GDPR fines are almost never paid, will the AI Act be different?


Anyone who’s been in a customer-facing role in the last five years or so should be in some way familiar with the General Data Protection Regulation (GDPR) and how it shapes the way organizations handle customer information. Well, from 2026, a new EU regulation, the AI Act, will come into force, and it’s making some firms anxious.

But it shouldn't. Or at least, that’s what this data privacy expert said. Speaking at the recent ISACA conference in Dublin, Dr Valerie Lyons, author of The Privacy Leader, shared her thoughts on the new regulations and the changes they might bring.

“I don't really see that much additional in the AI Act to what GDPR already provides. The principles are exactly the same, principles of transparency, security, and consent,” she said.

It's the thought that counts

There’s a significant overlap between the two pieces of legislation, mostly due to the extensive amount of data that AI systems store and process, and because the AI Act uses a very broad definition of Artificial Intelligence.

GDPR compliance is not an exact science, Lyons explains, and it’s likely the AI Act will use similar “principles of necessity and proportionality”.

It’s important to understand the context and intentions behind the regulations, Lyons notes: “If I look back to GDPR, Giovanni Buttarelli, who's kind of father of GDPR, he said that you can adhere to the spirit of the law, or the letter of the law. If we adhere to the letter of the law of GDPR, it will never work. You must adhere to the spirit of the law.”

Who's paying?

We hear a lot about firms being handed giant fines for non-compliance with the GDPR, but we’re not getting the full story, Lyons suggests.

“You know, the fines, they're not working because actually no one's paying them, so the exchequer isn't even getting the money,” she says. “I mean, it looks to everybody in Europe, like, Ireland should have a whole host of money, but 1% of fines [have been collected].”

Although Ireland’s Data Protection Commission has famously handed out billions of euros' worth of fines, less than 1% of these have actually been collected thanks to appeals processes.

Even then, these fines aren’t hurting the companies the way the statistics would suggest, and it’s usually the taxpayer who ends up out of pocket.

“Who pays for the DPC to go to these courts? The exchequer,” says Lyons.

“So essentially the tax man keeps on paying. Tusla, for example, the Irish child protection agency, was fined 75k four years ago - they paid the fine and the exchequer ultimately paid that fine out too - as it’s a government agency funded by the taxpayer,” she told TechRadar Pro.

It’s looking likely the AI Act will be regulated by the same organization, the Data Protection Commission, which Lyons describes as having ‘no teeth’ - suggesting the lack of follow-through could continue with the new regulations.

So what does the AI Act mean for companies in the coming months as the new regulations come in?

Most smaller businesses are deployers of AI (i.e. providing AI systems for users), as opposed to distributors or developers.

“Their next step is simple. Do a gap analysis. Using standards like ISO or NIST will be really helpful in this regard and can provide a robust structured roadmap to next steps. Often smaller companies complain about the cost; however, NIST standards are freely available,” Lyons told us.

Adhering to GDPR is already a good first step, so develop an AI policy and implement it - and make sure to conduct AI literacy training before February 2025. Make sure to update all ROPA notices, policies, and DPIAs with the AI system.

“After that it’s a matter of ensuring there is a robust process in place to monitor the introduction of AI systems into the organization,” Lyons reassured.

Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.
