Data Compliance and Legal Governance: GDPR, the EU AI Act, and Corporate Liability

by Juil 12, 2026International Expertise, Uncategorized

Data compliance and legal governance GDPR EU AI Act

Data compliance is no longer a topic confined to legal or the DPO — it has become a board-level issue, for a simple reason: between GDPR and the EU AI Act, the sanctions and personal liabilities at stake have changed scale. An executive who discovers, after the fact, that an HR or marketing AI tool deployed in the company is classified « high-risk » with no supporting documentation can no longer hide behind technical ignorance.

This guide is for executives, DPOs, legal counsel, and data leaders who need to translate these two regulatory frameworks into operational governance — not just a compliance binder gathering dust.

1. Why data compliance became a board-level topic

Three developments explain this shift. First, the scale of GDPR fines, which can reach 4% of global annual turnover — an amount that immediately captures a board’s attention. Second, the proliferation of AI tools deployed across the business without central validation, often purchased directly by business units (marketing, HR, sales) without IT or legal sign-off. Third, the progressive rollout of the EU AI Act, which introduces a risk classification directly enforceable against the deploying company, not just the technology vendor.

The concrete outcome seen in engagements: executive committees discovering, often during an audit or a divestiture due diligence, that they’ve been using a scoring or recommendation tool for months that no one ever evaluated for regulatory classification.

2. GDPR fundamentals companies still get wrong

Nearly eight years after it took effect, GDPR remains poorly applied on fundamental points in many organizations. The legal basis for each processing activity is rarely documented activity by activity — many companies default to « legitimate interest » without a documented balancing test. Data minimization is systematically neglected: data is collected « just in case » rather than what’s strictly necessary for the stated purpose. Retention periods are rarely enforced automatically, letting risk-bearing data volumes grow without justification. And data subject rights (access, rectification, objection, portability) are often handled manually without a formalized process, extending legal response deadlines.

These gaps aren’t limited to small businesses: they show up regularly in sizeable groups, simply because data governance was never built systematically, processing activity by processing activity.

3. The EU AI Act: risk classification explained

The EU AI Act structures AI systems into four risk tiers: unacceptable (banned, such as generalized social scoring), high risk (subject to enhanced obligations), limited risk (transparency obligations), and minimal risk (no specific obligation). The « high-risk » classification notably covers systems used for recruitment, employee evaluation, credit granting, creditworthiness assessment, and certain uses in education and healthcare.

What fundamentally changes compared to GDPR: the AI Act imposes obligations not only on the technology provider, but also on the deployer — meaning the company using the tool, even if it didn’t develop it. An SME that buys an HR scoring tool from a third-party vendor remains responsible for its own usage documentation.

4. High-risk AI systems: what actually changes

For a system classified as high-risk, the deploying company must notably: ensure effective (not merely theoretical) human oversight over generated decisions, document the use cases and limitations of the system, inform affected individuals when a decision significantly impacts them, and maintain decision traceability enabling after-the-fact review.

Concretely, this means a CV pre-screening tool can’t run on full autopilot without documented human intervention at a checkpoint in the process, and the company must be able to demonstrate, in case of a challenge, the basis on which the system generated its recommendation.

5. Personal liability for executives

An often underestimated point: compliance liability for data doesn’t stop at the corporate entity. Depending on jurisdiction and the severity of the breach, an executive’s personal liability can be engaged, particularly in cases of characterized and repeated non-compliance, or a failure to implement corrective measures after a documented warning (DPO, internal audit, whistleblower report).

This dimension changes the nature of the issue: it’s no longer just a financial risk for the company, but a personal risk for executives who haven’t put minimal governance in place and haven’t acted on documented warnings.

6. Records of processing and DPIAs

The record of processing activities (GDPR Article 30) remains the reference document, but it must now be complemented by a Data Protection Impact Assessment (DPIA) for any processing activity likely to result in a high risk to individuals’ rights — which mechanically includes most AI systems classified as high-risk under the AI Act. A well-conducted DPIA documents the purpose, proportionality, identified risks, and mitigation measures adopted — before deployment, not after.

