A surprising number of AI products ship without a Data Protection Impact Assessment (DPIA) or a Data Processing Agreement (DPA), often because legal counsel sees them as optional.
Treat them as engineering artifacts and they become extraordinarily useful: they force explicit data flow diagrams, retention contracts, and incident playbooks before code lands in production.
Here is the lightweight template we use with clients to make both documents pull their weight.