaining a high level of legal and operational certainty,” concludes Moreau.