GDPR and the EU AI Act: What Irish Organisations Need to Know

Ger Perdisatt

Founder, Acuity AI Advisory

GDPR and the EU AI Act overlap in significant ways for Irish organisations — but they are not the same framework. Understanding where they interact is essential for compliance.

Irish organisations have spent years building GDPR compliance infrastructure. The EU AI Act now adds a second layer of obligations that overlaps with GDPR in important places — but is not satisfied by it. Understanding the relationship between the two frameworks is essential before designing any AI compliance programme.

What GDPR and the EU AI Act share

Both frameworks are concerned with protecting individuals from the misuse of technology. Both apply to organisations operating in the EU, both impose documentation obligations, and both require human oversight of automated decisions. Many of the AI use cases that trigger EU AI Act obligations — HR tools, credit scoring, automated customer decisions — are also subject to GDPR's Article 22 restrictions on automated decision-making.

For Irish organisations, the Data Protection Commission is the lead regulator under GDPR for many of the world's largest technology companies. Ireland has significant regulatory infrastructure already in place. That experience is relevant but not transferable wholesale to the EU AI Act.

Where they diverge

GDPR is fundamentally about personal data — how it is collected, processed, stored and used. The EU AI Act is about AI systems — how they function, what decisions they drive, what risks they create. An AI system can create significant obligations under the EU AI Act without processing personal data at all. Conversely, GDPR's automated decision-making rules do not capture all of the scenarios that concern the EU AI Act.

The EU AI Act's risk classification framework — unacceptable, high-risk, limited, minimal — has no GDPR equivalent. The documentation requirements for high-risk AI systems under the Act go beyond anything GDPR requires. And the EU AI Act's conformity assessment obligations for certain high-risk systems are an entirely new compliance mechanism.

Practical implications for Irish organisations

Organisations that have mature GDPR compliance programmes have a head start. The disciplines of data mapping, impact assessment, documentation and oversight are directly relevant. But the EU AI Act requires a separate exercise: an inventory of AI systems in use, risk classification of each, and assessment of deployer obligations specific to the Act.

The two frameworks need to be addressed together. An AI system that processes personal data in an automated decision-making context must satisfy both GDPR's Article 22 requirements and — if it falls into a high-risk category — the EU AI Act's technical documentation, human oversight and accuracy obligations. Designing a compliance programme for one without considering the other creates gaps.

The Data Protection Commission and the AI Office

Ireland's Data Protection Commission is one of the most active GDPR regulators in Europe. Ireland's AI Office, operational from August 2026, will be the national competent authority for the EU AI Act. The two bodies have distinct but overlapping remits. Organisations that have engaged with the DPC on AI-related data protection matters should expect that the AI Office will be looking at the same use cases through a different lens.

What to do now

The most effective approach is a unified compliance review that maps your AI use against both frameworks simultaneously. This avoids duplication, identifies genuine gaps, and produces a compliance roadmap that satisfies both regulators rather than two separate programmes that may contradict each other.

If you are an Irish organisation using AI in regulated contexts — financial services, HR, public administration, customer-facing decisions — a combined GDPR and EU AI Act readiness review is the right starting point. Contact Acuity AI Advisory to discuss your position.
