The AI Act and GDPR: how they fit together
The AI Act does not replace the GDPR. If your AI touches personal data, and most does, you are working under both at once. The good news is they pull in the same direction.
Two laws, two angles
The GDPR governs how you process personal data. The AI Act governs how AI systems are built and used. They are separate laws with separate regulators, and you can be subject to both at the same time for the same tool.
A recruitment tool is the clearest example: the GDPR applies because it processes applicant data, and the AI Act applies because screening applicants is a high-risk use. Neither law cancels the other out; they stack.
Where they meet: the DPIA
For high-risk uses involving personal data, the AI Act points you to the GDPR's data protection impact assessment, and expects the provider's information about the system to help you complete it. One piece of work serves both regimes.
So if a high-risk system processes personal data, do not treat the AI Act and GDPR steps as two separate projects. The DPIA is the natural place they come together.
Automated decisions
The GDPR already gives people rights around decisions made solely by automated means, including a right to meaningful human involvement in significant ones. The AI Act's transparency and human oversight duties reinforce the same idea from a different angle.
Read together, the message is consistent: tell people when AI is involved in a decision about them, and keep a capable human genuinely in the loop rather than rubber-stamping the output.
Data governance
Both laws care about the data going in. The AI Act asks deployers to mind the input data they control for high-risk systems, so it is relevant and representative. The GDPR asks for a lawful basis, accuracy, and keeping data to what you actually need.
In practice the same discipline, knowing where your data comes from and keeping it fit for purpose, goes a long way to satisfying both.
The practical takeaway
Treat them as one programme rather than two. Doing the AI Act work well, inventory, classification, oversight, and records, makes the GDPR side easier, and a mature GDPR practice gives you a head start on the AI Act.
For anything specific to personal data, involve whoever owns your GDPR compliance early, so the two strands are handled together rather than colliding later.
This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.
Put it into practice
Classify your AI systems against the Act and generate the documents this guide describes.