Privacy & AI: GDPR Compliance and AI Act Readiness
Outsourced DPO, impact assessments, breach management, international data transfers and AI Act compliance. Privacy and AI governance for your organisation.
BMC’s privacy and AI practice advises companies on GDPR compliance, the management of risks arising from AI systems, and adaptation to the EU AI Act. We cover the full spectrum — from outsourced DPO services to AI Act compliance, data protection impact assessments, and data breach response.
Data protection and privacy: the GDPR framework in Spain
The General Data Protection Regulation (GDPR, EU Regulation 2016/679), complemented in Spain by the LOPDGDD (Organic Law 3/2018), establishes a comprehensive framework of rights and obligations that applies to any organisation processing personal data. The AEPD is Spain’s national supervisory authority and maintains an active enforcement record, with fines of up to €20 million or 4% of global annual turnover for the most serious infringements.
Core obligations for businesses include: identifying a legal basis for each processing activity, maintaining an up-to-date Record of Processing Activities, implementing appropriate technical and organisational security measures, managing data subject rights (access, rectification, erasure, portability), and notifying data breaches within the prescribed timeframes.
For complex, high-risk, or special category data processing, the law additionally requires designation of an AEPD-registered DPO, conducting impact assessments before processing begins, and applying privacy by design and by default principles.
Artificial intelligence: the AI Act and its business impact
The EU AI Act (Regulation 2024/1689) is the world’s first comprehensive AI regulatory framework. It classifies AI systems into four risk categories (unacceptable, high, limited, and minimal) and imposes differentiated obligations on providers, deployers, and importers of AI systems.
Businesses using AI in recruitment, credit assessment, education, or healthcare have been subject to high-risk AI requirements since August 2026: conformity assessment, technical documentation, human oversight, risk management, and registration. Businesses developing general-purpose AI (GPAI) systems must also comply with Article 53 obligations.
The intersection between the GDPR and the AI Act is particularly significant: AI systems making decisions about individuals are simultaneously subject to AI regulation (risk classification, technical documentation) and the GDPR (legal basis, purpose limitation, the right not to be subject to automated decisions with legal effects under Art. 22).
Privacy, data protection, and AI services
Data protection and GDPR
- Outsourced DPO: Externally appointed Data Protection Officer, registered with the AEPD, providing periodic audits, data subject rights management, compliance advisory, and incident supervision.
- Data Protection Impact Assessment (DPIA): Systematic risk analysis for data subject rights under Art. 35 GDPR, with mitigation measures and documentation for the Record of Processing Activities.
- Data breach response: Incident management for security events affecting personal data, covering breach analysis, risk probability assessment, AEPD notification within 72 hours, and communication to affected data subjects.
- International data transfers: Advisory on Standard Contractual Clauses (SCCs), Binding Corporate Rules, Transfer Impact Assessments (TIA), and alternatives for non-EEA providers.
- Cookie compliance: Cookie audit and policy design under the GDPR and AEPD guidelines, covering cookie classification, Consent Management Platform (CMP) configuration, and legal cookie notice review.
- Privacy by design and by default: Integration of data protection principles into product and service development cycles, data-minimising architectures, and default privacy settings under Art. 25 GDPR.
Artificial intelligence and AI Act
- AI Act compliance: AI system inventory diagnosis, risk classification, compliance plan, technical documentation, and preparation for the EU registry of high-risk AI systems.
- High-risk AI systems: Advisory on Annex III AI Act obligations for AI systems in HR, credit, education, essential services, and critical infrastructure.
- AI governance: Design of ethical AI use policies, human oversight frameworks, algorithm audit procedures, and accountability structures for organisations that develop or deploy AI systems.
- Compliance risk mapping: Cross-cutting assessment of regulatory compliance risks (GDPR, AI Act, NIS2, DORA) with prioritisation by exposure level and a gap closure plan.
When to contact the privacy and AI team
We recommend consulting our team when:
- Your company has suffered a data breach and needs to manage the AEPD notification within the 72-hour deadline.
- You are developing or deploying AI systems and need to assess whether they are subject to the AI Act and which obligations apply.
- You need to appoint or renew an outsourced DPO registered with the AEPD.
- You are launching a new product or service involving large-scale or special category data processing.
- You use cloud providers, analytics tools, or SaaS platforms outside the EEA and need to formalise international data transfers.
- You have received a request from the AEPD or a data subject rights exercise.
An initial consultation allows us to assess your current compliance status, identify priority risks, and establish a realistic action plan.
The GDPR–AI Act intersection: the defining compliance challenge of 2026
The phased entry into force of the AI Act represents the most significant shift in the digital compliance landscape since the GDPR in 2018. For businesses that already have a mature data protection programme, the transition is more manageable: many AI Act obligations — documentation, risk management, human oversight — are natural extensions of what the GDPR already requires for personal data processing.
For businesses without a mature data protection programme, the AI Act adds a second layer of complexity that cannot be managed in isolation. AI systems making decisions about individuals are simultaneously subject to AI regulation (risk classification, technical documentation) and the GDPR (legal basis, purpose limitation, data minimisation, the right not to be subject to automated decisions). The cost of failing to address both regulations in a coordinated manner will multiply once supervisors begin cross-referencing AI Act incident reports with AEPD breach records.
Our team manages the GDPR–AI Act intersection in an integrated manner, coordinating with the cybersecurity practice when AI systems fall within the NIS2 or DORA scope.
Legal: our reference analyses
- Article: Data protection for companies: GDPR and LOPDGDD 2026
- Article: Data Protection and AI Act: Points of Intersection
- Article: Data Protection and AI: New Legal Challenges
- Industry insight: Life Sciences Spain: GDPR, NIS2 & DORA Compliance 2026
- Regulatory update: AI Act: High-Risk System Obligations
- Regulatory update: EU AI Act Published: What Businesses Need to Know
Our approach
- Diagnosis: GDPR compliance audit and AI asset mapping.
- Compliance roadmap: Prioritised plan for compliance improvement.
- Implementation: Policies, notices, contracts and technical controls.
- Maintenance: Ongoing outsourced DPO, activity registers and breach response.
What sets us apart
- Certified outsourced DPO: CIPP/E certified Data Protection Officers for organisations of all sizes.
- AI Act pioneers: Among the first firms with a structured methodology for EU AI Regulation compliance.
- Technical and legal vision: Combining legal expertise with an understanding of AI systems.
