EU AI Act guide for Data Protection Officers

EU AI Act guide for Data Protection Officers

The EU AI Act sits alongside GDPR rather than replacing it, and for Data Protection Officers the intersection between the two frameworks is where your most important work lives. AI systems that process personal data face obligations under both regimes simultaneously, and the documentation, oversight, and accountability requirements in the AI Act map closely onto concepts you already manage. As DPO, you are well-positioned to lead or co-lead your organisation's AI Act compliance program, particularly for high-risk systems.

What the EU AI Act requires

For high-risk AI systems (Annex III), Article 10 sets detailed requirements for training data governance: datasets must be relevant, representative, free of errors where possible, and subject to appropriate data governance practices. This language is deliberately aligned with GDPR data minimisation and accuracy principles, but it goes further by requiring documented examination of data bias and known limitations. Article 9 requires a risk management system that is ongoing throughout the system lifecycle, not a one-time assessment. Article 17 requires a quality management system covering data governance, documentation, and post-market monitoring. Article 13 (transparency) requires that high-risk systems are accompanied by instructions enabling deployers to make informed use, including information about data inputs the system relies on. GPAI model providers face additional obligations under Article 53, including maintaining technical documentation, providing information to downstream deployers, and publishing summaries of training data. These obligations apply from August 2, 2026.

What this means for your business

For most organisations, the AI Act creates three new touchpoints for the DPO function. First, Data Protection Impact Assessments (DPIAs) under GDPR Article 35 should now be run in parallel with AI Act risk assessments under Article 9. Many of the inputs are shared: what data is processed, for what purpose, with what safeguards. Running them together avoids duplication and creates a single audit-ready record. Second, the Article 10 data governance requirements mean that data pipelines feeding AI models need the same scrutiny as data processing activities under GDPR. If your organisation uses third-party training datasets, provenance and bias documentation must be obtained from the provider. Third, the AI Act's human oversight requirement (Article 14) has direct implications for automated decision-making. GDPR Article 22 already restricts solely automated decisions with significant effects. Article 14 of the AI Act adds a technical requirement to build in override capability, creating a stronger legal foundation for your GDPR Article 22 compliance.

Steps to get compliant

1. Map every AI system that processes personal data and cross-reference it against Annex III. For each high-risk system, run a combined DPIA and Article 9 risk assessment.
2. Review your Records of Processing Activities (RoPA) to ensure AI-powered processing activities are captured with sufficient granularity to satisfy Article 11 technical documentation requirements.
3. Engage your AI or engineering teams on Article 10 dataset documentation. Request evidence of bias examination, dataset composition, and data governance practices from any third-party model providers.
4. Update your incident response and post-market monitoring procedures (Article 17) to cover AI-specific risks, including model drift, unexpected outputs, and data quality degradation over time.

Free EU AI Act risk assessment

Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener