EU AI Act vs GDPR: How They Overlap, Where They Don't, and What This Means for Your Business
GDPR compliance doesn't make you EU AI Act compliant. Here's how the two regulations interact, where they overlap, and the specific gaps you need to close before August 2, 2026.
A few weeks ago I had a call with the founder of a fintech startup based in Frankfurt. He'd seen the launch posts about the AI Act and wanted to know whether his company needed to do anything. His position, summarized: "We've been GDPR compliant for years. We know how to handle data, we have a DPO, we run DPIAs. The AI Act is basically GDPR for AI, right?"
It's not. The two regulations cover different things, ask for different documentation, and create different obligations. Yes, they overlap in places. No, GDPR compliance does not make you AI Act compliant.
This guide walks through exactly how the two regulations relate. Where they overlap. Where they don't. And the specific work you need to do for AI Act compliance that GDPR alone doesn't cover.
If you've been operating under the assumption that your GDPR posture has you covered, the next ten minutes will tell you what you're missing.
What each regulation actually covers
Start with the basics, because the founders who confuse them usually don't have a clear mental model of either.
GDPR (General Data Protection Regulation)
In force since 2018. Covers the processing of personal data of individuals in the EU. Its core questions are about:
- What personal data are you collecting?
- What's your lawful basis for processing it?
- How are you protecting it?
- What rights do individuals have over their data?
- How do you respond to data subject requests?
- What happens if there's a breach?
GDPR cares about the data and how you handle it. It's data-centric.
EU AI Act
In force as of August 2024 with full enforcement on August 2, 2026. Covers the development, deployment, and use of AI systems in the EU. Its core questions are about:
- What does your AI system do?
- What category of risk does it create?
- What controls do you have in place over the system itself?
- How do you ensure it's accurate, robust, and fair?
- How do humans oversee its operation?
- How do you monitor it after deployment?
The AI Act cares about the AI system as a system. Its data handling, its design, its operation, its outputs. It's system-centric.
Same domain (technology affecting people), different focus (data vs system).
Where they overlap
There are real areas of overlap where work for one regulation contributes to the other. These are worth understanding so you don't duplicate effort.
Personal data processing
If your AI system processes personal data, both regulations apply. GDPR governs the data handling. The AI Act governs the system that does the processing. You need to satisfy both.
This is where most AI-using companies live. Recruitment AI, credit scoring AI, content moderation AI, recommendation engines. They all process personal data. They're all governed by both regulations simultaneously.
Lawful basis requirements
GDPR requires a lawful basis for processing personal data (consent, legitimate interest, contract, legal obligation, vital interest, public task). The AI Act doesn't override this. If your AI processes personal data, you still need a GDPR-valid lawful basis.
The AI Act adds requirements around how you justify and document AI-specific uses (Article 10 data governance, Article 12 record-keeping), but it builds on GDPR foundations.
Data subject rights
GDPR gives individuals rights: access, rectification, erasure, portability, objection, restriction. These continue to apply to data processed by AI systems. The AI Act adds specific rights for affected individuals under Article 26 (information about AI-assisted decisions, right to human review for high-risk systems), but the underlying data rights from GDPR remain in force.
Automated decision-making
GDPR Article 22 limits automated decision-making with legal or similarly significant effects, requiring meaningful human involvement, transparency, and the right to contest. The AI Act's high-risk obligations (especially Article 14 human oversight and Article 26 information to affected persons) extend and operationalize this, but Article 22 is still the underlying foundation.
If you're doing automated decision-making, both apply.
Documentation and accountability
GDPR's accountability principle requires you to demonstrate compliance through documentation. The AI Act's documentation requirements (especially Article 11 technical documentation) are essentially the AI-specific version of this. You're not doing different documentation. You're doing more documentation that includes the AI-specific elements.
DPIA and risk management
GDPR requires Data Protection Impact Assessments for high-risk processing. The AI Act requires a Risk Management Plan under Article 9 for high-risk AI systems. These overlap significantly. A well-done DPIA covers most of what the AI Act risk management plan asks for, but not all.
Privacy by design
GDPR Article 25 requires data protection by design and default. The AI Act requires similar principles built into the AI system's architecture (data minimization in Article 10, technical robustness in Article 15). The mindset and approach overlap, but the AI Act adds requirements specific to AI risks.
Where they diverge
This is the more important section. The areas where the AI Act asks for things GDPR doesn't.
System-level documentation
GDPR requires you to document data flows, processing activities, lawful bases. The AI Act's Article 11 technical documentation is much more extensive and AI-specific:
- Detailed system architecture
- Training methodology
- Performance metrics, including across demographic groups
- Known limitations
- Validation procedures
- Cybersecurity measures
- Post-market monitoring plan
A GDPR record of processing activities (ROPA) doesn't satisfy this. The AI Act wants something fundamentally different: a technical document about the system itself, not just about how data flows through it.
Bias testing and fairness
GDPR has principles like fairness and accuracy, but doesn't prescriptively require demographic bias testing. The AI Act does. Article 10 explicitly requires:
- Bias detection in training, validation, and testing data
- Measures to identify and mitigate possible biases
- Procedures for handling under-representation in datasets
- Documentation showing this was done
This is new compliance work for most companies. GDPR didn't require you to test your AI for racial, gender, or age bias across demographic groups. The AI Act does.
Post-market monitoring
GDPR has breach notification (Article 33) but doesn't require ongoing performance monitoring of the systems that process data. The AI Act's Article 72 explicitly requires post-market monitoring:
- Ongoing performance tracking after deployment
- Collection of real-world performance data
- Systematic review of unexpected outcomes
- Triggering re-assessment when performance drifts
This is operational compliance work that GDPR doesn't address. You can be perfectly GDPR-compliant and have no post-market monitoring infrastructure. The AI Act requires you to build it.
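A minimal illustration of what the monitoring described above (and the disaggregated bias checks under Article 10 earlier in this guide) looks like in practice. This is an added example, not code from the original article or from any regulator: it assumes you log each AI decision with a reporting window, the demographic group used for disaggregated metrics, the prediction, and the ground truth observed later, and the sample outcomes are constructed for the demonstration.

```python
"""Post-market monitoring sketch: per-window, per-group accuracy with drift and gap alerts.

Added example. Assumes a log of deployed-system outcomes with the four fields
in Outcome below; the thresholds and the sample data are constructed, not taken
from any regulation or real system.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    window: str     # reporting period the decision fell in, e.g. "2026-W31"
    group: str      # demographic group label used for disaggregated metrics
    predicted: int  # model decision (1 = positive outcome, 0 = negative)
    actual: int     # ground truth collected after the decision was made


def _make(window: str, group: str, correct: int, total: int) -> list[Outcome]:
    """Build `total` constructed outcomes, of which `correct` match the prediction."""
    return [Outcome(window, group, 1, 1 if i < correct else 0) for i in range(total)]


# Constructed sample: a baseline window where both groups score equally, and a
# later window where accuracy for group B has silently degraded.
SAMPLE_OUTCOMES = (
    _make("2026-W31", "A", 9, 10)
    + _make("2026-W31", "B", 9, 10)
    + _make("2026-W35", "A", 9, 10)
    + _make("2026-W35", "B", 6, 10)
)


def accuracy_by_window_and_group(outcomes: list[Outcome]) -> dict[tuple[str, str], float]:
    """Accuracy keyed by (window, group); this is the real-world performance record."""
    counts: dict[tuple[str, str], list[int]] = defaultdict(lambda: [0, 0])
    for o in outcomes:
        c = counts[(o.window, o.group)]
        c[0] += int(o.predicted == o.actual)
        c[1] += 1
    return {key: correct / total for key, (correct, total) in counts.items()}


def find_drift(metrics, baseline_window: str, threshold: float):
    """Windows/groups whose accuracy fell more than `threshold` below the baseline window."""
    alerts = []
    for (window, group), acc in sorted(metrics.items()):
        if window == baseline_window:
            continue
        base = metrics.get((baseline_window, group))
        if base is None:
            # No baseline for this group: it was under-represented at validation time,
            # which is itself something Article 10 procedures should surface.
            continue
        if base - acc > threshold:
            alerts.append((window, group, base, acc))
    return alerts


def find_group_gap(metrics, window: str, max_gap: float):
    """Best/worst group and their accuracy gap in `window` if it exceeds `max_gap`, else None."""
    accs = {g: a for (w, g), a in metrics.items() if w == window}
    if len(accs) < 2:
        return None
    best = max(accs, key=accs.get)
    worst = min(accs, key=accs.get)
    gap = accs[best] - accs[worst]
    return (best, worst, gap) if gap > max_gap else None


def monitoring_report(outcomes, baseline_window: str, drift_threshold: float, gap_threshold: float):
    """Summarise drift and fairness-gap findings and decide whether re-assessment is triggered."""
    metrics = accuracy_by_window_and_group(outcomes)
    drift = find_drift(metrics, baseline_window, drift_threshold)
    windows = sorted({w for (w, _) in metrics})
    gaps = {w: g for w in windows if (g := find_group_gap(metrics, w, gap_threshold)) is not None}
    return {
        "metrics": metrics,
        "drift": drift,
        "group_gaps": gaps,
        "needs_reassessment": bool(drift or gaps),
    }


if __name__ == "__main__":
    report = monitoring_report(SAMPLE_OUTCOMES, "2026-W31", drift_threshold=0.1, gap_threshold=0.1)
    for window, group, base, acc in report["drift"]:
        print(f"drift: {window} group {group} accuracy {acc:.2f} vs baseline {base:.2f}")
    for window, (best, worst, gap) in report["group_gaps"].items():
        print(f"gap: {window} {best} vs {worst} differ by {gap:.2f}")
    print("re-assessment triggered:", report["needs_reassessment"])
```

The design point is that the same disaggregated metric serves both obligations: computed on validation data before deployment it is a bias test, computed on logged outcomes after deployment it is post-market monitoring, and the re-assessment trigger is simply a documented threshold on that metric rather than an ad hoc judgement.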
Human oversight
GDPR Article 22 addresses automated decision-making and requires human involvement in significant decisions, but the AI Act's Article 14 goes further:
- Specific design requirements that enable meaningful human oversight
- Specific training requirements for the humans doing oversight
- Specific authority to intervene, override, and disable
- Specific monitoring of whether oversight is actually meaningful
GDPR says "involve humans in significant automated decisions." The AI Act says "design the entire system to support meaningful human oversight, train the humans, give them the tools to actually intervene, and verify it's working."
Technical robustness and cybersecurity
GDPR Article 32 requires appropriate technical and organizational measures for security. The AI Act's Article 15 is more specific to AI risks:
- Accuracy consistency over time
- Robustness to errors, faults, and inconsistencies
- Resilience against adversarial attacks (data poisoning, model evasion, model stealing)
- Specific cybersecurity measures designed for AI systems
A GDPR-compliant security posture doesn't automatically cover AI-specific threats like adversarial examples or training data poisoning. The AI Act requires you to address these.
EU database registration
GDPR doesn't require you to register your systems in a central EU database. The AI Act does for high-risk systems under Article 49. This is a new requirement that doesn't map to anything in GDPR.
Conformity assessment
For high-risk AI systems, the AI Act requires a conformity assessment before market deployment. This is a procedure to verify the system meets requirements before placing it on the market. GDPR has nothing comparable.
For most systems, the conformity assessment is internal (self-assessment). For some categories (biometric identification, critical infrastructure), it requires assessment by a third-party body.
CE marking
High-risk AI systems must carry a CE mark indicating conformity. This is a product marking concept that doesn't exist in GDPR.
General-purpose AI provisions
If you're providing or using a general-purpose AI model (GPT, Claude, Llama, Gemini), the AI Act's Articles 51-55 create specific obligations. GDPR has nothing comparable for foundation models specifically.
The fines comparison
Both regulations have serious fines, but they're structured differently and the AI Act fines are generally higher.
GDPR fines:
- Up to €20M or 4% of global annual turnover (whichever higher)
- Two tiers: less severe violations capped at €10M or 2%, more severe at €20M or 4%
EU AI Act fines:
- Up to €35M or 7% of global annual turnover for prohibited practices and data governance violations
- Up to €15M or 3% for general non-compliance
- Up to €7.5M or 1% for incorrect or misleading information to authorities
The AI Act top fine is significantly higher than GDPR's. The €35M / 7% cap applies specifically to prohibited practices (Article 5) and certain governance failures. Most violations sit at the €15M / 3% level.
In practice, regulators have shown willingness to impose substantial GDPR fines. We don't yet have AI Act enforcement history but the framework is designed to be at least as aggressive.
What this means concretely for your business
The practical implications fall into three categories, depending on where you sit today.
If you're fully GDPR-compliant with mature processes
Good news: a lot of foundational work is done. Your data governance, lawful basis documentation, security posture, and DPIA practices give you a head start.
What you still need to do for AI Act compliance:
- Add system-level technical documentation (Article 11)
- Add bias testing procedures and documentation (Article 10)
- Add post-market monitoring infrastructure (Article 72)
- Add human oversight design and training (Article 14)
- Add specific cybersecurity measures for AI threats (Article 15)
- Register high-risk systems in the EU database (Article 49)
- Conduct conformity assessments before deployment
Realistic time investment: 60-100 hours of work spread across compliance, product, and engineering teams. Less if you're a small team with simple systems.
If you're partially GDPR-compliant
Most companies. You have a privacy policy, some lawful basis documentation, basic data subject request handling, but governance isn't deeply embedded.
For you, AI Act compliance is going to surface gaps in your GDPR posture too. You'll find that to do the AI Act work properly, you need to firm up GDPR foundations first. Plan for this. It's not double work, but it's serial work.
Realistic time investment: 120-200 hours of work, potentially including some GDPR remediation along the way.
If you've been ignoring GDPR or treating it as box-ticking
A significant chunk of European SMEs sit here. GDPR is "we have a privacy policy on our site" and not much else.
The AI Act will force a reckoning. You can't do AI Act compliance properly while ignoring GDPR foundations. You'll need to do both, more or less in parallel.
This sounds intimidating but it's actually an opportunity. You can build clean, well-documented compliance from the ground up rather than retrofitting onto an inadequate base. Companies in this position who handle it well end up with stronger overall data and AI governance than companies who built their GDPR compliance piecemeal over years.
Realistic time investment: 200-400 hours over 3-4 months. Substantial but bounded.
The overlap math: how much GDPR work counts toward AI Act
Roughly, here's how the documentation overlaps:
| AI Act requirement | GDPR contribution | Net new work |
|---|---|---|
| Risk Management Plan (Art. 9) | ~50% (DPIA) | Add AI-specific risks, bias considerations |
| Data Governance (Art. 10) | ~40% (data inventory) | Add bias testing, AI training data documentation |
| Technical Documentation (Art. 11) | ~10% | Mostly net new |
| Record-keeping (Art. 12) | ~30% (audit logs) | Add AI-specific logging |
| Transparency (Art. 13) | ~20% | Add AI-specific user-facing info |
| Human Oversight (Art. 14) | ~20% (Art. 22) | Add design and training requirements |
| Accuracy/Robustness (Art. 15) | ~30% (security) | Add AI-specific threat models |
| Post-market Monitoring (Art. 72) | ~10% | Mostly net new |
| Information to Affected Persons (Art. 26) | ~40% (data subject rights) | Add AI-specific decision info |
On average, a strong GDPR posture gives you maybe 25-30% of the work toward AI Act compliance done. The rest is genuinely new work.
The strategic angle: do them together, not separately
If you're starting AI Act compliance now, do it in a way that strengthens your GDPR posture at the same time. The opposite is also true: if you're upgrading your GDPR posture (due to new business activities, audits, or growth), think about AI Act requirements at the same time.
Doing them together has real efficiency gains:
- Shared documentation infrastructure
- Shared risk assessment methodology
- Shared monitoring and audit processes
- Shared employee training
- Shared customer-facing transparency materials
A company that handles both regulations as a unified compliance posture spends roughly 60-70% of what it would cost to handle them separately. The mental model is "data and AI governance", not "GDPR" and "AI Act" as separate work streams.
What to do this week
If you're realizing your GDPR compliance doesn't carry you on the AI Act, here's a sensible path:
- Inventory your AI systems. You probably have more than you think.
- Classify each one. Most that touch personal data and affect individuals will be high-risk.
- Map what your existing GDPR documentation covers and what gaps remain.
- Build a unified compliance plan that addresses both, prioritized by what's due first.
The AI Act has the closer deadline (August 2, 2026), so AI-specific work that's not already covered by GDPR gets priority.
The companies that handle this well in 2026 will end up with stronger overall compliance postures than they had before. The regulatory environment is increasingly demanding sophisticated data and AI governance. The companies that build it properly now have a real competitive advantage in regulated markets going forward.
Common questions
Do I need a DPO for AI Act compliance? The AI Act doesn't introduce a DPO requirement. GDPR's DPO requirements (based on processing activities) continue to apply. You may also need to designate specific compliance roles for the AI Act, but it's not the same as a DPO.
Does the AI Act override GDPR? No. Both apply. The AI Act builds on GDPR's foundations and adds AI-specific requirements. Where they say similar things, you need to satisfy the stricter standard.
What about DPIAs for AI systems? You still need a DPIA under GDPR if your AI processes personal data in ways that pose high risks to individuals. The AI Act adds a separate Risk Management Plan requirement. There's overlap but they're not the same document. Best practice is to do them together, recognizing both regulatory frameworks.
Does my data residency strategy under GDPR affect AI Act compliance? Not directly. The AI Act doesn't have specific data residency requirements. Your training data, model deployment, and inference can be located wherever it's legally permissible under GDPR. The AI Act is more concerned with what the AI does than where its data sits.
Are there sector-specific overlaps? Yes. For financial services, the AI Act overlaps with DORA, the Digital Operational Resilience Act, and various banking regulations. For healthcare, with the MDR and IVDR. Each sector creates its own multi-regulation compliance puzzle. Plan accordingly.
Can I use my GDPR consent flows for AI Act transparency? Partially. AI Act Article 50 transparency for limited-risk systems requires informing users they're interacting with AI. This is different from GDPR consent for data processing. You may need to update consent flows to cover both.