Quick answer

GDPR and the EU AI Act are separate regulations with overlapping requirements. For high-risk AI systems processing personal data, you need both a Data Protection Impact Assessment (GDPR Article 35) and a Fundamental Rights Impact Assessment (AI Act Article 27). Done right, you run them as a single combined workflow — they share 60%+ of the evidence.

Where they overlap

Automated decision-making — GDPR Article 22 and AI Act high-risk obligations both apply.
Data governance — GDPR data-minimisation vs AI Act Article 10 training-data quality.
Transparency — GDPR Articles 13/14 and AI Act Article 13.
Human oversight — GDPR Article 22 safeguards and AI Act Article 14.
Accuracy — GDPR Article 5(1)(d) and AI Act Article 15.

Where they diverge

Scope: GDPR covers personal data only; AI Act covers AI systems whether or not they process personal data.
Lawful basis: GDPR requires Article 6 lawful basis; AI Act does not.
Sanctions: GDPR up to 4% global turnover; AI Act up to 7%.
Territorial reach: Different extraterritorial triggers.

The combined DPIA + FRIA workflow

Scope: define the AI system and the personal data it processes.
Necessity and proportionality: why the AI system, why this data.
Risk identification: both to data subjects (GDPR) and fundamental rights (AI Act).
Risk measures: technical and organisational safeguards.
Consultation with DPO and data subjects where required.
Signed by controller (GDPR) and deployer (AI Act) — often the same entity.
Notified to the market surveillance authority (AI Act) and kept on file (GDPR).

Practical tips

Run them together. Don't let separate teams run separate processes.
Use a shared template. The GDPR checklist and the FRIA guide share most evidence.
Document the exercise. Regulators ask for it.