EU AI Act vs GDPR: what is the difference?
- The GDPR governs personal data; the EU AI Act governs AI systems by risk tier.
- They often apply to the same system, and complying with one does not satisfy the other.
- Their impact assessments (DPIA and FRIA) overlap and are often run together.
- The efficient approach is to capture the facts once per system and generate both sets of evidence from it.
- Current as of June 2026. This is general information, not legal advice.
What each law governs
- GDPR (Regulation 2016/679): Protects the personal data of individuals in the EU. It sets rules for lawful processing, data subject rights, security, and accountability, and it includes specific provisions on automated decision-making.
- EU AI Act (Regulation 2024/1689): Regulates AI systems by risk tier, with obligations on providers and deployers covering risk management, data governance, documentation, oversight, and conformity for high-risk systems.
The key differences
The two regimes differ in focus, trigger, core unit, main obligations, and what brings you into scope:
| Dimension | GDPR | EU AI Act |
|---|---|---|
| Focus | Personal data | AI systems |
| Trigger | Processing personal data | Building or using AI, by risk tier |
| Core unit | The data and the data subject | The AI system and its risk |
| Main obligations | Lawful basis, rights, security, DPIA | Risk management, documentation, oversight, conformity |
| Applies if | You process EU personal data | Your AI reaches the EU market or its output is used in the EU |
Where they overlap
The overlap is significant. An AI system that makes decisions about people usually processes personal data, so both laws apply. The GDPR's rules on automated decision-making and its requirement for a data protection impact assessment sit alongside the AI Act's requirements for high-risk systems and, for some deployers, a fundamental rights impact assessment. In practice the two assessments cover related ground and are often run together.
Why you usually need both
Because they govern different things, complying with one does not satisfy the other. A system can be GDPR-compliant in how it handles data yet fail the AI Act's requirements for risk management or human oversight, and vice versa. For most organisations deploying AI that touches people, the practical answer is a single governance approach that satisfies both: data handling that meets the GDPR, and system governance that meets the AI Act, with shared documentation where the two overlap.
The efficient way to handle both
Running two separate compliance efforts duplicates work, because the underlying facts (what the system does, what data it uses, who it affects, how it is overseen) are the same. The efficient approach is to capture those facts once, per system, and generate the GDPR and AI Act evidence from the same source. That avoids contradictory records and the cost of maintaining two parallel paper trails.
Key terms
- GDPR: Regulation (EU) 2016/679, the EU's general data protection law governing personal data.
- Automated decision-making: Decisions about a person produced solely by automated means, addressed by GDPR Article 22.
- DPIA: Data protection impact assessment required under the GDPR for high-risk processing of personal data.
- FRIA: Fundamental rights impact assessment required of certain deployers under the EU AI Act.
- Overlap: The shared territory where both the GDPR and the AI Act apply to the same AI system and processing.