Compliance, Risk & Regulation
AI Act and GDPR, explained without the scare tactics
New rules, vague headlines, vendors selling 'compliance in a box'. Here are 25 straight answers for SME owners on the AI Act, GDPR and what they actually require — independent, plain language. Informative content, not legal advice.
What is the AI Act, in practice?
The EU AI Act is the first broad European law that regulates how artificial intelligence may be developed and used. In practice, it does not treat all AI the same way: it sorts systems by how much risk they pose to people, and attaches obligations to the riskier ones. Most everyday business tools — a chatbot, a writing assistant, a forecasting model — fall into the lighter categories, where the main duties are about transparency and basic governance, not heavy paperwork.
It is a regulation, so it applies directly across the EU without each country re-writing it. It reaches you both if you build AI and, more commonly for an SME, if you simply use it. The point is proportionality: the law asks more from a system that screens job applicants than from one that drafts your newsletter.
In general, for a typical small company the AI Act is manageable once you know which of your tools sit in which category.
GiBSeS — We help you read the AI Act through the lens of your actual tools, not the headlines, so you know what genuinely applies. A first exploratory conversation is free. This is informative content, not legal advice.
How does the AI Act apply to a small business like mine?
For most SMEs, the AI Act applies because you are a 'deployer' — you use AI systems rather than build them. That role is lighter than the manufacturer's, but it is not zero. In general you are expected to use systems as intended, keep a basic grip on what they do, ensure staff have a reasonable level of AI awareness, and be transparent with people where the rules require it.
The heavy obligations — conformity assessments, technical documentation, registration — mostly sit with whoever develops or markets the system, not with you as a user. The Act also explicitly tries to ease the load on SMEs, for example through simplified arrangements and support measures.
What changes for you depends almost entirely on what your AI actually does and on the data behind it. A marketing assistant is a different conversation from a tool that decides who gets hired or how much credit someone gets.
GiBSeS — We start by sorting your tools into 'barely affected' and 'needs attention', so you spend effort only where it matters. The first conversation is free. Informative content, not legal advice.
What are the AI Act risk levels (prohibited, high, limited, minimal)?
The AI Act groups systems into four bands. Prohibited uses are banned outright — things like social scoring of citizens or manipulative systems that exploit vulnerable people. High-risk covers AI used in sensitive areas such as recruitment, credit scoring, critical infrastructure or certain safety components; these carry the strongest obligations. Limited-risk covers systems that interact with people or generate content, where the main duty is transparency — telling people they are dealing with AI. Minimal-risk covers everything else, like spam filters or most productivity tools, with essentially no specific obligations.
The practical lesson for an SME is that the category is decided by what the system is used for, not by how clever it is. The same underlying model can be minimal-risk in one job and high-risk in another.
In general, most small-business tooling lands in the limited or minimal bands, which keeps the compliance effort modest.
GiBSeS — We classify each of your use cases into the right band so you are not over-engineering compliance for a tool that barely needs it. Free first conversation. Informative content, not legal advice.
Do I have to tell people I'm using AI?
In several cases, yes. The AI Act sets transparency duties for limited-risk systems. In general, if people interact directly with an AI — a chatbot, a voice agent — they should be made aware they are talking to a machine, unless that is already obvious. Content that is artificially generated or manipulated, such as deepfakes or AI-written articles published as information, generally has to be labelled as such. Emotion-recognition or biometric-categorisation systems also trigger disclosure duties toward the people exposed to them.
The spirit is honesty, not bureaucracy: people should not be misled about whether they are dealing with a human or a machine. For most SMEs this is straightforward — a short notice on a chat widget, a line in a footer, a clear label on synthetic media.
In most cases you do not need to disclose every internal use of AI, for example a tool that only helps your staff draft text behind the scenes.
GiBSeS — We help you write the few disclosures you genuinely need — clear, honest, not legalese — and skip the ones you don't. The first conversation is free. Informative content, not legal advice.
What is 'AI literacy' (Article 4) and does it apply to me?
