When EU AI Act compliance collides with GDPR reform

The EU AI Act is now fully operational in 2026, and compliance programmes that treated it as a future project are now running against live obligations. At the same time, the UK Information Commissioner’s Office has issued new guidance on automated decision-making, and the EU’s own GDPR reform agenda continues to advance. The result is that organisations operating on both sides of the Channel are managing three overlapping regulatory shifts at once.

The AI Act is no longer a planning exercise

With the AI Act in force, providers and deployers face concrete requirements around risk management, data governance, transparency, human oversight and record-keeping. High-risk systems must have quality management systems, post-market monitoring and incident reporting. General-purpose AI model providers must meet obligations on training data, model evaluation and systemic-risk mitigation. These are not guidelines. They are directly applicable law.

For many firms, the AI Act has absorbed the bulk of the compliance budget over the past year. That is understandable, but it creates a risk: GDPR and UK data-protection obligations do not pause while AI teams finalise their conformity assessments.

The ICO’s automated decision-making guidance

The ICO’s updated guidance on automated decision-making sharpens the picture in the UK. It restates that Article 22 of the UK GDPR restricts solely automated decisions with legal or similarly significant effects unless an exception applies. It also clarifies what counts as “meaningful human involvement” and when human review must occur before, not after, the decision is made.

For AI deployments that score customers, triage job applicants, approve loans or flag benefits claims, this guidance is directly relevant. A system that produces a recommendation a human rubber-stamps may still be caught by Article 22 if the human is not genuinely exercising judgment. The ICO has made clear that putting a person in the loop is not a compliance shortcut if that person has no real discretion.

GDPR reform adds another variable

The EU’s GDPR reform package, including the AI Act’s relationship with data protection law, is still evolving. Proposals around enforcement, cross-border procedures and the use of personal data for AI training are being debated. Firms should not build their AI governance around assumptions about where reform will land, because the final shape is uncertain.

What is certain is that GDPR principles — lawfulness, fairness, transparency, purpose limitation, data minimisation and accuracy — continue to apply to AI processing. The AI Act does not displace them. In some areas, such as training data documentation and bias monitoring, the two regimes reinforce each other.

How to keep the two regimes aligned

The most efficient approach is to treat AI governance and data-protection governance as a single programme, not two parallel workstreams.

Map AI systems to GDPR legal bases. Every AI system that processes personal data should have a documented legal basis, and that basis should be consistent with the purpose described in the AI Act risk assessment.

Align DPIAs and AI conformity assessments. A data protection impact assessment and an AI Act risk assessment often cover the same ground. Running them separately produces duplicate work and inconsistent conclusions.

Clarify human-in-the-loop roles. Define exactly what a human reviewer can change, what they must check, and what records they must keep. Vague assurances of oversight will not satisfy either regulator.

Watch the UK-EU divergence. The UK is increasingly charting its own course on both AI and data protection. A policy that works in one jurisdiction may need adjustment in the other.

The bottom line

The AI Act’s entry into force is a milestone, not a finish line. Firms that treat it in isolation from GDPR and ICO guidance will find themselves rebuilding their compliance architecture a second time. Better to design once for both regimes and adapt as reform settles.
