Data protection is not new. The GDPR has been shaping how organisations handle personal data in the European Union for years. What has changed is how quickly businesses are adopting artificial intelligence to simplify decisions and automate processes, often using that same data. This brings GDPR and AI into the spotlight. What is the impact of GDPR on artificial intelligence, and how do GDPR and the AI Act align in practice?
Understanding where these frameworks align and where they differ is key to building responsible and compliant AI systems.
What GDPR vs AI Act covers: Scope analysis
GDPR and the AI Act regulate different things, but they often overlap. The former focuses on personal data, while the latter governs the use of Artificial Intelligence systems. The overlap arises when AI systems process personal data. In such cases, GDPR and AI Act apply together, meaning organisations must address both data protection and AI-related risks. Here are the details.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) applies to any organisation that processes personal data of natural persons in the EU, regardless of where the organisation is established.
Its core object is the protection of the fundamental right to data protection. So, if your organisation collects, stores, analyses, or shares data relating to an identified or identifiable person, GDPR applies.
GDPR and AI intersect wherever AI systems process personal data. The regulation is anchored in enforceable individual rights: access, rectification, erasure, objection, and the right to be informed. Every processing activity requires a lawful basis under Art. 6.
Key obligations under GDPR:
- Controllers must implement data protection by design and by default
- Follow data protection principles and have a legal basis for processing
- Personal data breaches must be reported to the supervisory authority within 72 hours of the controller becoming aware of them, where feasible (Art. 33)
- Data subjects must be provided with clear and transparent privacy notices
- Organisations must maintain records of processing activities (Art. 30)
- A Data Protection Officer (DPO) must be appointed by public authorities and where core activities involve large-scale systematic monitoring or large-scale processing of special category data (Art. 37)
- Data transfers outside the EEA are only permitted where adequate safeguards exist, such as Standard Contractual Clauses or an adequacy decision
Non-compliance fines (Art. 83), whichever is higher:
- Up to €20 million, or
- Four percent of global annual turnover
EU Artificial Intelligence Act (AI Act)
The EU AI Act applies to providers, deployers, importers, and distributors of AI systems placed on the market or put into service in the European Union.
Its core object is the protection of fundamental rights, health, and safety from harm caused by Artificial Intelligence.
The regulation classifies AI systems into four risk tiers, with obligations scaling accordingly:
- unacceptable risk (prohibited)
- high-risk
- limited risk, and
- minimal risk
The AI Act applies whether or not the AI system processes personal data, and its aim is to ensure AI systems are safe, transparent, and non-discriminatory. Imagine hiring software that filters candidates: the AI Act is designed to stop it silently introducing bias.
Both regulations have extraterritorial effect, but the triggers differ: GDPR looks at data subjects in the EU; the AI Act looks at AI systems deployed or made available in the EU.
The AI Act does not replace GDPR; both can and do apply simultaneously to the same system.
Key obligations under the EU AI Act include:
- Providers of high-risk AI systems must undergo conformity assessments (Art. 43) and register those systems in the EU database prior to placing them on the market or putting them into service (Art. 49)
- High-risk AI systems must meet requirements on data governance, technical documentation, transparency, human oversight, accuracy, and robustness (Art. 9–15)
- Providers must establish a risk management system that operates on a continuous basis throughout the AI system’s lifecycle (Art. 9)
- Deployers of high-risk AI systems must ensure human oversight measures are implemented during use (Art. 26)
- General-purpose AI (GPAI) model providers must maintain technical documentation and comply with copyright law, with additional obligations for models posing systemic risk (Art. 53–55)
- Prohibited AI practices such as social scoring, subliminal manipulation, and real-time remote biometric identification in publicly accessible spaces (the last subject to narrow law-enforcement exceptions) are banned (Art. 5)
- AI systems interacting with humans must be transparent about their AI nature (Art. 50).
Key differences between GDPR and the AI Act (GDPR vs AI Act)
When comparing GDPR vs EU AI Act, the structural differences are significant. The table below summarises the core distinctions.
| Dimension | GDPR | AI Act |
| --- | --- | --- |
| Primary object | Personal data processing | AI systems |
| Trigger | Any processing of personal data | Placing on the market, putting into service, or using AI systems |
| Risk framework | Based on data sensitivity and processing context | Four-tier AI risk classification |
| Supervisory body | National Data Protection Authorities (DPAs) | National market surveillance authorities; European AI Office for general-purpose AI |
| Key documentation | Records of Processing Activities (RoPA), DPIAs | Technical documentation, conformity assessments, logs |
| Status | Fully applicable since 25 May 2018 | In force since 1 August 2024; obligations phase in from February 2025 to August 2027 |
Primary object: data vs. AI systems
GDPR protects the fundamental right to data protection and privacy. The AI Act protects a broader set of fundamental rights, such as non-discrimination, dignity, and safety, from AI-caused harms. An AI system that makes decisions without processing any personal data still falls under the AI Act.
Risk logic: data sensitivity vs. AI risk tiers
Under GDPR, the level of regulatory obligation scales with the sensitivity of the data and the nature of processing. Under the AI Act, obligations depend on which risk tier the AI system falls into (Art. 6, Annex III). A minimal-risk AI chatbot has few obligations. A high-risk AI system used in employment decisions has extensive ones.
Supervisory authorities and enforcement bodies
GDPR enforcement sits with national Data Protection Authorities (DPAs), with the lead supervisory authority mechanism for cross-border cases (Art. 51, Art. 55, Art. 56). AI Act enforcement sits with the national market surveillance authorities designated by each member state, with the European AI Office overseeing general-purpose AI models (Art. 70, Art. 88). Different bodies may investigate the same organisation under each law simultaneously.
Where GDPR and the AI Act overlap
Significant overlap exists wherever AI systems process personal data. Several core obligations under each framework reinforce each other.
Transparency and explainability obligations
Both GDPR and the AI Act require transparency toward individuals.
GDPR
Under GDPR, transparency is fundamentally about informing individuals of what personal data is being processed and why. Controllers must disclose:
- The categories of personal data collected (e.g., identity data, contact details, location data, behavioural data)
- The specific purposes for which the data is processed, and the lawful basis relied upon for each purpose
- Where processing is based on legitimate interests, what those interests are
- How long the data will be retained
- Who it will be shared with or transferred to (including any third-country recipients)
- Whether it will be used for automated decision-making or profiling
This information must be provided in a concise, intelligible, and easily accessible form at the time the data is collected (Art. 13) or, where the data is obtained from third parties, within a reasonable period (Art. 14).
AI Act
The EU AI Act’s transparency obligations under Art. 50 are system-centric rather than data-centric, focusing on the nature and behaviour of the AI system itself.
- Providers of AI systems designed to interact directly with natural persons, such as chatbots or virtual assistants, must ensure the system discloses that it is an AI, unless this is obvious from the context.
- Providers of systems generating synthetic content, including AI-generated images, audio, video, or text, must ensure outputs are marked in a machine-readable format and detectable as artificially generated or manipulated.
- Deployers of emotion-recognition systems or biometric categorisation systems must inform the persons exposed to them that such a system is in operation.
- Deployers of AI systems that generate or manipulate deep fakes must disclose that the content has been artificially generated or manipulated.
Critically, these AI disclosure obligations apply regardless of whether any personal data is involved: a chatbot that collects no personal data still triggers Art. 50.
Automated decision-making and human oversight
GDPR Article 22 gives data subjects the right not to be subject to solely automated decisions with legal or similarly significant effects, with the right to obtain human intervention on request. The AI Act mandates human oversight as a built-in design requirement for all high-risk AI systems (Art. 14).
Where both GDPR and the AI Act apply, organisations must meet both standards: the data subject’s individual right under GDPR and the systemic design requirement under the AI Act.
Record-keeping and accountability
GDPR mandates Records of Processing Activities (RoPA) under Article 30. The AI Act requires technical documentation (Art. 11), record-keeping (Art. 12), and a quality management system (Art. 17) for high-risk AI systems. Documentation and accountability are central to enforcement under both frameworks.
Data minimisation and purpose limitation align with the AI Act’s requirement that high-risk AI systems use training, validation, and testing data that is relevant, sufficiently representative, and, to the best extent possible, free of errors and complete (Art. 10).
Finally, both frameworks embed accountability: GDPR through Article 5(2); the AI Act through conformity assessments and post-market monitoring obligations (Art. 9, Art. 72).
Impact assessments: DPIAs and FRIAs
One of the most concrete overlaps between the two frameworks involves impact assessments. Both GDPR and the AI Act require structured risk evaluations, but with different scopes and triggers.
GDPR: Article 35 requires a Data Protection Impact Assessment when processing is likely to result in a high risk to the rights and freedoms of individuals. This includes large-scale processing of special category data, systematic monitoring, and automated decision-making that produces legal or significant effects. Organisations unfamiliar with this process can follow a structured approach on how to conduct a GDPR compliance audit.
AI Act: Article 27 requires deployers of high-risk AI systems that are bodies governed by public law or private entities providing public services (and, for the credit-scoring and life and health insurance use cases in Annex III, any deployer) to conduct a Fundamental Rights Impact Assessment (FRIA) before putting the system into use. The FRIA must assess impacts on privacy, non-discrimination, dignity, and other fundamental rights. Its scope goes well beyond the data-focused lens of a DPIA.
Aligning both assessments in practice
Where an AI system processes personal data and qualifies as high-risk, both a DPIA and a FRIA may be required. The AI Act explicitly acknowledges this overlap: Art. 27(4) provides that where an obligation of the FRIA is already met through a DPIA under Art. 35 GDPR, the FRIA complements that DPIA, so the two can be conducted together.
Penalties and enforcement: How they compare
GDPR
GDPR imposes fines of up to 20 million euros or 4% of global annual turnover for the most serious infringements, and up to 10 million euros or 2% for less serious ones (Art. 83). Enforcement is well-established, with DPAs across member states issuing significant penalties since 2018.
AI Act
The AI Act imposes fines (Art. 99) of up to:
- 35 million euros or 7% of global annual turnover for engaging in prohibited AI practices (Art. 5)
- 15 million euros or 3% for non-compliance with most other obligations; and
- 7.5 million euros or 1% for supplying incorrect, incomplete, or misleading information to authorities.
Fines for SMEs and startups are capped at the lower of the percentage-based or fixed-amount thresholds.
Enforcement is phased. Prohibited AI practices apply from 2 February 2025, general-purpose AI obligations from 2 August 2025, and most high-risk AI requirements (Annex III) from 2 August 2026, with high-risk systems that are safety components of products under Annex I following on 2 August 2027. Different authorities may enforce each law, so organisations must manage parallel regulatory oversight.
Can GDPR compliance get you ready for AI Act?
If you are already GDPR-compliant, it’s a great start. Here is what helps, and what to improve:
Leveraging existing GDPR processes
Organisations with mature GDPR compliance already have foundational elements in place: documented processing activities, data minimisation practices, impact assessment procedures, and vendor management frameworks. The key GDPR documents your organisation maintains (RoPA, DPIAs, processor agreements) serve as starting points for AI Act compliance.
What needs to change for the AI Act
GDPR consent mechanisms and privacy notices must be reviewed to ensure they cover the specific transparency disclosures required by the AI Act.
The AI Act introduces obligations that go beyond data protection into product safety, bias testing, and technical robustness. Vendor due diligence processes built for GDPR processor agreements under Article 28 should be extended to assess AI providers’ conformity with the AI Act, including requests for technical documentation (Art. 11) and the EU declaration of conformity (Art. 47).
The evolving role of the DPO in AI governance
DPOs are well-positioned to expand their remit into AI governance. That said, the AI Act’s requirements for conformity assessments, bias monitoring, and post-market surveillance may require dedicated AI governance expertise that supplements the DPO function. Organisations should assess honestly whether additional roles or resources are needed.
How to comply with both GDPR and AI Act?
A structured approach to dual compliance reduces duplication and ensures no obligations fall through the gaps.
- Start by identifying all AI systems in use and classify them under the AI Act risk categories. Cross-check these systems with your GDPR RoPA. Where AI systems process personal data, both GDPR and AI Act apply, so documentation should be aligned and consistent.
- Use a combined approach to impact assessments. A single DPIA can be expanded to cover AI Act requirements by including broader risks such as bias, discrimination, and safety. Avoid duplicating assessments where the same system is in scope.
- Review how data is collected and used. If personal data from cookies or tracking tools is used for AI training, ensure this purpose is clearly covered by your legal basis and privacy disclosures.
- Determine whether your AI systems fall under the high-risk categories (Art. 6, Annex III). If they do, plan for the additional provider or deployer obligations (Art. 9–15, Art. 26, Art. 27) before the applicable deadline.
- Assign clear ownership across teams. Legal, product, and technical functions should work together to manage GDPR and AI Act obligations in a coordinated way.
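The inventory-and-classification steps above are the kind of thing a governance team ends up scripting so the mapping is repeatable. The following is an added worked example for this article, not CookieYes tooling and not an official reading of either regulation: it takes constructed AI-system inventory records, cross-checks them against a constructed list of RoPA identifiers, and derives the GDPR and AI Act obligations each system triggers under the rules described in this article. The record fields, the sample systems and the RoPA identifiers are assumptions made for illustration, and the DPIA trigger logic is a simplification flagged in a comment.

```python
"""Map each entry of an AI-system inventory to the GDPR and AI Act obligations
it triggers, and flag inventory/RoPA mismatches.

Added worked example for this article. It is not CookieYes tooling and not an
official reading of either regulation: the record fields, the sample systems
and the RoPA identifiers are constructed, and the DPIA trigger is a
simplification (see the comment on it). Treat the output as a checklist seed
for legal review, not as a compliance determination.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class AISystem:
    name: str
    role: str                            # "provider" or "deployer"
    tier: str                            # "prohibited" | "high" | "limited" | "minimal"
    processes_personal_data: bool
    ropa_id: str | None                  # matching Art. 30 RoPA record, if one exists
    interacts_with_humans: bool          # chatbot / assistant (Art. 50(1))
    generates_synthetic_content: bool    # image, audio, video or text generation (Art. 50(2))
    solely_automated_decisions: bool     # legal or similarly significant effect (Art. 22 GDPR)
    public_body_or_public_service: bool  # Art. 27 FRIA trigger for deployers
    special_category_data: bool = False


def applicable_obligations(s: AISystem, ropa_ids: set[str]) -> dict[str, list[str]]:
    """Return the obligations and gaps for one inventory entry."""
    gdpr: list[str] = []
    ai_act: list[str] = []
    gaps: list[str] = []

    # --- AI Act: obligations follow the risk tier and the organisation's role ---
    if s.tier == "prohibited":
        ai_act.append("Art. 5: prohibited practice, must not be placed on the market or used")
    elif s.tier == "high":
        if s.role == "provider":
            ai_act += ["Art. 9-15 high-risk requirements",
                       "Art. 17 quality management system",
                       "Art. 43 conformity assessment",
                       "Art. 49 EU database registration"]
        else:
            ai_act.append("Art. 26 deployer duties, incl. applying Art. 14 human oversight measures")
            if s.public_body_or_public_service:
                ai_act.append("Art. 27 FRIA before first use")
    # Art. 50 transparency duties apply regardless of tier and of personal data.
    if s.interacts_with_humans:
        ai_act.append("Art. 50(1) disclose that the user is interacting with an AI system")
    if s.generates_synthetic_content:
        ai_act.append("Art. 50(2) machine-readable marking of generated output")

    # --- GDPR: only engaged when personal data is processed ---
    if s.processes_personal_data:
        gdpr += ["Art. 6 lawful basis", "Art. 13/14 privacy notice", "Art. 30 RoPA entry"]
        if s.ropa_id is None or s.ropa_id not in ropa_ids:
            gaps.append("personal data processed but no matching RoPA record")
        # Simplification (assumption): AI Act high-risk use, solely automated
        # significant decisions and special-category data are treated as DPIA
        # triggers. Art. 35 actually turns on "likely high risk"; confirm
        # against the WP248 criteria and your DPA's list before relying on it.
        if s.tier == "high" or s.solely_automated_decisions or s.special_category_data:
            gdpr.append("Art. 35 DPIA")
        if s.solely_automated_decisions:
            gdpr.append("Art. 22 right to human intervention")
    elif s.ropa_id is not None:
        gaps.append("RoPA record exists but inventory says no personal data is processed")

    if "Art. 35 DPIA" in gdpr and "Art. 27 FRIA before first use" in ai_act:
        gaps.append("run DPIA and FRIA together; Art. 27(4) lets the FRIA complement the DPIA")
    return {"gdpr": gdpr, "ai_act": ai_act, "gaps": gaps}


# Constructed sample inventory and RoPA index (not real records).
ROPA_IDS = {"ROPA-017", "ROPA-042"}
INVENTORY = [
    AISystem("cv-screener", "deployer", "high", True, "ROPA-017",
             interacts_with_humans=False, generates_synthetic_content=False,
             solely_automated_decisions=True, public_body_or_public_service=False),
    AISystem("support-chatbot", "deployer", "limited", False, None,
             interacts_with_humans=True, generates_synthetic_content=False,
             solely_automated_decisions=False, public_body_or_public_service=False),
    AISystem("benefits-triage", "deployer", "high", True, None,
             interacts_with_humans=False, generates_synthetic_content=False,
             solely_automated_decisions=False, public_body_or_public_service=True,
             special_category_data=True),
]


def run(inventory=INVENTORY, ropa_ids=ROPA_IDS) -> dict[str, dict[str, list[str]]]:
    """Evaluate every inventory entry; keyed by system name."""
    return {s.name: applicable_obligations(s, ropa_ids) for s in inventory}


if __name__ == "__main__":
    for name, result in run().items():
        print(name)
        for kind, items in result.items():
            for item in items:
                print(f"  [{kind}] {item}")
```

Running it shows the three patterns the article describes: the private-sector hiring screener picks up Art. 22 and a DPIA but no FRIA; the chatbot that holds no personal data triggers only Art. 50(1) and nothing under GDPR; the public-sector triage tool needs both a DPIA and a FRIA and is flagged for the missing RoPA record.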
FAQs on GDPR and AI Act
What is the difference between GDPR and the EU AI Act?
GDPR regulates the processing of personal data and applies whenever an organisation handles data relating to individuals in the EU. The EU AI Act regulates AI systems by risk level and applies to providers and deployers of AI systems in the EU, regardless of whether personal data is involved. The two laws have different objects, different triggers, and different enforcement bodies, but can apply simultaneously to the same system.
Does the AI Act replace GDPR?
No. The EU AI Act does not replace GDPR. Both regulations apply independently and can apply simultaneously. GDPR continues to govern all personal data processing. The AI Act explicitly states that it is without prejudice to GDPR (Art. 2(7)).
Where do GDPR and the AI Act overlap?
The two regulations overlap significantly where AI systems process personal data. Both require transparency toward individuals, impose documentation and accountability obligations, and address automated decision-making. DPIAs under GDPR and FRIAs under the AI Act may both be required for the same high-risk AI system.
What counts as a high-risk AI system?
High-risk AI systems are defined in Article 6 and Annex III of the AI Act. They include AI systems used in biometrics, critical infrastructure, education, employment, essential private and public services, law enforcement, migration and border control, the administration of justice, and democratic processes.
AI systems that are safety components of products regulated under existing EU sector laws (Annex I) are also classified as high-risk.
Does GDPR compliance mean AI Act compliance?
No. GDPR compliance provides a useful foundation in areas such as documentation, transparency, and impact assessments, but it does not satisfy AI Act obligations. The AI Act introduces requirements beyond data protection, including technical robustness testing, bias monitoring, conformity assessments, and product safety standards. Organisations must assess obligations under each regulation separately.

