(For organizations with 0–50 people evaluating AI tools under the EU AI Act. Supplementary for UK GDPR/DUAA 2025 compliance)
This Responsible Supplier Assessment (RSA) is designed for small, mission-driven organizations evaluating AI tools before adoption, primarily to comply with EU AI Act requirements for deployers of high-risk AI systems. Use it to ask critical questions about data, transparency, equity, and risk. This is not intended to document your decision-making process.
Note: The RSA is an EU AI Act requirement for high-risk AI deployments. The UK does not have a standalone RSA requirement (but follow UK GDPR accountability principles). The EU AI Act entered into force in August 2024 with staged compliance deadlines through 2026–2027; the UK uses a sector-based AI regime (not a single AI Act) under UK GDPR and DUAA 2025.
Part 1: Basic Identification
- What is the tool and what does it do?
- What specific feature or function is being proposed for use?
- What business need does it serve, and is there an approved tool that could meet the same need?
Part 2: Data
- What data would be entered into this tool?
- Does that data include personal information about any individual?
- Does it include special category data, confidential partner information, or client/community content?
- Where is data stored, and in which country or jurisdiction?
- Does the tool use inputs to train its models? Can this be disabled?
- What is the tool’s data retention policy?
Part 3: Transparency and Control
- Can we export or delete our data from this tool?
- Is the provider able to explain, in plain language, how the AI makes decisions or generates outputs?
- Does the provider have a published privacy policy and terms of service?
- Has the provider demonstrated GDPR compliance (EU/UK), or do they operate under an equivalent framework? Do they comply with EU AI Act transparency requirements if they offer high-risk AI systems?
Part 4: Equity and Values
- Could this tool produce outputs that stereotype, misrepresent, or exclude the communities we serve?
- Has it been tested with diverse populations, including non-native English speakers?
- Does its use align with intersectional principles and our commitment to equity?
Part 5: Risk and Sign-Off
- Based on the AI Inventory & Classification section, what risk level does this tool carry?
- If limited or higher risk: has the designated lead reviewed and approved?
- If the tool involves automated decision-making about individuals: has a DPIA been completed?
Note: Sources and References listed separately.
Disclaimer: This is not a substitute for legal advice tailored to your specific operations. You are solely responsible for consulting qualified legal counsel, verifying current regulatory requirements (including whether an RSA is required for your AI use case under the EU AI Act), and ensuring full compliance with all applicable laws in your jurisdiction.