GDPR fines are almost never paid, will the AI Act be different?
Anyone who’s been in a customer-facing role in the last five years or so should be in some way familiar with the General Data Protection Regulation (GDPR) and how it shapes the way organizations handle customer information. Well, from 2026, a new EU regulation, the AI Act, will come into force, and it’s making some firms anxious.
But it shouldn’t. Or at least, that’s what this data privacy expert said. Speaking at the recent ISACA conference in Dublin, Dr Valerie Lyons, author of The Privacy Leader, shared her thoughts on the new regulations and the changes they might bring.
“I don’t really see that much additional in the AI Act to what GDPR already provides. The principles are exactly the same, principles of transparency, security, and consent,” she said.
It’s the thought that counts
There’s a significant overlap between the two pieces of legislation, mostly due to the extensive amount of data that AI systems store and process, and because the AI Act uses a very broad definition of Artificial Intelligence.
GDPR compliance is not an exact science, Lyons explains, and it’s likely the AI Act will use similar “principles of necessity and proportionality”.
It’s important to understand the context and intentions behind the regulations, Lyons notes: “If I look back to GDPR, Giovanni Buttarelli, who’s kind of father of GDPR, he said that you can adhere to the spirit of the law, or the letter of the law. If we adhere to the letter of the law of GDPR, it will never work. You must adhere to the spirit of the law.”
Who’s paying?
We hear a lot about firms being handed giant fines for non-compliance with the GDPR, but we’re not getting the full story, Lyons suggests.
“You know, the fines, they’re not working because actually no one’s paying them, so the exchequer isn’t even getting the money,” she says. “I mean, it looks to everybody in Europe, like, Ireland should have a whole host of money, but 1% of fines [have been collected].”
Although Ireland’s Data Protection Commission has famously handed out billions of euros’ worth of fines, less than 1% of these have actually been collected thanks to appeals processes.
Even then, these fines aren’t hurting the companies the way the statistics would suggest, and it’s usually the taxpayer who ends up out of pocket.
“Who pays for the DPC to go to these courts? The exchequer,” says Lyons.
“So essentially the tax man keeps on paying. Tusla, for example, the Irish child protection agency, was fined 75k four years ago – they paid the fine and the exchequer ultimately paid that fine out too – as it’s a government agency funded by the taxpayer,” she told TechRadar Pro.
It’s looking likely the AI Act will be regulated by the same organization, the Data Protection Commission, which Lyons describes as having ‘no teeth’ – suggesting the lack of follow-through could continue with the new regulations.
So what does the AI Act mean for companies in the coming months as the new regulations come in?
For smaller businesses, most are deployers of AI (i.e. providing AI systems for users), as opposed to distributors or developers.
“Their next step is simple. Do a gap analysis. Using standards like ISO or NIST will be really helpful in this regard and can provide a robust structured roadmap to next steps. Often smaller companies complain about the cost; however, NIST standards are freely available,” Lyons told us.
Adhering to GDPR is already a good first step, so develop an AI policy and implement it – and make sure to conduct AI literacy training before February 2025. Make sure to update all ROPA notices, policies, and DPIAs with the AI system.
“After that it’s a matter of ensuring there is a robust process in place to monitor the introduction of AI systems into the organization,” Lyons reassured.