7. Governing vendors and international transfers

Compliance doesn’t stop at the company’s borders: every processor (cloud host, SaaS vendor, AI provider) must be covered by a GDPR Article 28-compliant data processing agreement, and any data transfer outside the EU must rest on a valid legal mechanism (standard contractual clauses, adequacy decision). Many companies discover late that a SaaS tool used daily actually hosts data on non-EU servers without a documented transfer mechanism.

8. Building a compliance matrix

An operational compliance matrix cross-references, for each system or processing activity: GDPR classification (legal basis, data categories), AI Act classification where applicable (risk level), the business owner, the DPO or legal referent, and compliance status (compliant, in progress, to be addressed). This matrix, updated with every new tool deployment, enables continuous steering rather than a one-off audit every two or three years that discovers problems too late.

9. Preparing for a regulatory audit

A regulatory audit, whether triggered by a complaint, a report, or a sector-wide priority theme for the year, is prepared upstream, not at the moment of notification. The elements that make the difference: a record of processing activities that’s current and consistent with actual operations (not just what was documented during the initial GDPR compliance push years ago), the ability to demonstrate security measures actually in place, and traceability of data governance decisions.

10. A realistic compliance roadmap

The roadmap that works on the ground always starts with an honest assessment: mapping existing processing activities, including those never formally documented. Next comes risk-based prioritization — addressing high-risk processing activities and AI systems classified as such before lower-stakes compliance topics. Finally, establishing continuous governance (a review committee for new tools, a living compliance matrix) rather than a one-off exercise that becomes obsolete the following quarter.

Expert perspective

On data governance engagements across multi-country environments, the first warning sign I look for isn’t technical — it’s asking who, in the organization, has the real authority to block a new tool’s deployment until its compliance is validated. If the answer is « no one » or « it depends, » governance exists on paper but not in practice — and that’s exactly the kind of situation a regulatory audit or litigation reveals after the fact, at the worst possible moment.

FAQ

Is an SME subject to the EU AI Act the same way a large group is?
Yes, obligations apply based on the classification of the system used, not company size — an SME deploying a high-risk system has the same documentation and human oversight obligations as a large group.

Who should own EU AI Act compliance internally?
Ideally a joint DPO, legal, and IT committee, with mandatory sign-off before deploying any new AI-enabled tool, regardless of which business unit requested it.

How long does full compliance take?
An initial mapping and risk prioritization takes 2 to 3 months. Full compliance, including necessary DPIAs, typically spans 6 to 18 months depending on the number of systems involved.

Can an executive really be held personally liable?
Yes, particularly in cases of characterized non-compliance and failure to act on a documented warning — recognized as an aggravating factor in several European jurisdictions.

Next steps

If your company has deployed AI tools without centralized compliance validation, the risk grows with every new use case. Check out our Data Governance in the Age of Agentic AI e-book, or contact us for a GDPR and EU AI Act compliance audit.

References

Notoriti — field experience from data governance and regulatory compliance engagements across multi-country environments. General Data Protection Regulation (EU) 2016/679. EU Artificial Intelligence Act (EU) 2024/1689.

Steeve Vignissy

Senior consultant and Director in digital strategy and data, During 15 years, I have supported numerous companies in their transformation in France and internationally. Throughout my missions, I have managed projects at the crossroads of information systems, marketing, and data, ensuring alignment between business needs and technical constraints. I design, redesign, and implement integrated digital solutions (ERP, CRM, BI, AI) with a pragmatic, performance-driven approach focused on simplicity and tangible value creation. Known for my rigor and result-oriented mindset, I ensure each project contributes meaningfully to organizational growth and digital modernization.

Notoriti Decision Intelligence, Data & AI Strategy Designing decision-making frameworks powered by data, BI and AI.

Be the first to discover our news

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!