AI Act vs. GDPR: What's Different About AI Compliance?
How the AI Act and GDPR interact, where they overlap on automated decisions, and what organisations already GDPR-compliant need to do differently.
If your organisation is already GDPR-compliant, you might reasonably ask: how much of the AI Act is genuinely new ground, and how much is territory we have already covered?
It is a fair question. Both regulations deal with technology, data, and the rights of individuals. There are real overlaps, particularly around automated decision-making. But the AI Act is not an extension of GDPR. It is a fundamentally different type of regulation — product safety law rather than data protection law — and it creates obligations that GDPR compliance does not satisfy.
Understanding exactly where these two frameworks converge, where they diverge, and where they create compounding obligations is essential for any compliance, legal, or L&D team planning for August 2026.
Two Regulations, Two Different Logics
The simplest way to understand the difference is to look at what each regulation is trying to protect.
GDPR protects personal data. Its logic centres on the processing of information about identifiable individuals — how that data is collected, stored, used, shared, and deleted. Every obligation in GDPR flows from the relationship between a data controller, a data processor, and the data subject. The regulation is technology-neutral by design. It does not care whether you process data with a spreadsheet or a neural network. It cares about what you do with personal data.
The AI Act protects people from harmful AI systems. Its logic centres on the AI system itself — how it is designed, tested, deployed, monitored, and governed. The regulation is technology-specific by design. It applies to AI systems regardless of whether they process personal data. An AI system that classifies industrial components on a manufacturing line and never touches personal data is still within scope if it meets the definition in Article 3.
This distinction matters because it means the two regulations operate on different axes. GDPR asks: what are you doing with people's data? The AI Act asks: what is your AI system doing, and could it cause harm?
An organisation can be fully GDPR-compliant and entirely non-compliant with the AI Act. The reverse is also true, though less likely in practice since most AI systems that interact with people will involve personal data at some point.
Where They Overlap: Automated Decision-Making
The clearest point of convergence is automated decision-making.
GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing — including profiling — that produce legal or similarly significant effects. Where such decisions are made, the data controller must provide meaningful information about the logic involved, the significance of the processing, and the envisaged consequences.
The AI Act goes further. For high-risk AI systems — which include many automated decision-making tools used in employment, credit, insurance, and access to essential services — it imposes requirements on the system itself: risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, and cybersecurity.
Here is the practical difference. Under GDPR, if you use an AI-powered recruitment screening tool, you need to:
- Have a lawful basis for processing candidates' personal data
- Inform candidates that automated decision-making is involved
- Provide meaningful information about the logic used
- Offer the right to human review of the decision
- Conduct a Data Protection Impact Assessment (DPIA) if the processing is high-risk
Under the AI Act, the same tool also requires:
- A conformity assessment before the system is placed on the market or put into service
- A risk management system that operates throughout the AI system's lifecycle
- Data governance measures ensuring training data is relevant, representative, and free from errors
- Technical documentation covering the system's intended purpose, accuracy levels, and known limitations
- Transparency obligations so deployers understand what the system does and how to use it properly
- Human oversight measures designed to minimise risks — not just the right to request human review, but proactive measures built into the system's operation
- Ongoing monitoring for accuracy, robustness, and cybersecurity throughout the system's use
The AI Act obligations apply to the system, not just the data processing. This is a layer of compliance that GDPR does not address.
Where the AI Act Goes Further: Risk Classification
GDPR does not classify technologies by risk level. It classifies processing activities — a DPIA is required when processing is "likely to result in a high risk to the rights and freedoms of natural persons," but this is assessed case by case.
The AI Act introduces a fixed classification framework. Certain uses of AI are categorised as high-risk by default, listed explicitly in Annex III:
- AI in recruitment, promotion, task allocation, and monitoring of workers
- AI in credit scoring and creditworthiness assessment
- AI in insurance risk assessment and pricing
- AI used to evaluate access to essential public and private services
- AI in education for scoring, admissions, or monitoring
- AI in law enforcement, migration management, and justice administration
If your organisation deploys AI in any of these areas, the system is high-risk regardless of your own assessment. There is no equivalent mechanism in GDPR — no annex that says "these processing activities are always high-risk." Under GDPR, you assess risk. Under the AI Act, for certain use cases, risk is assigned.
This has practical consequences for compliance teams. You cannot argue that your recruitment AI poses minimal risk because you have good data governance practices. If it falls within Annex III, it is high-risk, and the full set of high-risk obligations applies.
Where the AI Act Goes Further: Literacy Requirements
GDPR does not contain an explicit training or literacy requirement. Article 39 mentions that the Data Protection Officer should be involved in "awareness-raising and training of staff involved in processing operations," but this is an obligation on the DPO role, not a direct obligation on the organisation to ensure a defined level of literacy across its workforce.
