EU AI Act vs. GDPR: How They Work Together

Two Regulations, One Compliance Challenge

If you are responsible for AI governance in a European organization, you are likely already familiar with the General Data Protection Regulation (GDPR). Now, with the EU AI Act (Regulation 2024/1689), you face a second major regulatory framework — and the question on every DPO's mind is: how do these two regulations fit together?

The short answer: they are complementary, not competing. The AI Act explicitly states that it is "without prejudice" to GDPR (Article 2(7)). This means both regulations apply simultaneously to AI systems that process personal data. You need to comply with both — but understanding where they overlap can save you significant effort.

Key Differences in Scope and Approach

What They Regulate

GDPR regulates the processing of personal data. Its scope is determined by whether personal data is involved, regardless of the technology used. It applies to any organization processing personal data of EU residents.

The EU AI Act regulates AI systems themselves. Its scope is determined by the nature and risk level of the AI system, regardless of whether personal data is processed. An AI system processing only non-personal data can still be high-risk under the AI Act.

Risk Assessment Approaches

GDPR uses risk as a principle throughout (data protection by design, DPIAs for high-risk processing) but does not define risk categories the way the AI Act does. The obligation to conduct a Data Protection Impact Assessment (DPIA) under Article 35 applies when processing is "likely to result in a high risk to the rights and freedoms of natural persons."

The EU AI Act defines explicit risk categories — prohibited, high-risk, limited, and minimal — with specific, prescriptive obligations for each tier. Risk classification under the AI Act is based on the system's intended purpose and the sector in which it operates, following Articles 5, 6, 7, and Annex III.

Where They Overlap

Data Governance

This is the most significant area of overlap. GDPR's principles of data minimization, purpose limitation, accuracy, and storage limitation (Article 5 GDPR) align closely with the AI Act's data governance requirements for high-risk systems (Article 10 AI Act). Both require:

• Documented data quality measures
• Relevant, representative, and error-free training data
• Appropriate data governance and management practices
• Assessment of potential biases in data

If you have robust GDPR data governance in place, you have a strong foundation for AI Act compliance — but the AI Act adds specific requirements around training, validation, and testing datasets that go beyond GDPR.

Impact Assessments: DPIA vs. FRIA

GDPR requires a Data Protection Impact Assessment (DPIA) for high-risk processing (Article 35 GDPR). The AI Act requires a Fundamental Rights Impact Assessment (FRIA) for deployers of high-risk AI systems (Article 27 AI Act).

These assessments are related but not identical:

• DPIA scope: Focuses on risks to data protection rights — privacy, data security, and the rights of data subjects.
• FRIA scope: Broader — covers fundamental rights including non-discrimination, privacy, freedom of expression, human dignity, access to justice, and other EU Charter rights.

For AI systems that process personal data (which is most of them), you will need both assessments. The good news: there is significant overlap in the data collection and analysis. A well-structured process can conduct both assessments in parallel, reusing information about the system, its purpose, its data processing, and its potential impacts.

Article 27(4) of the AI Act explicitly states that where a DPIA has been carried out under GDPR, the FRIA "shall complement that assessment." This confirms the intent for these assessments to work together, not create duplicate work.

Transparency and Information Rights

Both regulations require transparency, but from different angles:

• GDPR requires informing data subjects about the processing of their personal data, including the existence of automated decision-making (Articles 13(2)(f) and 14(2)(g) GDPR) and meaningful information about the logic involved.
• The AI Act requires transparency about the AI system itself — disclosing that users are interacting with AI (Article 50), and providing deployers with instructions for use (Article 13).

GDPR Article 22 also provides the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. The AI Act's human oversight requirements (Article 14) effectively operationalize this right by requiring meaningful human review capabilities.

Accountability and Documentation

GDPR's accountability principle (Article 5(2)) requires that controllers can demonstrate compliance. Similarly, the AI Act requires comprehensive documentation — Annex IV technical documentation, quality management systems, audit trails, and conformity assessments. Both regulations expect organizations to maintain thorough records that demonstrate compliance upon request by authorities.

Where They Differ

Legal Basis

GDPR requires a legal basis for processing personal data (consent, contract, legitimate interest, etc.). The AI Act has no equivalent concept — it does not require a "legal basis" for deploying an AI system. Instead, it regulates the characteristics and governance of the system itself.

Individual Rights

GDPR grants individuals extensive rights: access, rectification, erasure, portability, restriction, and objection. The AI Act does not create equivalent individual rights. Instead, it protects individuals indirectly through system-level requirements (accuracy, robustness, human oversight) and through the FRIA requirement.

Enforcement Structure

GDPR is enforced by Data Protection Authorities (DPAs) in each Member State. The AI Act will be enforced by newly designated national competent authorities and market surveillance authorities, with the European AI Office coordinating at the EU level. In some Member States, these may be the same body as the DPA; in others, they will be separate.

Practical Guidance: Managing Both Regulations

1. Integrated Governance Framework

Do not build separate compliance programs for GDPR and the AI Act. Instead, create an integrated AI governance framework that addresses both. Your data protection team and your AI governance team should work together — or, ideally, be the same team with expanded responsibilities.

2. Combined Impact Assessments

Where an AI system processes personal data and is classified as high-risk, conduct DPIA and FRIA as a combined process. Start with the DPIA (which you may already be required to do), then extend it to cover the broader fundamental rights analysis required by the FRIA. Our platform's multi-framework risk mapping tool is designed for exactly this purpose.

3. Unified Documentation

GDPR requires Records of Processing Activities (ROPA). The AI Act requires an AI system registry and Annex IV technical documentation. Structure your documentation to serve both purposes — a well-organized AI system registry that includes data processing details can satisfy requirements under both frameworks.

4. Leverage Your GDPR Investment

If your organization has mature GDPR compliance, you have a significant head start on AI Act compliance. Your data governance practices, documentation habits, impact assessment methodology, and accountability culture all transfer directly. The gap is primarily in AI-specific technical requirements (risk management, accuracy, robustness) and the formal classification and conformity assessment process.

5. Watch for Regulatory Guidance

The European Data Protection Board (EDPB) and the European AI Office are expected to issue joint guidance on the relationship between GDPR and the AI Act. This guidance will be particularly important for clarifying how DPIAs and FRIAs should interact, and how enforcement will be coordinated between DPAs and AI Act authorities.

What DPOs Should Do Now

If you are a Data Protection Officer (DPO), you are uniquely positioned to lead your organization's AI Act compliance effort. Here is what we recommend:

• Map your AI systems against both GDPR processing records and AI Act risk categories
• Identify overlap between existing DPIAs and required FRIAs
• Extend your governance framework to include AI Act requirements
• Upskill your team on AI Act specifics — leverage your existing regulatory expertise
• Use integrated tooling that handles both frameworks simultaneously

Our DPO solution is designed specifically for data protection professionals who need to bridge GDPR and AI Act compliance. Start with a free risk assessment to see where your AI systems fall under both frameworks.