
What does the AI Act mean for my business, alongside the GDPR?

The AI Act and the GDPR apply side by side. The GDPR covers personal data, the AI Act covers the AI system itself. Here are the facts that count and what most organisations must arrange now.

Quick answer

The AI Act and the GDPR complement each other. The GDPR governs how you handle personal data, the AI Act governs how safe the AI system itself is, based on risk. For most organisations, two things are already required now: AI literacy for staff who work with AI (since 2 February 2025) and a GDPR basis for personal data in AI tools. From 2 August 2026, extra obligations apply to high-risk AI systems, such as human oversight, informing workers, and often a DPIA. An everyday chatbot used for text work is usually not a high-risk system, but the GDPR still applies in full.

  1. The GDPR is about personal data, the AI Act is about the AI system itself: they stack.
  2. AI literacy has been required since 2 February 2025 for anyone working with AI.
  3. From 2 August 2026 the obligations for high-risk AI systems apply.
  4. A chatbot used for text work is usually not high-risk, but the GDPR still applies.
  5. Practical to arrange now: AI register, short AI policy, data processing agreement, DPIA.

Many business owners hear "AI Act" and think: another law to deal with. The practical question is simpler: what do I have to arrange now, and what later? The answer starts with understanding that the AI Act and the GDPR regulate two different things, and apply side by side.

GDPR and AI Act: two laws, two questions

The GDPR asks a question about data: do you process personal data lawfully, with a basis, purpose limitation, and data minimisation? That law applies as soon as personal data is involved, including in an AI tool.

The AI Act asks a question about the system: how risky is this AI system, and which safeguards belong to it? That law looks at the system itself, regardless of whether it contains personal data.

If you use AI with personal data, you must meet both. They do not replace each other: the GDPR says what may happen to the data, while the AI Act says how safe and transparent the system must be.

The AI Act works with risk levels

The AI Act sorts AI systems by risk:

  • Prohibited. A short list of practices that are not allowed, such as social scoring by governments. Prohibited since 2 February 2025.
  • High risk. AI used for things with major consequences for people, for example hiring and selection, assessment, or access to services. These carry the heaviest obligations.
  • Limited risk. Here a transparency duty mainly applies, such as making clear that someone is talking to AI or that content was made by AI.
  • Minimal risk. Most everyday uses, with few extra obligations.

Important for most organisations: a general chatbot you use to write or summarise text usually does not fall under high risk. It changes as soon as you use AI for decisions with major consequences for people.

The timeline: what applies when

The AI Act entered into force on 1 August 2024 and is phased in:

  • 2 February 2025: prohibited AI practices and the AI literacy obligation.
  • 2 August 2025: obligations for providers of general-purpose AI models.
  • 2 August 2026: the obligations for high-risk AI systems and the general rules for deployers (users).

What most organisations must arrange now

Two things apply regardless of whether you use high-risk AI.

1. AI literacy (since 2 February 2025). Organisations must ensure that staff who work with AI systems have enough knowledge and skills to use them responsibly. It does not need to be a formal qualification, but you must be able to demonstrate it. In practice this means explaining what AI may and may not do, and which data does not belong in a prompt. Our guide on what you can and cannot share with AI is a usable part of that.

2. A GDPR basis for personal data in AI. If you use AI with personal data, you need a lawful basis, purpose limitation, and data minimisation, and often a data processing agreement with the vendor. The AI Act does not change this; it was already required by the GDPR.

What is added for high-risk AI

If you deploy a high-risk AI system, extra duties apply to the user from 2 August 2026, including:

  • Human oversight of how the system works.
  • Informing workers. An employer must inform worker representatives and the affected workers before a high-risk AI system is put into use in the workplace.
  • A DPIA, and in certain cases an additional assessment of the impact on fundamental rights (FRIA), complementing the DPIA.
  • Transparency towards people affected by the system.

Practical: the short checklist

For most small businesses and organisations, it comes down to:

  1. AI register. Track which AI tools are in use and for what.
  2. Short AI policy. A few pages with the rules for staff is often enough. See enforcing an AI policy.
  3. Data processing agreement. Arrange with each AI vendor what may happen to personal data.
  4. DPIA where needed. Especially for sensitive processing or monitoring.
  5. AI literacy. Make sure people know what they can and cannot share.

Where BeeSensible fits

The AI Act and the GDPR call for demonstrable control, but most of the risk arises on the work floor: an employee pastes customer or patient data into a prompt. A ban often backfires and leads to shadow AI.

BeeSensible helps at the source. Sensitive data is highlighted as someone types in browser-based AI tools, so it can be removed, replaced, or masked before the prompt is sent. For compliance, that delivers two things: it supports data minimisation under the GDPR, and it makes AI literacy concrete at the moment it counts. The infrastructure BeeSensible runs on is ISO 27001 certified; BeeSensible itself is not.

Further reading: GDPR and workplace AI and GDPR and AI tools in the workplace.

FAQ: common questions

What is the difference between the AI Act and the GDPR?

The GDPR protects personal data and applies as soon as you process it. The AI Act regulates AI systems based on risk, regardless of whether they contain personal data. They apply side by side: if you use AI with personal data, you must meet both.

Is AI literacy really required?

Yes. Since 2 February 2025, organisations must ensure that staff working with AI systems have enough knowledge and skills to use them responsibly. It does not have to be a formal course, but you must be able to demonstrate it.

Is ChatGPT classed as high-risk AI?

A general chatbot used for text work is usually not a high-risk AI system. It changes if you use AI for decisions with major consequences, such as hiring, assessment, or credit decisions. Then the high-risk obligations may apply.

What changes on 2 August 2026?

From that date, the obligations for high-risk AI systems apply, such as human oversight, logging, informing workers and their representatives, and in many cases a DPIA. The AI Act itself has been in force since 1 August 2024 and is phased in over time.

Do I need an AI policy and an AI register?

For most organisations that is sensible and often practically necessary. An AI register shows which AI you use and why. An AI policy sets the rules for staff. For many small and mid-sized businesses, a document of a few pages is enough.

How high are the fines under the AI Act?

The heaviest AI Act fines, for prohibited AI practices, can reach 35 million euros or 7 percent of global annual turnover. The GDPR has a separate fine regime of up to 20 million euros or 4 percent of turnover.