Article 4 of the AI Act asks providers and deployers of AI to ensure a sufficient level of 'AI literacy' among the staff who operate these systems on their behalf. In plain terms: the people using AI in your company should understand, at a level appropriate to their role, what the tool does, what it can get wrong, and how to use it sensibly. It is one of the few obligations that lands directly on you as a user, and it has applied since early 2025.
It is not a certification scheme and there is no official exam. For a small company, meeting it can be as simple as a short, documented internal briefing: what tools we use, what they're good and bad at, what data must never go in, who to ask when unsure.
In general, treating this as basic staff awareness rather than a compliance project keeps it light and genuinely useful.
GiBSeS — We can run a short, practical AI-literacy session for your team and leave you a simple record of it — useful first, compliant as a bonus. Free first conversation. Informative content, not legal advice.
What are GPAI / general-purpose models and do they concern me?
GPAI means 'general-purpose AI' — large models, like the ones behind popular chat assistants, that aren't built for one narrow task but can do many. The AI Act sets specific obligations for the companies that make and distribute these models: technical documentation, transparency about training data at a summary level, copyright compliance, and extra duties for the very largest models judged to carry 'systemic risk'.
The key point for an SME is that almost all of these obligations sit with the model provider, not with you as a user. When you use such a model through a normal product or API, the provider is the one carrying the GPAI duties. Your responsibilities come from how you deploy it — transparency, data protection, AI literacy — not from the model's internals.
In most cases you don't need to track the GPAI rules in detail; you need to choose providers who clearly take them seriously.
GiBSeS — When we compare tools for you, provider seriousness on GPAI duties is one of the things we check, so you don't inherit someone else's compliance gap. The first conversation is free. Informative content, not legal advice.
Can I use ChatGPT with company data without breaching the GDPR?
Often yes, but not by default and not with every kind of data. The GDPR doesn't ban AI tools; it governs what happens to personal data. The questions that decide it are: are you putting personal data in, on what legal basis, under what contract with the provider, and where does that data end up? Many providers now offer business or enterprise tiers that, in general, don't train on your inputs and offer data-processing terms suited to professional use — which is a very different situation from a free consumer account.
The practical rules are mundane: don't paste personal or confidential data into tools you haven't vetted, prefer business plans with proper contracts, and write down which tools are approved for which data.
In most cases the safe path isn't 'never use it' but 'use the right version, with the right settings, for the right data'. For anything sensitive, a quick check with a data-protection professional is worth it.
GiBSeS — We help you set simple, written rules on what data goes into which tool — the kind your team will actually follow. Free first conversation. Informative content, not legal advice.
Where does my data actually go when I use an AI tool?
It depends entirely on the tool and the plan, which is exactly why it's worth checking before you commit. With a typical cloud AI service, your prompts and uploads are sent to the provider's servers, processed, and a response comes back. The things that vary — and that you can usually find in the documentation — are whether your inputs are used to train future models, how long they're retained, where the servers physically are, and who the provider's own sub-processors are.
Consumer free tiers and business tiers often behave very differently here. Business and enterprise plans typically promise no training on your data, shorter retention and clearer contractual terms; free tiers are frequently looser.
In general, before trusting a tool with anything that matters, you should be able to answer three questions: is my input used for training, how long is it kept, and in which country is it processed? If the provider won't tell you clearly, that's a signal in itself.
GiBSeS — Reading the boring data clauses so you don't have to is part of how we vet tools — we flag the ones that won't answer those three questions. The first conversation is free. Informative content, not legal advice.
Do I need a DPIA (Data Protection Impact Assessment)?
Sometimes. A DPIA is a structured assessment the GDPR requires before processing that is 'likely to result in a high risk' to people's rights — for example large-scale profiling, systematic monitoring, or processing of sensitive data. Plugging AI into such processing can push you over that threshold; using a chatbot to draft marketing copy almost certainly doesn't.
