For European compliance teams, 2026 means managing two major regulatory frameworks simultaneously. GDPR has been live since 2018, and organizations have built processes, roles, and tooling around it. The EU AI Act introduces a structurally different framework with different logic, different supervisory authorities, and different compliance levers — and it overlaps with GDPR in ways that create both synergies and friction.

This post maps out the key differences, explains where the two regulations intersect, and gives compliance teams and DPOs practical guidance for managing both without duplicating effort or missing obligations.

Fundamental Difference in Regulatory Logic

The starting point for understanding the two regulations is recognizing that they solve different problems with different instruments.

GDPR is about data. It regulates how personal data about individuals is collected, stored, processed, and used. The central question GDPR asks is: what are you doing with people’s data, and does that processing comply with the rights and principles the regulation establishes? GDPR applies based on the subject matter — personal data — regardless of the technology involved.

The EU AI Act is about systems and risk. It regulates AI systems based on what they do and the harm they could cause. The central question is: what decisions or outputs does this AI system produce, and could those outputs cause serious harm to people? The Act applies based on system function and risk level, not based on whether personal data is processed.

This distinction matters practically. An AI system that processes no personal data can still be high-risk under the AI Act (an industrial control system with machine vision, for example). A system that processes vast amounts of personal data may have minimal AI Act obligations if its AI functions are genuinely low-risk. The two frameworks do not map onto each other neatly.

Scope Comparison

Who Is Covered

GDPR applies to any organization established in the EU that processes personal data, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour there (Article 3). A US company with no EU offices or employees must therefore comply with GDPR if it targets EU users with its service or tracks their online activity.

EU AI Act applies to providers (those who develop an AI system, or have it developed, and place it on the market or put it into service under their own name) and deployers (those who use an AI system under their own authority) where the system is placed on the EU market or used in the EU, to providers of general-purpose AI models, and to providers and deployers located outside the EU where the system's output is used in the EU. Like GDPR, it has extraterritorial reach: a US company selling AI-powered software to European businesses must comply.

For most mid-market European companies, both regulations apply. The practical difference is that AI Act obligations attach to specific AI systems, while GDPR obligations attach to specific processing activities.

What Is Covered

GDPR covers any processing of personal data — defined broadly as any information relating to an identified or identifiable natural person. The regulation does not care what technology is used to process that data.

EU AI Act covers AI systems, defined in Article 3(1) as machine-based systems designed to operate with varying levels of autonomy that infer, from the input they receive, how to generate outputs such as predictions, content, recommendations or decisions. Not all software meets that definition, and the obligations scale with risk: a small set of practices is prohibited outright (Article 5), high-risk systems carry the full set of provider and deployer duties, certain systems such as chatbots, emotion-recognition tools and generators of synthetic content carry transparency duties under Article 50, and general-purpose AI models have their own obligations. AI systems outside those categories fall largely outside the Act's substantive requirements.

Compliance Obligations: Where They Differ

Documentation Requirements

Under GDPR, the primary documentation obligation is the Record of Processing Activities (RoPA) required by Article 30: a structured inventory of processing activities with their purposes, legal bases, data categories, recipients, retention periods and international transfers. It is maintained at the organizational level and is compact relative to what the AI Act demands.

Under the EU AI Act, the Annex IV technical documentation that Article 11 requires providers to draw up for each high-risk AI system is a substantially more intensive obligation. A single system's documentation package covers development methodology, training data governance, testing results, human oversight design, and post-market monitoring plans. Note that this is a provider obligation: a deployer does not produce Annex IV documentation but must follow the provider's instructions for use, keep the logs the system generates for at least six months, and document its own monitoring and oversight arrangements. For a detailed breakdown, see our Annex IV documentation checklist.

The practical implication: AI Act documentation is system-level and technical. GDPR documentation is process-level and organizational. Both are required for high-risk AI systems that process personal data — and they are not substitutes for each other.

