This Checklist is designed for use by a buyer undertaking data protection due diligence in the course of acquiring the shares or assets of a business that processes personal data in the context of using, developing or supplying generative artificial intelligence (GenAI) systems. It aims to surface data protection risks and enable a buyer to form a comprehensive view of a target’s risk profile in respect of its GenAI systems, models or tools used for internal operational purposes or provided externally to third parties (Business GenAI Systems).GenAI—a type of artificial intelligence that creates new content, such as text, images, audio, video or code, based on patterns learned from training data—is now widely adopted across industries and national borders. GenAI systems typically rely on substantial volumes of data, including personal data, to train and refine their underlying models. Their development and deployment may therefore give rise to significant compliance challenges under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR) regime, particularly in relation to the principles