In general, the trigger isn't 'we use AI' but 'what we're doing with personal data'. If your AI use case involves automated decisions about people, profiling at scale, or sensitive categories of data, a DPIA is likely warranted and is genuinely useful — it forces you to think through risks before they bite. For ordinary productivity uses it usually isn't required.
In most cases an SME has only one or two use cases that might need a DPIA, if any. Where it's a close call, that's a good moment to involve a data-protection professional rather than guess.
GiBSeS — We help you spot which of your use cases might cross the DPIA threshold so you neither skip a real one nor build paperwork you don't need. Free first conversation. Informative content, not legal advice.
What legal basis do I need — and is consent always required?
No, consent is not the only option and often not the best one. Under the GDPR, every processing of personal data needs a legal basis, and there are several: consent, performance of a contract, a legal obligation, vital interests, a public task, or 'legitimate interests'. For many ordinary business uses, contract or legitimate interests fit better than consent, which is fragile because it can be withdrawn at any time.
Using AI doesn't change the menu of legal bases; it just means you apply the same logic to whatever personal data the AI touches. If you were already processing customer data on a valid basis, running part of that process through an AI tool generally doesn't require a fresh basis — though it may change what you tell people about how the data is handled.
In general, the mistake to avoid is reflexively asking for consent everywhere. Pick the basis that genuinely matches the purpose, and document the reasoning.
GiBSeS — We help you map each AI use case to a sensible legal basis and update your privacy notice accordingly — without drowning customers in consent banners. The first conversation is free. Informative content, not legal advice.
What about transferring data outside the EU, e.g. to the USA?
This is one of the most common AI compliance questions, because many popular tools are run by US companies. The GDPR allows transfers outside the EU, but only with safeguards. In general, a transfer to the US is covered if the provider is certified under the EU-US Data Privacy Framework, or if you rely on Standard Contractual Clauses plus, where needed, additional measures. The provider's documentation usually states which mechanism applies.
For an SME the practical task is modest: check that your provider offers a valid transfer mechanism and, ideally, an EU data-processing region if one is available. Many business-tier services now do.
In most cases you don't have to avoid US tools entirely — you have to choose ones that handle transfers properly and say so clearly. Because the legal framework here has shifted before, it's a reasonable area to keep an eye on and to confirm with a professional if the data is sensitive.
GiBSeS — We check the transfer mechanism and data-region options when we shortlist tools for you, so cross-border data isn't a surprise later. Free first conversation. Informative content, not legal advice.
Am I the 'controller' or the 'processor'? Why does it matter?
For most SMEs using AI, you are the data 'controller': you decide why and how personal data is processed. The AI vendor is usually the 'processor', acting on your instructions, and the chain may include their own sub-processors. The distinction matters because the controller carries the primary accountability — you're the one your customers and regulators look to.
In practice this means a few concrete things. You should have a data-processing agreement (DPA) in place with the AI provider, you should know who their sub-processors are, and you remain responsible for choosing a provider that offers adequate guarantees. The vendor handling the data doesn't transfer your responsibility away; it shares part of the operational duty.
In general, an SME's job here is straightforward: make sure each AI provider you use has signed a proper DPA and that you understand, at a high level, who touches the data downstream.
GiBSeS — We help you check that each tool comes with a real data-processing agreement and a clear sub-processor list — the basics that are easy to overlook. The first conversation is free. Informative content, not legal advice.
What are the fines under the AI Act and GDPR, and who pays them?
Both regimes carry fines scaled to turnover, which sounds alarming but is worth seeing in proportion. Under the GDPR, the heaviest breaches can reach up to 4% of global annual turnover or 20 million euro, whichever is higher. The AI Act sets its own tiers, with the steepest penalties — up to 7% of turnover or 35 million euro — reserved for using prohibited AI systems, and lower bands for other breaches.
These headline maxima are aimed at serious, often deliberate violations by large players, not at a small company that made a good-faith mistake with a chatbot. Regulators generally weigh the nature, gravity and intent of a breach. Who pays depends on role: the deployer for deployment failings, the provider for product failings.