Impact Assessments

GDPR requires a Data Protection Impact Assessment (DPIA) when processing is likely to result in high risk to individuals — typically when processing is systematic, large-scale, or involves sensitive categories of data. DPIAs focus on data flows, risks to data subjects, and mitigating measures.

EU AI Act requires a Fundamental Rights Impact Assessment (FRIA) under Article 27 for certain deployers of high-risk AI systems: bodies governed by public law, private entities providing public services, and deployers using high-risk systems for creditworthiness assessment or for risk assessment and pricing in life and health insurance. The FRIA is broader than a DPIA: it assesses not just data protection risks but potential impacts on the full range of fundamental rights, including freedom of expression, non-discrimination, and access to justice.

Many organizations processing personal data with high-risk AI systems will need to conduct both. The good news is that the two assessments share significant structural overlap, particularly around bias, discrimination risk, and data governance, and can be conducted as integrated exercises. The Act itself anticipates this: Article 27(4) provides that where a DPIA already satisfies part of the FRIA requirements, the FRIA complements the DPIA rather than repeating it.

Legal Basis for Processing

GDPR requires a legal basis under Article 6 for every processing activity. Common bases include consent, legitimate interest, contract performance, legal obligation, and vital interests; processing of special categories of data additionally needs an Article 9 exemption. High-risk AI systems that process personal data, in training as well as in operation, need a GDPR legal basis for that processing.

The EU AI Act does not use the legal basis concept. It does not grant permission to process data — it governs how AI systems are designed, documented, and operated regardless of the GDPR basis for underlying data processing. The two frameworks operate in parallel, not in sequence.

Rights of Individuals

GDPR grants individuals robust rights over their personal data: access, rectification, erasure, restriction, portability, and objection to automated decision-making.

Article 22 GDPR specifically addresses automated decision-making — giving individuals the right not to be subject to solely automated decisions that produce legal or similarly significant effects, unless specific conditions are met. When high-risk AI systems are involved in consequential decisions, Article 22 is likely engaged.

The EU AI Act addresses individuals mainly through structural obligations: transparency duties (people must be told when they interact with an AI system, and when content is AI-generated, in the situations Article 50 covers) and human oversight requirements (high-risk systems must be designed so that the people overseeing them can understand, monitor and override their outputs). It does create two individual rights, though both are narrower than GDPR's: the right to lodge a complaint with a market surveillance authority (Article 85), and the right to obtain from the deployer a clear explanation of the role an Annex III high-risk system played in an individual decision that produces legal effects or similarly significantly affects the person (Article 86).

The practical implication: a person affected by an AI-driven HR decision can use GDPR to obtain information about the automated processing and, under Article 22(3), to demand human intervention. Under the AI Act they can ask the deployer to explain the system's role in the decision, and the Act requires that the system was built with meaningful human oversight so that the review GDPR promises is actually possible.

Supervisory Authorities: Two Different Enforcement Ecosystems

GDPR Enforcement

GDPR is enforced by the Data Protection Authority (DPA) of each EU member state: the CNIL (France), the Autoriteit Persoonsgegevens (Netherlands), the Irish DPC, and in Germany the federal BfDI together with the DPAs of the Länder, which supervise most private-sector processing. (The UK ICO enforces the UK GDPR, a separate post-Brexit regime, not the EU regulation.) For cross-border processing, the DPA of the member state where the organization has its main establishment acts as Lead Supervisory Authority under the one-stop-shop mechanism, coordinating with the "concerned" DPAs in other member states where data subjects are substantially affected.

AI Act Enforcement

The EU AI Act creates a new enforcement infrastructure. Under Article 70, each member state must designate at least one notifying authority (overseeing conformity assessment bodies) and at least one market surveillance authority responsible for enforcement against providers and deployers. In many countries the market surveillance role is being organized as a new function distinct from the DPA, although some member states give their DPA a role for particular high-risk areas.

At EU level, the AI Office within the European Commission has exclusive supervisory and enforcement powers over providers of general-purpose AI models (Article 75), supports national market surveillance authorities on high-risk systems, and works with the European Artificial Intelligence Board to keep national enforcement consistent.

