AI meets GDPR: how companies should prepare for dual compliance
The EU AI Act entered into force on 1 August 2024 and is applying in stages: the prohibitions on certain AI practices and the AI-literacy requirements have applied since February 2025, the obligations for general-purpose AI models since August 2025, and the next major milestone comes in August 2026, when the remainder of the Act starts to apply, with the exception of the high-risk classification rules linked to Article 6(1), which follow later.
At the same time, the Belgian Data Protection Authority is intensifying awareness of AI-driven data processing under the GDPR. It has issued formal guidance, “Artificial Intelligence Systems and the GDPR – A Data Protection Perspective” (December 2024 version), emphasising that Belgian companies deploying AI systems that process personal data must already comply with the GDPR principles of lawfulness, transparency, purpose limitation, data minimisation, accuracy and security. The guidance highlights specific risks such as bias, unfair automated decision-making and a lack of human oversight. On accountability, it expects companies to document their legal bases, perform impact assessments (including, for high-risk systems, the fundamental-rights impact assessment required by the AI Act), implement adequate technical and organisational measures and ensure human oversight throughout the AI lifecycle. It targets a broad audience (legal professionals, DPOs, technical stakeholders, controllers and processors) and aims to bridge the legal and technical perspectives so that Belgian companies can embed data protection by design in the development and deployment of AI systems. Although full enforcement of the AI Act in Belgium is still rolling out, companies should read this guidance as a signal that data-protection authorities are increasingly alert to AI-related risks.
Together, these two frameworks mark the beginning of a dual compliance era: AI governance and data-protection accountability.
While the GDPR governs how personal data is collected, processed and shared, the AI Act introduces a risk-based approach to the technology itself. AI systems are classified by risk level, from unacceptable risk (prohibited) through high-risk to limited-risk, with each tier triggering duties such as transparency, technical documentation and human oversight. In practice, any company using AI for recruitment, marketing analytics or automated decision-making must ensure that its systems satisfy both GDPR and AI Act requirements.
How can you act?
1. Map your AI uses — identify all tools processing or generating personal data.
2. Integrate AI into your compliance program — align GDPR DPIAs with AI Act risk assessments.
3. Update governance and contracts — clearly allocate roles between controllers, processors, and AI suppliers.
4. Train management and staff — awareness and documentation are the first lines of defence.
AI may be (relatively) new, but good governance isn’t. Companies that act early will build not just compliance, but trust and resilience in an AI-driven society.