AI Governance FAQ
How does AI governance relate to GDPR?
Quick answer
AI governance and GDPR overlap substantially but are not identical. GDPR governs the processing of personal data — and most AI that processes or generates outputs about individuals is subject to GDPR. The EU AI Act adds additional requirements for AI systems that go beyond data protection: risk classification, conformity assessment, human oversight, and transparency obligations. For Irish organisations, the Data Protection Commission is both the GDPR regulator and a designated National Competent Authority under the EU AI Act for AI systems that process personal data.
Where GDPR and AI Act obligations overlap
GDPR and the EU AI Act overlap most significantly in the area of automated decision-making. GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects, and where such decisions are permitted it requires safeguards: at minimum the right to obtain human intervention, to express their point of view, and to contest the decision. Articles 13 to 15 separately require meaningful information about the logic involved. The AI Act's human oversight requirements for high-risk AI systems (Article 14) reinforce and extend this. Both frameworks require transparency: telling people when and how their data is being processed by automated systems. GDPR requires data minimisation and purpose limitation; the AI Act's data governance requirements for high-risk systems (Article 10) pull in the same direction for training, validation and testing data. And both require organisations to assess risk before deploying systems: GDPR through Data Protection Impact Assessments, the AI Act through its conformity assessment regime for providers and, for certain deployers of high-risk systems, a fundamental rights impact assessment (Article 27). A practical point for Irish organisations is that the DPIA and the AI Act assessments draw on much of the same evidence, so these obligations are complementary rather than duplicative if the documentation is built once and reused.
Where the AI Act goes beyond GDPR
The EU AI Act goes beyond GDPR in several important respects. It applies not just to AI that processes personal data, but to AI systems more broadly, including systems that make decisions about physical infrastructure, safety-critical applications, and contexts involving no personal data at all. It introduces risk classification as a mandatory framework, requiring organisations to classify their AI systems and apply different obligations depending on risk tier. For high-risk AI systems it requires conformity assessments that go far beyond a DPIA, together with a risk management system (Article 9), record-keeping and logging (Article 12), and technical documentation to the standard set out in Article 11 and Annex IV. It also creates obligations around AI literacy (Article 4) and transparency for AI-generated or AI-manipulated content (Article 50), such as telling users they are interacting with an AI system and marking synthetic content, which have no direct GDPR equivalent. For Irish organisations, managing AI governance means managing both frameworks, which is why Acuity AI's approach integrates GDPR and AI Act obligations rather than treating them separately.
Acuity AI helps Irish organisations manage EU AI Act compliance alongside their existing GDPR obligations. See our EU AI Act compliance services.