Research Article
This article belongs to Vol. 1 No. 2, 2025
T. Kaleb and I. Markić, “Toward Integrated Compliance with GDPR and the EU AI Act Based on Empirical Findings,” International Journal of Innovative Solutions in Engineering, vol. 1, no. 2, pp. 54–64, Jul. 2025, doi: 10.47960/3029-3200.2025.1.2.54.
pages 54-64
Abstract
This paper explores how the European Union is shaping rules for data and artificial intelligence (AI) through two key regulations: the General Data Protection Regulation (GDPR) and the EU Artificial Intelligence Act (AI Act). Both regulations address data, each focusing on different aspects, and both pose challenges for organizations and individuals. The paper includes a survey conducted among data protection professionals to better understand how organizations deal with these challenges in practice. The results show that many organizations still have areas for improvement, especially when combining privacy and AI responsibilities. Based on this, the paper offers a simple and practical framework that helps organizations follow the GDPR and the AI Act in a transparent and integrated way. The goal is to support better decision-making, reduce legal and technical risks, and help with the responsible and trusted use of data and AI in the EU.
Keywords
GDPR, AI Act, Data Governance, Risk Management, Privacy, Compliance, EU Regulation
ijise ID
11
Publication Date
Jul. 17, 2025