
EDPB Work Programme 2026-2027: Templates, AI Act Guidance, and What It Means for Practitioners

February 18, 2026·Oliver Schmidt-Prietz

The European Data Protection Board has published its Work Programme 2026-2027, and two items stand out as genuinely significant for anyone working in EU data protection and AI compliance. One is immediately practical, the other will shape how two major regulatory frameworks interact for years to come.

EU-Wide Compliance Templates: Standardizing the Baseline

The EDPB is developing standardized templates for some of the most common compliance deliverables: breach notifications, Data Protection Impact Assessments (DPIAs), legitimate interest assessments, and privacy notices.

On the surface, this might seem incremental. Templates exist everywhere — from national DPAs, industry associations, and law firms. But EU-wide harmonized templates from the EDPB carry different weight. They establish a common baseline that supervisory authorities across all member states are expected to recognize, reducing the fragmentation that has made cross-border compliance unnecessarily complex.

The Real Value: Knowing When to Deviate

Here is where I think the discussion around templates often misses the point. A breach notification template gets you perhaps 60% of the way. The template tells you what fields to fill in — nature of the breach, categories of data, approximate number of data subjects, measures taken. That part is mechanical.

Where expertise actually matters is in the judgment calls that no template can make for you: analyzing whether the severity and context of a specific breach cross the threshold for notification to the supervisory authority under Art. 33 GDPR (required unless the breach is unlikely to result in a risk to individuals, and due without undue delay and where feasible within 72 hours of becoming aware of it), or whether the risk is high enough to require communication to the affected data subjects under Art. 34. That analysis depends entirely on the specific circumstances: the type of data, the vulnerability exploited, the likelihood of adverse effects, the effectiveness of your protective measures (encryption that rendered the data unintelligible, for instance). And because the 72-hour clock starts running at awareness, that analysis has to happen while the incident is still being investigated, not after.

The same applies to DPIAs and legitimate interest assessments. A standardized structure helps. But the substance — whether your balancing test under Art. 6(1)(f) actually holds up, or whether your DPIA identifies the right risks and proposes proportionate mitigation — requires experience and legal judgment.

I have spent the past months building AI-powered compliance tools for exactly these workflows: breach assessment, DPIA evaluation, privacy notice generation. The EDPB standardizing the baseline format is a welcome development. It means practitioners can stop reinventing basic forms and focus their time on the analytical work that actually determines compliance outcomes.

Joint Guidelines on AI Act and GDPR Interplay

Buried on page 7 of the work programme is what I consider the most significant deliverable on the entire list: joint guidelines on the interplay between the AI Act and the GDPR.

This might not sound dramatic, but it addresses one of the most pressing open questions in EU tech regulation today. Every organization deploying AI systems in Europe currently faces a fundamental uncertainty: how do AI Act obligations interact with GDPR requirements, and where do they potentially conflict?

Why This Matters Now

The AI Act's obligations for high-risk systems listed in Annex III apply from 2 August 2026 (high-risk systems embedded in products covered by Annex I follow a year later). That is not a distant horizon; it is roughly six months away. Organizations subject to these requirements need to build compliance programs that satisfy both frameworks simultaneously. Currently, they are doing so with limited regulatory guidance on how the two regimes intersect.

Consider a practical example: an AI system used in HR recruitment (high-risk under Annex III of the AI Act) that processes candidate personal data. The AI Act requires specific technical documentation, risk management, and data governance measures from the provider, plus human oversight and logging from the deployer. The GDPR requires a legal basis for processing, a DPIA under Art. 35 where the processing is likely to result in a high risk, safeguards for automated decision-making under Art. 22, and compliance with data subject rights. How do the AI Act's data governance requirements under Art. 10 interact with GDPR's purpose limitation and data minimization principles? When does an AI Act conformity assessment overlap with, or satisfy, a GDPR DPIA?

These are not academic questions. They affect system design, documentation requirements, and organizational responsibilities right now.

What the Guidelines Should Address

The joint guidelines will need to clarify several critical areas:

  • Legal basis for training data — how GDPR's lawful processing requirements apply to AI training datasets, including the role of legitimate interest and the boundaries of purpose limitation
  • DPIA and conformity assessment alignment — whether and how an AI Act conformity assessment can satisfy GDPR DPIA requirements, or whether parallel assessments remain necessary. The AI Act already builds one bridge here: the fundamental rights impact assessment that certain deployers must perform under Art. 27 is required to complement an existing GDPR DPIA rather than duplicate it (Art. 27(4)). No equivalent link exists for the provider's conformity assessment, which is where the guidance is most needed
  • Transparency obligations — how the AI Act's transparency requirements (Art. 13 for high-risk systems, Art. 50 for certain AI systems such as chatbots and generated content) relate to GDPR's information duties (Art. 13/14), and how the AI Act's right to an explanation of individual decisions (Art. 86) relates to the safeguards for automated decision-making under GDPR Art. 22
  • Data subject rights in AI contexts — practical implementation of rectification, erasure, and objection rights for data embedded in trained models
  • Oversight and accountability — the relationship between AI Act market surveillance authorities and GDPR supervisory authorities

What to Watch

Two questions will determine how useful these deliverables become in practice.

First, the timeline. The work programme covers 2026-2027, but the AI Act high-risk deadline arrives in August 2026. Will the joint AI Act/GDPR guidelines arrive before organizations need them, or after the fact? The sequencing matters enormously.

Second, the depth. Will the templates be rigid forms or flexible frameworks? Will the AI Act/GDPR guidelines address specific sector use cases or remain at a principled level? The practical value depends on how far the EDPB is willing to go beyond general statements.

For organizations navigating both frameworks, the message is clear: do not wait for the guidelines to begin your compliance work. Build your AI Act and GDPR compliance programs now, and design them to be adaptable when guidance arrives. The organizations that will be best positioned are those that already understand where the two frameworks intersect — and where the open questions lie.