Plain English Guides
EU AI Act vs GDPR — What's the Difference?
The EU AI Act and GDPR regulate different things. GDPR governs the processing of personal data. The EU AI Act governs the development, supply, and use of artificial intelligence systems. A single AI activity can fall under both laws at the same time.
Complying with GDPR does not automatically satisfy the AI Act, and an AI Act assessment does not replace a GDPR review.
What GDPR asks
GDPR starts with personal data. If your AI system collects, stores, infers, or otherwise processes information relating to an identifiable person, GDPR may apply.
Typical questions include:
- What is the lawful basis?
- Was the person given clear privacy information?
- Is the data limited to what is necessary?
- How long is it retained?
- Is it transferred outside the relevant jurisdiction?
- Can the organisation answer access, deletion, and objection requests?
- Is a data protection impact assessment required?
Automated decision-making and profiling can trigger additional GDPR rules, especially where a decision has legal or similarly significant effects.
What the EU AI Act asks
The EU AI Act starts with the AI system, the organisation's role, and the use case. It distinguishes providers, deployers, importers, distributors, and certain product manufacturers.
It prohibits specified practices, imposes detailed controls on defined high-risk systems, and creates targeted transparency duties. It also requires relevant AI literacy measures.
An AI system can fall under the AI Act even when it processes no personal data. A machine-vision system inspecting manufactured parts may still be an AI system even if no individual is identifiable.
Where the laws overlap
The overlap is strongest when AI uses personal data about people. Consider an AI recruitment system:
GDPR asks whether candidate data is used lawfully, transparently, securely, and fairly. It may require a data protection impact assessment and safeguards around automated decisions.
The AI Act asks whether the system is high risk, whether the organisation is a provider or deployer, and whether the required instructions, logs, monitoring, human oversight, and other controls are in place.
One project therefore needs a joined-up review rather than two disconnected checklists.
Transparency is not the same under both laws
GDPR privacy information explains personal-data processing: what data is collected, why it is used, who receives it, and what rights the person has.
Article 50 of the AI Act contains transparency duties for specified AI uses. These include telling people when they interact directly with AI and disclosures for certain synthetic or manipulated content.
A privacy policy does not necessarily provide an Article 50 notice at the right moment. A chatbot may need a visible AI disclosure at the start of the interaction as well as a link to privacy information.
Risk assessments serve different purposes
A GDPR data protection impact assessment examines high risks to people's data-protection rights. An AI Act assessment examines the system against the AI Act's categories and actor-specific duties.
The evidence can overlap. Data sources, affected groups, bias testing, security controls, human review, and incident procedures may support both. That is cross-compliance: reusing evidence without pretending the legal tests are identical.
Does one law take priority?
Neither law generally replaces the other. The AI Act states that EU data-protection law continues to apply. If both cover the activity, the organisation must satisfy both.
The relevant regulator and enforcement route can also differ. Data protection authorities enforce GDPR. AI Act enforcement is allocated through the Act and national arrangements, with responsibilities depending on the system and market.
A practical combined checklist
For each AI system:
- Record the purpose, provider, owner, users, and affected people.
- Identify any personal data and lawful basis.
- Classify the AI use and your role.
- Complete the relevant privacy and AI risk assessments.
- Provide privacy information and AI notices at the right time.
- Define human review, security, monitoring, and incident handling.
- Retain evidence and review it when the system changes.
Run the free audit to identify the AI Act side of the work, then connect it to your existing GDPR records.
This article provides general information, not legal advice.
Check your AI Act and GDPR obligations →
Check my tools →