Your GDPR processing register is already your AI Act dossier: you are 70% done
AI Act, GDPR, Compliance
You spent months on your GDPR documentation. Processing register set up, data processing agreements in place, legal bases documented. Then the AI Act enters your field of vision and you think: another entire project on top of everything else.
It is less daunting than it looks. Chances are you have already done most of the work.
This article explains why your existing GDPR documentation is the starting point for AI Act compliance, what you can reuse directly, and what still needs to be added.
Why your processing register is already 70% correct
The AI Act places obligations on organisations that use AI systems. Those obligations centre on three core questions: what does the system do, which data does it process, and who is responsible?
Those three questions you have already answered in your processing register.
Look at what you already record for GDPR:
The purpose of processing is already there. The AI Act asks the same: what do you use this system for? You can copy the formulation directly or adapt it slightly.
The responsible person is already there. The AI Act requires an accountable party per AI system. In most SMB organisations, that is the same person as the controller in your GDPR register.
The categories of personal data are already there. If an AI system processes personal data, you have already documented those data categories for your processing register. That information forms the direct foundation for your AI Act dossier.
The processors and vendors are already there. The AI Act requires information about the provider of the AI system. If you use a system from a vendor, you have already recorded the vendor details.
This is not accidental overlap. The EU deliberately designed the AI Act with GDPR as a reference point. Organisations that are already GDPR-compliant do not start from zero.
What you can concretely reuse
Take your processing register and identify the entries where an AI tool is involved. That is your starting point for your AI Act documentation.
For each AI system that processes personal data, you can directly copy or reuse the following fields:
Purpose of processing, name and contact details of the controller, categories of personal data involved, retention periods, name and contact details of processors and sub-processors. You already complete this information for your GDPR register and it is directly reusable.
This saves not only effort. It also ensures that both registers are consistent, which supervisory authorities expect.
What you still need to add
The processing register covers the GDPR side. For the AI Act there are additional fields you do not yet have.
Risk class. The AI Act classifies AI systems into four categories: unacceptable risk (prohibited), high risk, limited risk and minimal risk. This is the first thing to determine per system. For most AI tools that SMBs use, the answer is reassuring: email tools, calendar assistants and search functionality typically fall into minimal risk.
AI type. The AI Act distinguishes between types of AI systems based on how they work: machine learning, deep learning, pattern recognition. You document this per system.
Human oversight. The AI Act requires high-risk AI systems to have structured human oversight: someone who can review and correct the system's decisions. If your system falls in the high-risk category, describe who exercises that oversight and how.
Technical documentation (for high risk only). High-risk AI systems require additional documentation on accuracy, robustness and cybersecurity measures. This is more extensive than what you already have, but affects most SMBs minimally: the majority of AI tools you use as a deployer do not fall in the high-risk category.
The 30% difference in perspective
The 70% you already have covers the broad documentation base: what you process, for what purpose, who is responsible, which parties are involved. That is the foundation on which supervisory authorities assess whether you take compliance seriously.
The 30% you add is largely risk class determination and AI type. For most SMB organisations, that is an afternoon's work, not a months-long project.
The exception is if you use high-risk AI systems, such as tools for personnel selection, credit assessment or biometric identification. The technical documentation is more extensive in those cases. But you likely already know this: these are systems you knew were sensitive when you adopted them.
How to approach this practically
Step 1: Map your AI systems. List all AI tools your organisation uses. Ask employees to actively contribute, because AI use spreads quickly across departments. Our article on building an AI inventory gives you a structured approach.
Step 2: Match against your processing register. For each AI system, check whether it processes personal data. If yes: find that processing entry in your register. That is your starting point for the AI Act entry of this system.
Step 3: Add the AI Act fields. Determine the risk class, the AI type and the responsible person for oversight. Read our article on determining AI Act risk class if you are unsure which category applies.
Step 4: Document human oversight. For each high-risk system, write down who reviews the system's decisions, how that works in practice, and how a decision can be corrected.
Step 5: Keep both registers current. GDPR and AI Act are living documents. When you adopt a new AI system, add it to your processing register (if it processes personal data) and your AI register at the same time.
A living register works better than a one-time document
The biggest risk with compliance documentation is that it becomes a project rather than a habit. You set it up, archive it and only revisit it when an audit looms.
That does not work for GDPR. It works even less for the AI Act, because the AI landscape moves fast. Tools your team uses today may not exist in six months. New tools come in. Risk classes can shift as a tool's functionality expands.
A living register grows with your organisation. You update it when something changes, not only when scrutiny threatens. You can show it to a customer asking for proof of compliance.
ComplianceHive combines your processing register and your AI systems register in one platform. You record an AI system that processes personal data once, and it appears automatically in both registers. This way you maintain both obligations without doing the work twice. Try it free for 30 days.
Frequently Asked Questions
Can you use your existing GDPR processing register for the AI Act?
Yes, as a starting point. Information about purpose, responsible person, processing activities and data categories is directly reusable for your AI Act documentation. What you add: the risk class of the AI system, the AI type, human oversight arrangements and technical documentation requirements.
Which fields from my processing register do I need for the AI Act?
Purpose of processing, categories of personal data, name and contact details of the controller, retention periods and information about processors. All the fields you already complete for your GDPR register form the foundation for your AI Act documentation.
What do I need to document additionally for the AI Act?
For AI systems that fall under the AI Act, you add: the risk class, the AI type, a description of human oversight, and for high-risk systems technical documentation on accuracy, robustness and cybersecurity.
Do I need a separate AI register alongside my processing register?
Yes. The processing register and the AI register serve different supervisory authorities and have partially different fields. ComplianceHive records AI systems that process personal data in both registers simultaneously, so you do not need to enter the same information twice.
What is the most practical starting point for AI Act compliance as an SMB?
Take out your existing processing register. Identify which processing activities involve AI systems. Determine the risk class per system. Add the AI Act fields to those entries. This way you build your AI Act documentation on work you have already done.