- Companies can build on privacy, data governance
- Salesforce, Intuit, Booking.com, Verisk stress collaboration
The EU’s sweeping AI Act went into effect earlier this year, with some of the law’s most important provisions still on the horizon.
Corporate leaders shared best practices for setting up teams and procedures to prepare for the EU AI Act, and discussed how a good privacy and data governance program is the most useful foundation for complying with the new law. Their email responses to Bloomberg Law’s questions were edited for clarity.
Kathlyn Card Beckles, chief legal officer at Verisk
Adding Value
“One strategy Verisk employs is a partnership with our business teams and functional areas to understand their operations, help proactively guide them as they consider potential AI use cases, and provide educational AI resources to support them. Any time in-house counsel can provide practical and educational value within the organization, it serves to raise its sophistication and compliance readiness, as well as support alignment with emerging legal obligations, such as the EU AI Act’s literacy requirements.”
Partnering With Business Teams
“As a multinational organization, we find that focusing on longstanding global, responsible, and ethical data processing principles lends itself to complying with emerging laws in any specific jurisdiction, including the EU AI Act.
For example—the EU AI Act’s key transparency, fairness, and other provisions are consistent with our holistic data processing, privacy, and information security policies and practices, and are reflected in our Ethical AI Principles. Starting with a global responsible data processing baseline can help in-house counsel establish a delta for requirements of new legislation, including specific processing scenarios addressed by the EU AI Act.”
Lindsey Finch, EVP, global privacy, product, AI and cybersecurity legal at Salesforce
First Steps
“For in-house counsel just starting to navigate the EU AI Act, a great first step is building on your company’s existing General Data Protection Regulation program. Since GDPR already provides a solid framework for data regulation—a key part of AI governance—it’s a natural foundation.
Leveraging existing GDPR processes where they align can help streamline compliance efforts and create a more cohesive approach to AI regulation, making it easier for the business to adapt efficiently.”
Collaboration
“One key best practice we’ve developed is embracing a shared responsibility model between service providers and customers. Providers need to meet their own compliance obligations while also offering tools that help customers stay compliant. At the same time, customers need to actively use these tools as part of their own compliance programs. Collaboration is key to building AI systems that are both powerful and trustworthy.”
Gaining Customer Confidence
“Customers are eager to explore the potential of agentic AI, but they also want to ensure it’s built on a foundation of trust, risk management, and ethical use—especially when it comes to compliance with evolving regulations like the EU AI Act. They want confidence in the actions AI agents take, the accuracy of the information they provide, and control over how their data is used.”
Maria Rocha Barros, SVP and chief legal and public affairs officer at Booking.com
Best Practices
“I recommend any company starting to think about AI literacy take a look at the EU’s Living Repository report to get ideas or identify companies to share best practices with.”
“For someone who is just starting the journey as in-house counsel, the first step is to business-partner with your strategy team, business unit leaders and/or engineering & tech to understand the current thinking and plans they have in the AI space. Understand what potential vendors or partnerships are being considered by the various areas of the business, especially in HR, AI tools to roll out to employees, AI features for customers, etc. The situation in your company today might be very different from the situation in the mid to long term, so it is an opportunity for the in-house team to stay ahead and integrate the legal analysis into the company’s strategy and direction. One example: what are the trade-offs coming from compliance cost and complexity of implementation versus the benefits being pursued?”
Remaining Agile
“By agile, I mean we need to work hand-in-hand with our technology experts to bolster compliance via innovative and effective methods. Some examples of what we have been working on:
- Adding new features and capabilities to our homegrown AI registry, such as the ability to detect, classify and tag which AI Act risk category the use case falls within.
- Enabling auto-notification of that tagging and use case to land with our AI legal counsel for triaged review (against a tiered scoring process from 1 to 5 which helps our teams prioritize).
- Generating recommendations back to the business user as to what AI Act (or other) compliance steps to follow, by when and how.
- Recording and logging these events, and enabling “show me this/print me this” functionality for use in reporting and audits.
- More recently (at a very early stage), seeing how we can apply GenAI to improve this registry and process (such as using LLMs to summarize technical content into understandable hard facts for legal review).
We have also set up new structures to oversee our AI compliance work, including governance mechanisms and accountable AI Stewards in each business unit.”
Elise Houlik, chief privacy officer at Intuit
Strong Data Governance
“At Intuit, we acknowledged early on that having a common language and set of guiding principles was essential to galvanizing our teams around the use of AI.”
“We use them to guide how we operate and scale our AI-driven expert platform responsibly and in compliance with applicable regulations like the EU AI Act and others enacted around the world.”
Cross-Team Effort
“To address application of the principles, we formed a multidisciplinary team to drive enterprise-wide governance practices that address existing and emerging legal requirements, and take into account industry standards and best practices, which enabled us to be in a strong position to be among the first companies to sign the EU AI Pact in September of last year.”
Open Communication
“Keep in mind that responsible data handling practices go hand-in-hand with responsible use of AI. Strong data governance can help address application of not only the EU AI Act but also the laws yet to come in this space. Take some time to work with your teams to deeply understand how data is used, shared, and maintained within your organization. Keep the lines of communication open with the product and tech teams that want to use that data and AI so that you can have an informed view of when and how there is a regulatory impact to your work.”