Toward Integrated Compliance with GDPR and the EU AI Act Based on Empirical Findings
Authors/Creators
Description
Abstract: This paper explores how the European Union is shaping rules for data and artificial intelligence (AI) through two key regulations: the General Data Protection Regulation (GDPR) and the EU Artificial Intelligence Act (AI Act). Those two regulations cover data topics, focusing on different aspects, both bringing challenges for organizations and individuals. This paper includes a survey conducted among data protection professionals to understand better how organizations deal with these challenges in practice. The results show that many organizations still have areas for improvement, especially when combining privacy and AI responsibilities. Based on this, the paper offers a simple and practical framework that helps organizations follow the GDPR and the AI Act in a transparent and integrated way. The goal is to support better decision-making, reduce legal and technical risks, and help with the responsible and trusted use of data and AI in the EU.
Originally published in: International Journal of Innovative Solutions in Engineering (IJISE), Vol. 1, No. 2, 2025. Official URL: https://ijise.ba/article/11/
Files
Vol.-1-No.-2-Article-11.pdf
Files
(557.8 kB)
| Name | Size | Download all |
|---|---|---|
|
md5:518814225ed694c712152bfa38006178
|
557.8 kB | Preview Download |
Additional details
Identifiers
Related works
- Is identical to
- Journal article: https://ijise.ba/article/11/ (URL)
- Is published in
- Journal: 3029-3200 (ISSN)
References
- M. Veale and F. Z. Borgesius, "Demystifying the Draft EU Artificial Intelligence Act — Analysing the good, the bad, and the unclear elements of the proposed approach," Computer Law Review International, vol. 22, no. 4, pp. 97–112, Aug. 2021, doi: https://doi.org/10.9785/CRI-2021-220402.
- S. Wachter, B. Mittelstadt, and L. Floridi, "Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation," International Data Privacy Law, vol. 7, no. 2, pp. 76–99, May 2017, doi: https://doi.org/10.1093/IDPL/IPX005.
- D. Clifford, M. Richardson, and N. Witzleb, "Artificial intelligence and sensitive inferences: new challenges for data protection laws in: Regulatory Insights on Artificial Intelligence," 2022. doi: https://doi.org/10.4337/9781800880788.00008.
- "Guidelines European Data Protection Board." Accessed: Mar. 23, 2025. [Online]. Available: https://www.edpb.europa.eu/our-work-tools/our-documents/publication-type/guidelines_en
- "Regulation - EU - 2024/1689 - EN - EUR-Lex." Accessed: Mar. 23, 2025. [Online]. Available: https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- "Regulation - 2016/679 - EN - gdpr - EUR-Lex." Accessed: Mar. 23, 2025. [Online]. Available: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
- "State of Privacy 2025 Report ISACA." Accessed: Jun. 23, 2025. [Online]. Available: https://www.isaca.org/resources/reports/state-of-privacy-2025
- A. D. Selbst and S. Barocas, "The Intuitive Appeal of Explainable Machines," Fordham Law Rev, vol. 87, no. 3, pp. 1085–1139, 2018, doi: https://doi.org/10.2139/SSRN.3126971.
- M. E. Kaminski, "Binary Governance: Lessons from the GDPR's Approach to Algorithmic Accountability," South Calif Law Rev, Jan. 2019, [Online]. Available: https://scholar.law.colorado.edu/faculty-articles/1265
- R. Knyrim, "Binding Corporate Rules: Corporate Self-Regulation of Global Data Transfers," International Data Privacy Law, vol. 5, no. 2, pp. 156–157, May 2015, doi: https://doi.org/10.1093/IDPL/IPV002.
- A. Mantelero and M. S. Esposito, "An evidence-based methodology for human rights impact assessment (HRIA) in the development of AI data-intensive systems," Computer Law & Security Review, vol. 41, p. 105561, Jul. 2021, doi: https://doi.org/10.1016/J.CLSR.2021.105561.
- H. Hijmans, "The European Union as Guardian of Internet Privacy," vol. 31, 2016, doi: https://doi.org/10.1007/978-3-319-34090-6.
- G. González Fuster, "The Emergence of Personal Data Protection as a Fundamental Right of the EU," vol. 16, 2014, doi: https://doi.org/10.1007/978-3-319-05023-2.
- N. Rieke et al., "The future of digital health with federated learning," NPJ Digit Med, vol. 3, no. 1, pp. 1–7, Dec. 2020, doi: https://doi.org/10.1038/S41746-020-00323-1.
- C. Troncoso, M. Isaakidis, G. Danezis, and H. Halpin, "Systematizing Decentralization and Privacy: Lessons from 15 Years of Research and Deployments," Proceedings on Privacy Enhancing Technologies, vol. 2017, no. 4, pp. 404–426, Jun. 2017, doi: https://doi.org/10.1515/popets-2017-0056.
- D. Hartmann, J. R. L. de Pereira, C. Streitbörger, and B. Berendt, "Addressing the regulatory gap: moving towards an EU AI audit ecosystem beyond the AI Act by including civil society," AI and Ethics, Aug. 2024, doi: https://doi.org/10.1007/S43681-024-00595-3.
- R. N. Nwabueze and M. White, "Privacy law and the dead – a reappraisal," Journal of Media Law, vol. 16, no. 2, pp. 468–502, Jul. 2024, doi: https://doi.org/10.1080/17577632.2024.2438395.
- M. M. Maas, "AI, Governance Displacement, and the (De)Fragmentation of International Law," in ISA Annual Convention, Mar. 2021. [Online]. Available: https://papers.ssrn.com/abstract=3806624