In general, for an SME acting reasonably the realistic risk is far smaller than the headline numbers, but the duty to act reasonably is real. If you're unsure where you stand, a professional check is sensible.
GiBSeS — We help you focus on the handful of things that actually reduce risk, rather than fearing a fine designed for very different companies. Free first conversation. Informative content, not legal advice.
What's the Cyber Resilience Act, and does it touch my AI use?
The Cyber Resilience Act (CRA) is a separate EU law about the cybersecurity of products with digital elements — broadly, software and connected devices placed on the market. It puts security duties mainly on manufacturers: secure-by-design development, vulnerability handling, and security updates over a product's lifetime.
For an SME that uses AI rather than sells software products, the CRA mostly reaches you indirectly: it pushes the tools and devices you buy to be more secure, which is good news. You become directly subject to it chiefly if you develop and place digital products on the market yourself. Where AI is embedded in a product, the CRA's security obligations and the AI Act's obligations can overlap and have to be read together.
In general, for a typical SME user the CRA is a reason to prefer vendors who take product security seriously, rather than a heavy new duty of your own.
GiBSeS — Vendor security posture is part of what we look at when we help you choose tools, so CRA-driven quality works in your favour. The first conversation is free. Informative content, not legal advice.
When does the AI Act actually take effect?
The AI Act doesn't switch on all at once; it phases in. It entered into force in 2024, and different obligations apply on a staggered timeline. In general terms, the bans on prohibited uses and the AI-literacy duty came first, in early 2025. Obligations for general-purpose AI models followed during 2025. The bulk of the high-risk system rules apply later, with key dates in 2026 and a longer runway into 2027 for certain categories tied to existing product-safety legislation.
For an SME the practical implication is that you don't face one cliff-edge deadline; you face a sequence, and most of what affects ordinary users — transparency and AI literacy — is already live. The heavier high-risk obligations, which most small companies won't trigger at all, arrive later.
In most cases the sensible move is to handle the duties already in force now, and revisit the timeline as the later phases approach rather than rushing to over-comply early.
GiBSeS — We help you act on what's already required and calmly plan for what's coming, instead of treating every deadline as an emergency. Free first conversation. Informative content, not legal advice.
Does running AI on-premise or 'sovereign' help with compliance?
It can help with specific concerns, but it isn't a magic compliance switch. Running models on your own servers, or on EU-based 'sovereign' infrastructure, keeps data physically closer and can simplify questions about transfers, retention and who has access. For genuinely sensitive data — health, legal, certain trade secrets — that control is a real advantage and sometimes the deciding factor.
The trade-offs are honest ones: on-premise AI costs more to set up and maintain, the open models you can run yourself are often less capable than the best cloud ones, and 'sovereign' is a label, not a guarantee — you still have to check what it actually delivers. Compliance also depends on how you use the system, not just where it runs.
In general, on-premise is worth it when data sensitivity or sovereignty requirements clearly justify the extra cost, and overkill when they don't. It's a tool, not a default answer.
GiBSeS — We help you judge honestly whether on-premise is justified for your data, or whether a well-chosen cloud setup is enough — no in-house bias either way. The first conversation is free. Informative content, not legal advice.
Do I need an audit trail for AI, and what does accountability mean?
Accountability is a core GDPR principle: you should not only comply but be able to show you comply. For AI use that means keeping a light but real record — which tools you use, for what, on what data, on what legal basis, and what you decided about risks. It's the difference between 'we think we're fine' and 'here's why we're fine'.
An audit trail in the technical sense — logs of what a system did and when — matters most for higher-risk uses, especially anything that affects people's rights, where being able to reconstruct a decision is important. For ordinary productivity tools, the record can be far lighter: a simple internal register is usually enough.
In general, the goal isn't bureaucracy for its own sake; it's being able to answer, calmly and quickly, 'what are we doing, and why is it reasonable'. For an SME a single living document often covers most of this.
GiBSeS — We help you set up a one-page register that satisfies accountability without turning into a paperwork project. Free first conversation. Informative content, not legal advice.