Critically: a single AI system that processes personal data could be subject to investigation by both a national DPA (under GDPR) and a national market surveillance authority (under the AI Act). These investigations may run in parallel, with different focuses, different information requests, and different outcomes. Organizations should not assume that GDPR compliance protects them from AI Act enforcement.

DPO and Compliance Team Roles

Data Protection Officers are required under GDPR for certain organizations — public authorities, those whose core activities involve large-scale systematic monitoring, or those processing special categories of data at scale. DPOs advise on GDPR obligations and monitor compliance.

The EU AI Act does not create an equivalent mandatory role, but it creates compliance functions that require dedicated ownership: AI system inventory management, risk classification, technical documentation, ongoing monitoring, and incident reporting. Whether these functions sit with the DPO, a new AI compliance officer, or a cross-functional team depends on organizational structure.

For most mid-market companies, the pragmatic answer is to extend the DPO’s remit to cover AI Act obligations where the overlap with data governance is significant, while ensuring that technical documentation and monitoring functions are owned by people with AI system expertise — which is a different skill set from data protection law.

Where the Two Regulations Overlap and Reinforce Each Other

Training Data and Data Minimization

The EU AI Act requires documentation of training data governance, including examination of datasets for bias and representational gaps. GDPR’s data minimization principle requires that personal data used in training is limited to what is necessary. Together, these requirements push toward disciplined data curation — a practice that improves both regulatory compliance and model quality.

Transparency

Both regulations require transparency with individuals about how AI affects them. GDPR's Article 13/14 notices must disclose the existence of automated decision-making, including profiling, of the kind covered by Article 22, together with meaningful information about the logic involved and the envisaged consequences for the individual. The AI Act requires disclosure when people interact with an AI system or are exposed to AI-generated content in the situations Article 50 covers, and requires deployers of high-risk systems to inform workers and affected persons that such a system is in use. For organizations operating high-risk AI, these requirements can be addressed through unified transparency notices that satisfy both frameworks.

Accuracy and Data Quality

GDPR’s accuracy principle requires that personal data is kept accurate and up to date. The AI Act’s requirements for testing and validation of high-risk AI systems extend this concern into model performance — accurate underlying data is necessary but not sufficient; the system built from that data must also perform accurately.

Bias and Non-Discrimination

GDPR’s fairness principle and the EU Charter’s non-discrimination provisions set a floor. The AI Act’s requirements for examining training data for bias and documenting disaggregated performance metrics provide the methodology for demonstrating compliance with that floor.

Managing Both Simultaneously: Practical Guidance

Map your AI systems to both frameworks in a single exercise. When conducting your AI system inventory and risk classification under the AI Act, simultaneously identify which systems process personal data and what GDPR legal bases apply. This avoids duplicating the discovery work.

Integrate your impact assessments. Where both a DPIA and FRIA are required for the same system, conduct them as a single integrated assessment with two outputs. The shared analytical work (data flows, risk identification, mitigation design) needs to happen once.

Align documentation timelines. Both GDPR processing records and Annex IV technical documentation need to be updated when systems change. Establish a single change management trigger that initiates updates to both.

Do not assume your DPA has AI Act authority. National enforcement structures vary. Know which authority will supervise AI Act compliance in your jurisdiction, and monitor their guidance publications independently from DPA guidance.

Use your GDPR compliance infrastructure as a foundation. Data governance practices, privacy by design processes, and DPA relationships built for GDPR are valuable inputs to AI Act compliance — but they are inputs, not equivalents. Build on what you have; do not assume it is sufficient.

For context on AI Act deadlines and what compliance requires before August 2, 2026, see our EU AI Act deadline guide. For guidance on classifying which of your AI systems are high-risk, see our risk classification explainer.


Managing both the EU AI Act and GDPR across your AI systems? The Aikraft Risk Quiz maps your AI systems against AI Act risk categories and flags where GDPR obligations intersect — giving your compliance team a clear view of combined exposure.