The AI Act's Article 4 is different. It creates a direct obligation on providers and deployers to ensure that their staff and other persons dealing with AI systems on their behalf have "a sufficient level of AI literacy." This obligation takes into account the technical knowledge, experience, education, and training of those persons, the context in which the AI systems are used, and the persons or groups on whom the systems will be used.
This is not a suggestion. It is a legal requirement with its own compliance timeline — August 2026 — and it applies broadly. Every organisation that deploys AI systems needs to demonstrate that the people who use those systems understand them well enough to use them appropriately.
For L&D teams, this is the most significant new obligation the AI Act creates relative to GDPR. It means that AI literacy training is not a nice-to-have or a corporate development initiative. It is a regulatory requirement, and it needs to be evidenced.
Our deep dive on AI Act Article 4 employee training requirements covers exactly what "sufficient AI literacy" means in practice and how to build training programmes that satisfy the obligation.
Practical Implications for GDPR-Compliant Organisations
If your organisation has mature GDPR compliance, you have a head start — but it is a head start, not a finish line. Here is what you can carry across and where you need to build new capabilities.
What transfers well:
- Data governance practices. The AI Act requires data governance for high-risk systems, and your existing GDPR data governance framework provides a strong foundation. Data quality, minimisation, and bias assessment are areas where GDPR experience is directly relevant.
- Impact assessment methodology. If your team is experienced in running DPIAs, the methodology translates well to AI Act conformity assessments and risk management, even though the specific requirements differ.
- Documentation culture. GDPR compliance demands thorough documentation. The AI Act demands even more. But organisations that already document their processing activities, legal bases, and risk assessments are culturally better prepared than those starting from scratch.
- Rights-based thinking. Understanding that individuals have rights in relation to how technology affects them is fundamental to both regulations. Teams that think in terms of transparency, fairness, and accountability are better positioned to meet AI Act obligations.
What you need to build:
- AI system inventory. GDPR requires a record of processing activities. The AI Act requires something different — a comprehensive inventory of AI systems, their risk classifications, and their deployment contexts. Your Records of Processing Activity (RoPA) will not serve as an AI inventory, though they may help you identify AI systems that process personal data.
- Risk classification capability. You need people who can assess AI systems against the AI Act's framework and assign risk levels correctly. This is a different skill from GDPR risk assessment.
- Technical oversight. The AI Act requires ongoing monitoring of AI system performance — accuracy, robustness, drift. This is operational, not just procedural.
- AI literacy training programme. This is net new. GDPR awareness training does not satisfy Article 4. You need a dedicated programme that covers AI literacy at a level appropriate to each person's role.
- Vendor due diligence for AI. Your existing vendor assessment processes need to expand to cover AI Act requirements — particularly for AI systems you deploy but did not build.
Building a Combined Compliance Approach
The most efficient path forward is not to treat GDPR and the AI Act as separate compliance workstreams. They will often apply to the same systems, involve the same teams, and require overlapping documentation.
Consider a unified approach:
Joint system register. Maintain a single register that captures both GDPR processing activities and AI Act system classifications. For systems that fall under both regulations, document the relevant obligations side by side.
Integrated impact assessments. When a new AI system is proposed, run a combined assessment that covers GDPR data protection impacts and AI Act risk classification in a single process. This reduces duplication and ensures neither set of obligations is missed.
Combined training. For staff who use AI systems that process personal data — which is most of them — design training that addresses both GDPR responsibilities and AI literacy in one programme. This is more efficient and more realistic than expecting people to complete separate modules for each regulation.
Coordinated governance. Ensure that your DPO, your AI Act compliance lead (however that role is defined in your organisation), and your L&D team are working together, not in parallel. The information each needs overlaps significantly.
If you are building this combined approach and want to assess where the gaps are, our free diagnostic evaluates your readiness across both data protection and AI compliance dimensions.
For the training component specifically, our AI Act course is designed to sit alongside existing GDPR awareness programmes — building on the compliance foundations your teams already have rather than duplicating them.
The Bottom Line
GDPR and the AI Act are complementary, not interchangeable. GDPR-compliant organisations have real advantages — mature governance, documentation habits, rights-based thinking — but they also have real gaps to fill, particularly around AI system inventories, risk classification, and the Article 4 literacy obligation.
The organisations that navigate this transition most effectively will be those that treat it as an extension of their existing compliance architecture, not a separate initiative built from scratch. The regulatory logic is different, but the organisational muscles are similar: assess, document, train, evidence, review.
The August 2026 deadline applies regardless of how mature your GDPR programme is. The question is not whether you are already compliant. The question is how much of the new ground you have covered.