How do people's GDPR rights work when AI is involved?
Individuals keep all their usual GDPR rights even when AI is in the picture: access to their data, rectification, erasure, objection, and so on. Using an AI tool doesn't suspend any of this. In practice this means you must still be able to find, correct or delete someone's personal data, including data that has passed through an AI system, and to explain in general terms how it's used.
There is one extra right worth knowing: in general, people have the right not to be subject to a decision based solely on automated processing that produces significant effects on them — think fully automated hiring or credit rejections — without safeguards such as meaningful human involvement. The fix is usually to keep a human genuinely in the loop for consequential decisions.
In most cases, ordinary AI-assisted work doesn't trigger this, because a person is still making the call. The duty bites when the machine decides alone and the stakes are high.
GiBSeS — We help you design consequential processes so a human stays genuinely in the loop and individual rights remain easy to honour. The first conversation is free. Informative content, not legal advice.
Who's responsible if the AI gets something wrong?
In general, the responsibility for how AI output is used sits with the business that uses it, not with the tool. If an AI assistant drafts a wrong figure and you send it to a client, that's your output — much as a junior's draft becomes your responsibility once you sign it off. This is precisely why human review matters for anything that carries consequences.
Where a fault clearly lies in a defective product or a provider's breach of contract, liability can shift partly toward the provider, and EU rules on product and AI liability are evolving to clarify these chains. But for everyday mistakes — a hallucinated fact, a clumsy email — the realistic answer is that you own what you publish, decide or send.
In most cases the practical safeguard is simple and unglamorous: treat AI output as a draft, review what matters, and don't let a machine's confidence substitute for your judgment. For disputes involving real harm, this is squarely a question for a lawyer.
GiBSeS — We help you decide which outputs need human sign-off and which don't, so responsibility stays clear and manageable. Free first conversation. Informative content, not legal advice.
What should I definitely NOT do with AI?
A short list covers most of the real danger. Don't paste personal, confidential or client data into unvetted free tools — that's the single most common mistake. Don't use AI for the prohibited purposes the AI Act bans, such as manipulative systems or social scoring. Don't let AI make consequential decisions about people — hiring, firing, credit, benefits — with no human involvement. Don't publish AI-generated content as if a human checked it when nobody did. Don't pretend a chatbot is a human when the rules say to disclose. And don't assume 'the vendor handles compliance' absolves you as the user.
None of these require deep legal knowledge; they're mostly common sense made explicit. The companies that get into trouble usually skipped the obvious, not the obscure.
In general, if a use case feels like it could seriously affect a person or expose sensitive data, slow down and check it — that instinct is usually right.
GiBSeS — We help you turn this 'don't' list into a one-page internal policy your team can actually remember. The first conversation is free. Informative content, not legal advice.
Where do I start if I want to be compliant?
Start with an inventory, not a lawyer. List the AI tools you actually use and what each one does. For each, note two things: does it touch personal data, and does it make or heavily influence decisions about people. That single pass sorts almost everything into 'low concern' and 'needs attention'.
From there, the first practical steps are usually modest: choose business-tier tools with proper data-processing agreements, write simple internal rules on what data goes where, run a short AI-literacy briefing for staff, and keep a one-page register of it all. For the handful of use cases that touch sensitive data or automated decisions, that's where a DPIA or a professional review earns its keep.
In general, compliance for an SME is less about big projects and more about a few good habits, written down. You don't need to do everything at once; you need to know what you have and tackle the riskier bits first.
GiBSeS — We can run this inventory with you in one session and hand you a clear, prioritised list of what to do — and what you can safely ignore. Free first conversation, no obligation. Informative content, not legal advice.
Does AI make GDPR compliance harder than before?
Not fundamentally — it mostly applies the same old principles to new tools. The GDPR has required lawful, transparent, minimised and secure processing of personal data for years. AI doesn't rewrite those principles; it just adds a few new places to apply them: what goes into a prompt, where the provider sends it, whether your inputs train someone's model.
