Compliance Guides
In-depth, plain-English guides to EU AI Act and GDPR compliance — written for the people who have to actually do the work.
EU AI Act Explained: Complete Guide 2026
The four risk tiers, enforcement timeline, and obligations for providers and deployers.
EU AI ActEU AI Act Fines & Penalties 2026
The full penalty structure — €35M / 7% down to €7.5M / 1% — and how fines are actually calculated.
EU AI ActEU AI Act Deadlines & Compliance Timeline
Every enforcement date from August 2025 to August 2027 and what you must finish before each one.
EU AI ActWhat Is High-Risk AI?
How Annex I and Annex III define high-risk AI, with concrete examples and the exemption test.
EU AI ActEU AI Act Conformity Assessment: Step-by-Step
How to run an internal or notified-body conformity assessment and earn the CE marking.
EU AI ActAnnex IV Technical Documentation Guide
The nine sections of mandatory high-risk AI documentation, explained with a build order.
EU AI ActDoes the EU AI Act Apply to US Companies?
The extraterritorial reach test, the EU representative requirement, and a US compliance roadmap.
GovernanceAI Governance Framework for Business
Build an AI governance programme that satisfies the EU AI Act, ISO 42001, and the NIST AI RMF.
EU AI ActAI Compliance Checklist
A practical, step-by-step checklist to move an AI system from idea to compliant deployment.
GDPRGDPR Compliance for Small Business
A no-jargon GDPR roadmap for SMEs: the seven principles, the records you need, and a 30-day plan.
GDPRGDPR Data Processing Agreement (DPA) Guide
When you need a DPA, the Article 28 clauses it must contain, and how to handle sub-processors.
GDPRGDPR Penalty Calculator
How GDPR fines are calculated under the EDPB methodology, with worked examples.
GDPRGDPR vs UK GDPR
The real differences after Brexit: supervisory authorities, fine caps, transfers, and AI.
GDPRGDPR Compliance Checklist
How to comply with GDPR in 10 steps — RoPA, lawful basis, privacy notice, DPIAs, and 72-hour breach response.
DSADSA Compliance Checklist
How to comply with the Digital Services Act: tier classification, notice-and-action, transparency, and VLOP duties.
Compliance — frequently asked questions
What is the difference between GDPR and CCPA?
GDPR protects the personal data of people in the EU/EEA and applies to any organisation processing that data, wherever the organisation is based; the CCPA protects the personal information of California residents and only applies to businesses meeting its thresholds (broadly, over $25m annual revenue, or handling the personal information of large numbers of California consumers, or earning significant revenue from selling/sharing it). GDPR is consent-and-lawful-basis led with fines up to €20m or 4% of global annual turnover (Article 83); the CCPA is disclosure-and-opt-out led. Many businesses must comply with both.
Does the EU AI Act replace GDPR?
No. The EU AI Act and GDPR apply together and cover different things. GDPR governs the protection and processing of personal data; the EU AI Act governs the development, provision, and use of AI systems and general-purpose AI models placed on the EU market. An AI system that processes personal data must satisfy both at once — the AI Act does not exempt you from GDPR, and GDPR does not by itself cover AI-specific risks like prohibited practices or high-risk-system obligations.
Which data protection law applies to my business?
Work through where your users and operations are: if you process the personal data of anyone in the EU/EEA, GDPR applies (regardless of where you are based); if you handle the personal information of California residents and meet the CCPA thresholds, the CCPA applies; if you develop, deploy, or place an AI system on the EU market, the EU AI Act applies; and if you run an online platform or intermediary serving EU users, the DSA may apply. These overlap — most online businesses fall under more than one, so map each before assuming you are covered.
What is the difference between the EU AI Act and the DSA?
The EU AI Act regulates AI systems themselves — banning certain practices, imposing obligations on high-risk systems and general-purpose AI models, and setting transparency duties for things like chatbots and synthetic media. The Digital Services Act (DSA) regulates online platforms and intermediaries — how they handle illegal content, notice-and-action, advertising transparency, and (for very large platforms) systemic-risk assessments. One targets the AI you build or use; the other targets the platform you run. A company can fall under both, for example an online marketplace that also uses an AI recommender.
Do I need to comply with GDPR if my business is not in the EU?
Quite possibly, yes. GDPR has extraterritorial reach: it applies to any organisation, anywhere, that offers goods or services to people in the EU/EEA or monitors their behaviour. A US or UK company with EU customers, EU website visitors it tracks, or EU users it markets to generally falls in scope. Being outside the EU does not exempt you; if you target or monitor people in the EU, you need a lawful basis, transparency, and the data-subject-rights processes GDPR requires.
Can complying with GDPR make me compliant with CCPA too?
Partly, but not automatically. A strong GDPR programme covers much of what the CCPA needs — data inventories, transparency notices, and individual rights handling — so it is a head start. But the CCPA has distinct requirements GDPR does not, notably a clear 'Do Not Sell or Share My Personal Information' mechanism, specific notice-at-collection wording, and its own definitions and thresholds. Treat GDPR compliance as a foundation, then close the CCPA-specific gaps rather than assuming one covers the other.
Need it done, not just explained?
Our fixed-scope AI Act + GDPR sprint delivers production-ready documentation in 5–15 business days.