Skip to main content

Compliance Guides

In-depth, plain-English guides to EU AI Act and GDPR compliance — written for the people who have to actually do the work.

EU AI Act

EU AI Act Explained: Complete Guide 2026

The four risk tiers, enforcement timeline, and obligations for providers and deployers.

EU AI Act

EU AI Act Fines & Penalties 2026

The full penalty structure — €35M / 7% down to €7.5M / 1% — and how fines are actually calculated.

EU AI Act

EU AI Act Deadlines & Compliance Timeline

Every enforcement date from August 2025 to August 2027 and what you must finish before each one.

EU AI Act

What Is High-Risk AI?

How Annex I and Annex III define high-risk AI, with concrete examples and the exemption test.

EU AI Act

EU AI Act Conformity Assessment: Step-by-Step

How to run an internal or notified-body conformity assessment and earn the CE marking.

EU AI Act

Annex IV Technical Documentation Guide

The nine sections of mandatory high-risk AI documentation, explained with a build order.

EU AI Act

Does the EU AI Act Apply to US Companies?

The extraterritorial reach test, the EU representative requirement, and a US compliance roadmap.

Governance

AI Governance Framework for Business

Build an AI governance programme that satisfies the EU AI Act, ISO 42001, and the NIST AI RMF.

EU AI Act

AI Compliance Checklist

A practical, step-by-step checklist to move an AI system from idea to compliant deployment.

GDPR

GDPR Compliance for Small Business

A no-jargon GDPR roadmap for SMEs: the seven principles, the records you need, and a 30-day plan.

GDPR

GDPR Data Processing Agreement (DPA) Guide

When you need a DPA, the Article 28 clauses it must contain, and how to handle sub-processors.

GDPR

GDPR Penalty Calculator

How GDPR fines are calculated under the EDPB methodology, with worked examples.

GDPR

GDPR vs UK GDPR

The real differences after Brexit: supervisory authorities, fine caps, transfers, and AI.

GDPR

GDPR Compliance Checklist

How to comply with GDPR in 10 steps — RoPA, lawful basis, privacy notice, DPIAs, and 72-hour breach response.

DSA

DSA Compliance Checklist

How to comply with the Digital Services Act: tier classification, notice-and-action, transparency, and VLOP duties.

Compliance — frequently asked questions

What is the difference between GDPR and CCPA?

GDPR protects the personal data of people in the EU/EEA and applies to any organisation processing that data, wherever the organisation is based; the CCPA protects the personal information of California residents and only applies to businesses meeting its thresholds (broadly, over $25m annual revenue, or handling the personal information of large numbers of California consumers, or earning significant revenue from selling/sharing it). GDPR is consent-and-lawful-basis led with fines up to €20m or 4% of global annual turnover (Article 83); the CCPA is disclosure-and-opt-out led. Many businesses must comply with both.

Does the EU AI Act replace GDPR?

No. The EU AI Act and GDPR apply together and cover different things. GDPR governs the protection and processing of personal data; the EU AI Act governs the development, provision, and use of AI systems and general-purpose AI models placed on the EU market. An AI system that processes personal data must satisfy both at once — the AI Act does not exempt you from GDPR, and GDPR does not by itself cover AI-specific risks like prohibited practices or high-risk-system obligations.

Which data protection law applies to my business?

Work through where your users and operations are: if you process the personal data of anyone in the EU/EEA, GDPR applies (regardless of where you are based); if you handle the personal information of California residents and meet the CCPA thresholds, the CCPA applies; if you develop, deploy, or place an AI system on the EU market, the EU AI Act applies; and if you run an online platform or intermediary serving EU users, the DSA may apply. These overlap — most online businesses fall under more than one, so map each before assuming you are covered.

What is the difference between the EU AI Act and the DSA?

The EU AI Act regulates AI systems themselves — banning certain practices, imposing obligations on high-risk systems and general-purpose AI models, and setting transparency duties for things like chatbots and synthetic media. The Digital Services Act (DSA) regulates online platforms and intermediaries — how they handle illegal content, notice-and-action, advertising transparency, and (for very large platforms) systemic-risk assessments. One targets the AI you build or use; the other targets the platform you run. A company can fall under both, for example an online marketplace that also uses an AI recommender.

Do I need to comply with GDPR if my business is not in the EU?

Quite possibly, yes. GDPR has extraterritorial reach: it applies to any organisation, anywhere, that offers goods or services to people in the EU/EEA or monitors their behaviour. A US or UK company with EU customers, EU website visitors it tracks, or EU users it markets to generally falls in scope. Being outside the EU does not exempt you; if you target or monitor people in the EU, you need a lawful basis, transparency, and the data-subject-rights processes GDPR requires.

Can complying with GDPR make me compliant with CCPA too?

Partly, but not automatically. A strong GDPR programme covers much of what the CCPA needs — data inventories, transparency notices, and individual rights handling — so it is a head start. But the CCPA has distinct requirements GDPR does not, notably a clear 'Do Not Sell or Share My Personal Information' mechanism, specific notice-at-collection wording, and its own definitions and thresholds. Treat GDPR compliance as a foundation, then close the CCPA-specific gaps rather than assuming one covers the other.

Need it done, not just explained?

Our fixed-scope AI Act + GDPR sprint delivers production-ready documentation in 5–15 business days.