The genuinely new wrinkles are modest for most SMEs: being careful about pasting personal data into tools, picking providers with sound data terms, and watching automated decisions. If your data house was reasonably in order before AI, extending that order to AI tools is an incremental step, not a rebuild.
In general, the companies that struggle are usually those that were already loose with personal data; AI just makes existing gaps more visible. Tightening the basics is the highest-value move, and it pays off well beyond AI.
GiBSeS — We help you extend your existing data practices to cover AI tools, building on what you already have rather than starting over. The first conversation is free. Informative content, not legal advice.
A vendor says their tool is 'fully AI Act and GDPR compliant' — can I trust that?
Treat it as a starting point, not a conclusion. No single product can make you compliant, because a large part of compliance depends on how you use it and on your own role as controller and deployer. A vendor can be compliant as a product and you can still be non-compliant in how you deploy it — for example by feeding it data you shouldn't, or using it for a purpose it wasn't designed for.
Useful claims are specific and verifiable: a named transfer mechanism, a real data-processing agreement, a clear sub-processor list, documented retention, no training on your data. Vague badges like 'GDPR-ready' or 'AI Act compliant' with nothing behind them are marketing, and sometimes a red flag.
In general, a serious vendor will happily show you the documents; one that won't is telling you something. The responsibility for the overall picture stays with you, which is exactly why independent scrutiny helps.
GiBSeS — Cutting through compliance marketing to the documents that actually matter is core to how we vet tools — independent, with nothing to sell you ourselves. Free first conversation. Informative content, not legal advice.
How do I know if I'm using a 'high-risk' AI system?
High-risk isn't about how powerful the AI feels; it's about the use case. The AI Act lists the areas that count as high-risk, and they cluster around decisions with real consequences for people: recruitment and worker management, access to education, creditworthiness and essential services, certain critical infrastructure and safety components, law enforcement and migration, and a few others. If your AI sits in one of those areas, it's likely high-risk and carries the heaviest obligations.
For most SMEs, the honest answer is that none of their tools are high-risk — drafting, summarising, scheduling and analysis usually aren't. The moment to pay attention is when AI starts screening people or gating access to something important.
In general, ask one question of each tool: does it help decide something significant about a specific person? If yes, look closely; if no, you're almost certainly in the lighter bands. Where it's borderline, that's a good point to get professional input.
GiBSeS — We help you check whether any of your use cases stray into high-risk territory, so you're neither caught out nor over-burdened. The first conversation is free. Informative content, not legal advice.
Is it riskier to use a small AI startup than a big provider?
Each has different risks, and bigger isn't automatically safer. Large providers tend to have mature data-processing agreements, formal transfer mechanisms and clear documentation — which lowers your compliance friction. But they can also be less flexible, harder to get answers from, and they process data at vast scale. A smaller, specialised vendor may give you closer support and clearer answers, but might lack robust contracts, proper sub-processor transparency, or staying power.
The real question isn't size; it's whether the provider can answer the basics: where data goes, whether it trains on your inputs, what contract they offer, who their sub-processors are, and whether they'll still exist next year. A small vendor that answers crisply can be a safer bet than a giant that buries you in legalese.
In general, judge providers on transparency and contractual substance, not logo size — and don't put irreplaceable data with anyone whose continuity you doubt.
GiBSeS — We assess providers of any size on the things that actually protect you, so you choose on substance rather than reputation alone. Free first conversation. Informative content, not legal advice.
This content is informational and does not constitute legal advice. For your specific case, talk to a qualified professional.
Worried about getting AI compliance wrong? Let's make it simple — no pitch.
Bring your tools, your data questions and your worst-case worries. In one free conversation we'll help you sort what genuinely applies to your business from what's just noise, and hand you a clear, prioritised list of next steps — independent, with no software to sell you. Where the right answer is 'talk to a lawyer', we'll say so plainly. This is informative content, not legal advice, and the first exploratory conversation is free.
Book a free exploratory conversation