GDPR and AI Act: What Companies Need to Know in 2026
By Zetta Henigman
In today’s digital economy, companies of all sizes must comply with an evolving landscape of European Union (EU) regulations. The EU General Data Protection Regulation (GDPR) and the EU Artificial Intelligence (AI) Act are two key regulatory frameworks that influence how companies collect, process, and utilize personal data and artificial intelligence. Although these regulations differ in scope, they intersect in critical areas such as data protection, transparency, and accountability.
While the GDPR has been in force since 2018, the AI Act is being rolled out in phases.[1] The AI Act entered into force on 1 August 2024, and some of its provisions already apply: the prohibitions on certain AI practices and the AI literacy requirements since 2 February 2025, and the rules for general-purpose AI models since 2 August 2025. However, on 19 November 2025, the European Commission proposed an amendment to delay the stricter obligations for high-risk AI systems, pushing the original deadline from August 2026 to December 2027.[2] This proposal, which forms part of the Digital Omnibus initiative, aims to simplify compliance processes, ease administrative burdens, and address industry concerns, particularly for small and medium-sized enterprises (SMEs).[2] It also proposes changes to the GDPR, such as clarifying that personal data may be processed for the purpose of detecting and correcting bias in AI systems and models.[1] Understanding where these regulations intersect is therefore essential for companies that want to stay compliant.

Where the GDPR and the AI Act Intersect
1. Processing of Personal Data
The GDPR sets the standard for lawful, transparent, and secure processing of personal data. The AI Act does not replace these rules; it applies without prejudice to the GDPR and adds AI-specific requirements on top of them. Where an AI system processes personal data, the organization must therefore still satisfy the GDPR's core principles: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality.
This means that if your AI systems handle personal data, they must comply with both the GDPR and the AI Act's data governance obligations, such as maintaining clear records of data sources, processing activities, and the safeguards that protect individuals' rights. Since AI development often involves processing personal data, GDPR compliance is foundational, and the AI Act reinforces this alignment: the EU declaration of conformity for a high-risk AI system must state that the system complies with the GDPR wherever it involves the processing of personal data.
2. Transparency
Transparency is a fundamental principle under both the GDPR and the AI Act, ensuring that individuals receive clear and accessible information about how their personal data is processed and how AI systems impact them.
Under the GDPR, individuals must be informed about the purposes, legal basis, recipients, storage periods, and their rights regarding the processing of their personal data. The AI Act extends transparency to AI systems: providers of high-risk AI systems must supply instructions for use that deployers can act on, and individuals must be told when they are interacting with an AI system, unless this is obvious from the context.
For companies, this means not only disclosing data processing activities but also explaining how AI systems operate and influence decisions. By aligning GDPR’s transparency requirements with the AI Act’s obligations, businesses can ensure that individuals understand both how their personal data is used and the AI-driven outcomes that affect them.
3. Accountability
Both the GDPR and the AI Act require organizations to document their processes and decisions to demonstrate compliance.
The GDPR mandates Data Protection Impact Assessments (DPIAs) in specific cases where data processing is likely to result in high risk to individuals' rights and freedoms. It also requires Data Processing Agreements (DPAs) between controllers and processors to ensure responsible handling of personal data.
Under the AI Act, deployers of high-risk AI systems must use the provider's instructions for use to carry out a DPIA where the GDPR requires one. The AI Act also introduces the Fundamental Rights Impact Assessment (FRIA) for certain deployers of high-risk AI systems; where the DPIA already covers some of the FRIA's requirements, the FRIA complements the DPIA rather than repeating it. Finally, the AI Act requires detailed technical documentation of the development process for high-risk AI systems and general-purpose AI models.

Example
Consider the CEO of a MedTech firm using ClaudeCowork, an AI assistant integrated into the company's systems to process patient data, e.g., medical records or diagnostic inputs. Under the GDPR, the company must ensure lawful, transparent, and secure processing, adhering to principles such as purpose limitation, data minimization, and confidentiality; because health data is a special category of personal data, processing it also needs one of the additional conditions the GDPR sets for such data, not just an ordinary legal basis. The AI Act requires the company to maintain clear records of data sources, processing activities, and safeguards, and, for a high-risk system, a declaration of conformity that states GDPR compliance because personal data is involved. Transparency demands that patients be informed under the GDPR about how their data is processed, the purposes, legal basis, recipients, storage periods, and their rights, and under the AI Act that they are told when they are interacting with ClaudeCowork, with clear instructions for use available to the staff operating it. For accountability, the company must document its processes, conduct a DPIA, carry out a FRIA where the AI Act requires one for its use case, and ensure DPAs are in place with its vendors. Without these measures, the company risks violating both frameworks, e.g., if ClaudeCowork processes data without a valid legal basis, bypasses security controls, or lacks the required documentation, exposing the company to fines and reputational damage.
What the AI Act Postponement Means for Companies
The European Commission's proposal to delay the full implementation of the AI Act does not reduce its importance. Rather, it gives companies additional time to prepare. The postponement recognizes the complexity of the regulatory environment but does not eliminate the need for proactive compliance efforts. Note also that it is still a proposal: until the amendment is adopted by the European Parliament and the Council, the dates in the current text of the AI Act remain binding.
The key takeaway is that the postponement affects enforcement timing, not the requirements themselves. Companies should use this period to:
- Assess the AI systems they use for compliance with both the GDPR and the AI Act by conducting gap assessments.
- Strengthen transparency practices, by for example updating privacy policies to explicitly include processing of personal data by AI systems.
- Prepare for the AI Act’s stricter obligations for high-risk AI systems by conducting assessments, documenting the use of AI in all business processes, and ensuring that all vendors have DPAs in place and are compliant with the GDPR.
For SMEs, this extension provides a valuable opportunity to align AI systems with the GDPR, ensuring a smoother transition when the AI Act’s provisions take full effect.
Pragmatic Steps for Companies
Must-Have actions
- Data mapping: Identify and document all personal data processed by your AI systems, including its source, type, purpose, and lifecycle (e.g. in the Register of Processing Activities).
- Transparency notices: Clearly inform users when AI systems process personal data or make decisions that impact them (e.g., via privacy policy updates or dedicated AI disclosures).
- AI literacy: Ensure that employees have sufficient knowledge and skills on AI use (e.g., through a 1-hour workshop on GDPR, AI Act, and company-specific rules).
- Human oversight: Implement processes for human review of AI decisions, especially in high-risk areas, such as HR, customer service, or financial assessments (e.g., manual validation of AI-generated outputs).
Should-Have actions
- Bias and quality checks: Regularly audit AI training data to ensure it is representative, accurate, and free from bias, particularly for high-risk use cases (e.g., using open-source tools like Fairlearn or IBM AI Fairness 360).
- Vendor compliance: If your business uses third-party AI tools, verify that you have DPAs with the vendors and that they take measures to comply with the GDPR and AI Act (e.g., by checking their GDPR/AI Act compliance documentation).
- Documentation: Maintain detailed records of your AI systems’ design, training data, and decision-making logic in a centralized repository (for providers of AI systems and models).
- Risk assessments: Conduct DPIAs, conformity assessments, and FRIAs for high-risk AI applications to identify and mitigate potential risks (e.g., using Anove's insAIght).
Nice-to-Have actions
- Regulatory sandboxes: Participate in national or EU regulatory sandboxes to test AI systems in a controlled environment and identify issues early (e.g., the Dutch AI Sandbox).
- Team training: Invest in ongoing training on AI ethics, data protection, and regulatory updates to keep your team informed and prepared (e.g., via Anove's Expert Support function).
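The "bias and quality checks" item above is the one step in this list that is a concrete technique rather than a governance task. The example below, added here and not code from Anove or from the Fairlearn project, shows what such an audit actually computes: per-group selection rates, true-positive and false-positive rates, and the two headline gaps Fairlearn reports as demographic parity difference and equalized odds difference. It uses only the Python standard library so it runs offline; the records, the group labels "A" and "B", and the two thresholds (the 0.8 selection-rate ratio is the US "four-fifths rule" heuristic, not an EU legal limit, and the 0.1 equalized-odds bound is an assumed internal policy value) are all constructed for illustration. Remember that the protected attribute this audit needs is itself personal data, often special-category data, so the audit needs its own legal basis, which is precisely the point the Digital Omnibus proposal seeks to clarify.

```python
"""Group fairness audit of binary model decisions (added illustrative example).

Not Anove's or Fairlearn's code. Computes the same metrics that
fairlearn.metrics.demographic_parity_difference and
equalized_odds_difference report, with the standard library only.
"""
from collections import defaultdict

# Constructed sample: (protected_group, y_true, y_pred) per applicant.
# Group labels "A"/"B" and all values are made up for the example.
SAMPLE = [
    ("A", 1, 1), ("A", 1, 1), ("A", 0, 1), ("A", 0, 0), ("A", 1, 0), ("A", 0, 0),
    ("B", 1, 0), ("B", 1, 1), ("B", 0, 0), ("B", 0, 0), ("B", 1, 0), ("B", 0, 0),
]


def _rate(numerator, denominator):
    """Fraction, or None when the denominator is zero (metric undefined)."""
    return numerator / denominator if denominator else None


def group_rates(records):
    """Per-group selection rate, true-positive rate and false-positive rate.

    A group with no actual positives (or negatives) gets tpr (or fpr) = None
    so it is skipped, not silently treated as 0, in the comparisons below.
    """
    counts = defaultdict(lambda: {"n": 0, "pred_pos": 0, "pos": 0, "tp": 0, "neg": 0, "fp": 0})
    for group, y_true, y_pred in records:
        c = counts[group]
        c["n"] += 1
        c["pred_pos"] += y_pred
        if y_true:
            c["pos"] += 1
            c["tp"] += y_pred
        else:
            c["neg"] += 1
            c["fp"] += y_pred
    return {
        g: {
            "n": c["n"],
            "selection_rate": _rate(c["pred_pos"], c["n"]),
            "tpr": _rate(c["tp"], c["pos"]),
            "fpr": _rate(c["fp"], c["neg"]),
        }
        for g, c in counts.items()
    }


def _spread(rates, key):
    """Largest minus smallest defined value of `key` across groups."""
    vals = [r[key] for r in rates.values() if r[key] is not None]
    return max(vals) - min(vals) if len(vals) > 1 else 0.0


def demographic_parity_difference(rates):
    """Gap between the highest and lowest per-group selection rate."""
    return _spread(rates, "selection_rate")


def equalized_odds_difference(rates):
    """Larger of the TPR gap and the FPR gap across groups."""
    return max(_spread(rates, "tpr"), _spread(rates, "fpr"))


def disparate_impact_ratio(rates):
    """Lowest selection rate divided by the highest; None if undefined."""
    vals = [r["selection_rate"] for r in rates.values() if r["selection_rate"] is not None]
    if len(vals) < 2 or max(vals) == 0:
        return None
    return min(vals) / max(vals)


def audit(records, min_ratio=0.8, max_eo_diff=0.1):
    """Run the checks and return the metrics plus human-readable findings.

    Thresholds are assumed policy values: 0.8 is the US four-fifths heuristic,
    0.1 an illustrative internal bound; neither is an EU legal threshold.
    """
    rates = group_rates(records)
    dpd = demographic_parity_difference(rates)
    eod = equalized_odds_difference(rates)
    ratio = disparate_impact_ratio(rates)
    findings = []
    if ratio is not None and ratio < min_ratio:
        findings.append(f"selection-rate ratio {ratio:.2f} is below {min_ratio}")
    if eod > max_eo_diff:
        findings.append(f"equalized-odds difference {eod:.2f} exceeds {max_eo_diff}")
    return {
        "rates": rates,
        "demographic_parity_difference": dpd,
        "equalized_odds_difference": eod,
        "disparate_impact_ratio": ratio,
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit(SAMPLE)
    for group, r in sorted(result["rates"].items()):
        print(f"group {group}: n={r['n']} selection={r['selection_rate']:.2f} "
              f"tpr={r['tpr']:.2f} fpr={r['fpr']:.2f}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

On the constructed sample, group A is selected half the time and group B one time in six, so the selection-rate ratio is 0.33 and both checks fire. Keep the audit output (metrics, thresholds, date, data snapshot used) with the DPIA or FRIA evidence, since that is the record an auditor will ask for.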
How Anove’s insAIght Simplifies Compliance for Companies
Anove’s AI Management System insAIght is a platform designed to help companies navigate the complexities of the GDPR and the AI Act. By leveraging AI-driven insights and automation, insAIght simplifies compliance and risk management, allowing businesses to focus on innovation rather than administrative challenges.
With insAIght, companies can:
- Automate compliance documentation by generating reports and evidence, reducing manual workload.
- Automatically scan for shadow AI use within their company, identifying unauthorized or unmanaged AI tools and applications.
- Conduct risk assessments to identify and evaluate risks related to AI models, data privacy, and ethics, with actionable recommendations.
- Monitor AI systems continuously for regulatory compliance, including open-source AI models.
- Ensure AI infrastructure security by managing security assets and aligning them with best practices.
- Streamline business processes and workflows to align AI applications with organizational goals.
- Utilize real-time risk and compliance management with customizable dashboards for insights and analytics.
- Integrate seamlessly with existing systems via APIs for an efficient compliance process.
- Define and track ownership of AI assets and associated risks for enhanced accountability.
Anove supports companies in reducing administrative overhead, ensuring audit readiness, and turning compliance into a competitive advantage.
[1] European Commission (n.d.). Digital Package. Available at: https://digital-strategy.ec.europa.eu/en/faqs/digital-package.
[2] European Commission (2025). Digital Omnibus on AI Regulation Proposal. Available at: https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal.