Many business owners hear "AI Act" and think: another law to deal with. The practical question is simpler: what do I have to arrange now, and what later? The answer starts with understanding that the AI Act and the GDPR regulate two different things, and apply side by side.
GDPR and AI Act: two laws, two questions
The GDPR asks a question about data: do you process personal data lawfully, with a basis, purpose limitation, and data minimisation? That law applies as soon as personal data is involved, including in an AI tool.
The AI Act asks a question about the system: how risky is this AI system, and which safeguards belong to it? That law looks at the system itself, regardless of whether it contains personal data.
If you use AI with personal data, you must meet both. They do not replace each other: the GDPR says what may happen to the data; the AI Act says how safe and transparent the system must be.
The AI Act works with risk levels
The AI Act sorts AI systems by risk:
- Prohibited. A short list of practices that are not allowed, such as social scoring by governments. Prohibited since 2 February 2025.
- High risk. AI used for things with major consequences for people, for example hiring and selection, assessment, or access to services. These carry the heaviest obligations.
- Limited risk. Here a transparency duty mainly applies, such as making clear that someone is talking to AI or that content was made by AI.
- Minimal risk. Most everyday uses, with few extra obligations.
Important for most organisations: a general chatbot you use to write or summarise text usually does not fall under high risk. That changes as soon as you use AI for decisions with major consequences for people.
The timeline: what applies when
The AI Act entered into force on 1 August 2024 and is phased in:
- 2 February 2025: prohibited AI practices and the AI literacy obligation.
- 2 August 2025: obligations for providers of general-purpose AI models.
- 2 August 2026: the obligations for high-risk AI systems and the general rules for deployers (users).
What most organisations must arrange now
Two things apply regardless of whether you use high-risk AI.
1. AI literacy (since 2 February 2025). Organisations must ensure that staff who work with AI systems have enough knowledge and skills to use them responsibly. This does not require a formal qualification, but you must be able to demonstrate it. In practice this means explaining what AI may and may not do, and which data does not belong in a prompt. Our guide on what you can and cannot share with AI is a useful part of that.
2. A GDPR basis for personal data in AI. If you use AI with personal data, you need a lawful basis, purpose limitation, and data minimisation, and often a data processing agreement with the vendor. The AI Act does not change this; it was already required by the GDPR.
What is added for high-risk AI
If you deploy a high-risk AI system, extra duties apply to the user from 2 August 2026, including:
- Human oversight of how the system works.
- Informing workers. An employer must inform worker representatives and the affected workers before a high-risk AI system is put into use in the workplace.
- A DPIA, and in certain cases an additional assessment of the impact on fundamental rights (FRIA), complementing the DPIA.
- Transparency towards people affected by the system.
Practical: the short checklist
For most small businesses and organisations, it comes down to:
- AI register. Track which AI tools are in use and for what.
- Short AI policy. A few pages with the rules for staff is often enough. See enforcing an AI policy.
- Data processing agreement. Arrange with each AI vendor what may happen to personal data.
- DPIA where needed. Especially for sensitive processing or monitoring.
- AI literacy. Make sure people know what they can and cannot share.
Where BeeSensible fits
The AI Act and the GDPR call for demonstrable control, but most of the risk arises in day-to-day work: an employee pastes customer or patient data into a prompt. A ban often backfires and leads to shadow AI.
BeeSensible helps at the source. Sensitive data is highlighted as someone types into browser-based AI tools, so it can be removed, replaced, or masked before the prompt is sent. For compliance, that delivers two things: it supports data minimisation under the GDPR, and it makes AI literacy concrete at the moment it counts. The infrastructure BeeSensible runs on is ISO 27001 certified; BeeSensible itself is not.
Further reading: GDPR and workplace AI and GDPR and AI tools in the workplace.