Your processing register is already 70% of your AI Act dossier, here's how to connect them
GDPR, AI Act, Compliance
You have a processing register. Mandatory under Article 30 GDPR, and you have probably spent a couple of afternoons fighting with it. Now the AI Act is on its way. It feels like you have to start from zero again.
You don't.
Roughly speaking, your processing register already covers about 70% of what the AI Act asks. Purpose, data, subjects, supplier, retention period: it's all in there. The AI Act asks for a handful of extra fields on top of what you already have. That's it.
Below I'll show which fields overlap, which ones you're still missing, and how to keep both dossiers running in one workflow.
Why do the GDPR and AI Act overlap so heavily?
Both laws sit on the same foundation: transparency, risk management, and accountability. The GDPR is about personal data, the AI Act is about AI systems. The moment your AI system processes personal data (a chatbot, a recruitment tool, a prediction model), you're inside both frameworks at once.
That's not an accident. The AI Act references the GDPR in several places, and you'll recognize plenty of concepts you already know: data minimization, purpose limitation, documentation duty. The AI Act builds on the GDPR. It doesn't replace it.
Translation: you have more in hand than you think.
The five most important overlaps
Here are five core AI Act obligations, and which field in your processing register already speaks to them.
| AI Act obligation | What it means | Which GDPR field already covers this? | |---|---|---| | Article 13: Transparency to users | People must know they are dealing with an AI system and what it does | Article 13 and 14 GDPR: information duty to data subjects, purpose of processing | | Article 9: Risk management system | Map risks to health, safety, and fundamental rights | DPIA (Article 35 GDPR): risk assessment for high-risk processing | | Article 17: Quality management system | Document how you develop, test, and maintain the AI system | Accountability (Article 5(2) GDPR): documentation of measures | | Article 12: Logging and monitoring | Track how the AI system is used and what the outcomes are | Audit trail (Articles 30 and 32 GDPR): registration of access and processing | | Article 4: AI literacy | Employees working with AI must understand how it works and what the risks are | Awareness and training (Article 39 GDPR): informing staff about privacy |
Five obligations you're already partly answering from your GDPR documentation. Not because the legislator was lazy, but because the legislator didn't want businesses redoing the same work twice.
What's already in your processing register?
Pull yours up. For every processing activity, you almost certainly have:
- Name and purpose of the processing
- Categories of personal data
- Categories of data subjects
- Recipients and transfers
- Retention period
- Security measures
- Supplier and data processing agreement (Verwerkersovereenkomst)
For any AI tool that processes personal data, you can reuse these fields almost unchanged for your AI Act dossier. Quick example: you use an AI tool for CV screening. Your register probably already says something like:
- Purpose: pre-selection of applicants
- Data: CVs, cover letters, contact details
- Subjects: job applicants
- Supplier: name of the tool, processing agreement signed
- Retention period: four weeks after the recruitment process ends
That covers a decent chunk of your AI Act documentation. The rest is AI-specific.
What do you still need to add for the AI Act?
The remaining 30% lives in five fields that only apply to AI systems:
- Risk class: does the system fall under unacceptable, high, limited, or minimal risk? For CV screening: high risk (HR category, Annex III).
- Purpose and context of the AI system: what does it do, in which situations, for which decisions is it used?
- Human oversight: who reviews the outputs, how often, and with what authority to intervene?
- Quality measures: how do you know the system works as intended? Bias tests, accuracy checks, periodic evaluations.
- Logging and incident registration: how do you record what the system does and what goes wrong?
Five fields, not fifty. For most small and mid-sized businesses, this is a few hours of work per AI tool. Not a brand-new project.
A workflow that covers both
Practically, you tackle it like this:
Step 1: Inventory the AI tools you use. List every AI system in your organization. Cast a wide net. Employee ChatGPT accounts, an AI spam filter, the chatbot on your website, recruitment software, prediction models inside your CRM.
Step 2: Check which ones are already in your processing register. Many AI tools that process personal data should be in there already. If not, add them through your normal GDPR workflow.
Step 3: Determine the risk class per AI system. Use the AI Act risk classification for SMBs as a guide. Most tools fall into limited or minimal risk. The occasional one sits in high risk.
Step 4: Fill in the five AI Act fields. Per AI tool. For low-risk tools, this is a short note. For high-risk tools it gets more detailed.
Step 5: Keep one source of truth. Don't work with two separate registers you have to maintain in parallel. One system, two views.
That last step is where it falls apart in a lot of organizations. An Excel file for GDPR, a second one for the AI Act, and nobody keeping them in sync. Three months later, neither one is right.
Why one linked register works
Say you swap your old AI chatbot for a new one. In a split setup you update three places: your processing register, your AI register, and your internal documentation. In a linked register you change it once and the rest follows automatically.
Time savings are nice, but the real value is elsewhere: it stops your registers from drifting out of sync. The Dutch DPA (Autoriteit Persoonsgegevens) and the upcoming AI regulator will check whether your records line up. If your processing register says four weeks of retention and your AI dossier says six months, you've got a problem before they even look at the content.
One source, two views. That's the idea.
How ComplianceHive solves this
In ComplianceHive, you add an AI tool to your processing register and the AI Act fields are suggested automatically based on what you already entered. Purpose, data, supplier, and subjects carry over. You only fill in the AI-specific fields yourself: risk class, human oversight, quality measures.
The result: one linked register that works for both your GDPR audit and your AI Act compliance. No duplicate admin, no Excel sheets to maintain on the side.
FAQ
Do the AI Act and GDPR overlap?
Yes, significantly. Both laws require transparency, risk assessment, documentation, and accountability. If your AI systems process personal data (which is almost always the case), you fall under both frameworks. Our estimate: about 70% of the information you need for your AI Act dossier is already in your GDPR processing register.
Should I include AI tools in my processing register?
Yes. If an AI tool processes personal data, it belongs in your GDPR processing register under Article 30 GDPR. Think of ChatGPT for customer service, an AI recruitment tool, or a customer behavior prediction model. The AI Act adds extra requirements, but the processing register remains the starting point.
What's the difference between an AI register and a processing register?
A processing register documents how you process personal data (GDPR). An AI register documents which AI systems you use and at what risk level (AI Act). The fields overlap for about 70%: purpose, data subjects, data categories, supplier, and retention period appear in both. The AI Act adds risk classification, human oversight, and AI-specific transparency.
How do I save time by doing GDPR and AI Act together?
Start with your existing processing register and expand it with five AI-specific fields: risk class, AI system purpose, human oversight, quality measures, and logging. This prevents duplicate work and keeps you working from one source of truth. A tool that links both registers (like ComplianceHive) automatically populates AI Act fields when you add an AI tool to your processing register.
Get started
Ready to link your processing register to your AI Act dossier?
- Start here: Manage your AI System Register
- Or begin with the basics: Set up your GDPR Processing Register
That's how you handle GDPR and the AI Act in one workflow, without having to keep two separate administrations alive.
This article is general information and not legal advice. For specific questions about your situation, we recommend contacting a specialized lawyer or your national data protection authority.