AI Impact Assessment

Documented assessment of a high-risk AI system’s intended use, risks, safeguards, and monitoring, completed before deployment and updated periodically. Required under Colorado AI Act §6-1-1703 (annual impact assessments for deployers; trigger date 30 June 2026 per SB 25B-004) and EU AI Act Art. 27 (Fundamental Rights Impact Assessment for public-sector and certain private-sector deployers of high-risk systems). GDPR Art. 35 DPIAs are a related but distinct obligation — they apply to high-risk personal-data processing generally and are not specific to AI.

Required by: EU AI Act, Colorado AI Act

Why this obligation matters

Impact assessment in the AI context covers two distinct legal regimes. The first is the Fundamental Rights Impact Assessment (FRIA) under EU AI Act Article 27, required for deployers of certain high-risk AI systems before first use. The second is the Data Protection Impact Assessment (DPIA) under GDPR Article 35, required when processing is likely to result in a high risk to the rights and freedoms of natural persons.

Article 27 deployers include bodies governed by public law, private operators providing public services, and operators using AI systems referred to in Annex III points 5(b) and 5(c) (creditworthiness and life insurance pricing). The FRIA must be completed before the first use of the system.

When both apply, the assessments can be combined, but the documentation must satisfy both regimes' requirements.

What vendors typically provide

FRIA and DPIA tooling is a fast-growing category. Mature vendors provide assessment templates aligned to the specific articles, workflow management for stakeholder consultation, and documentation export that satisfies the supervisory authority's expectations.

Capabilities to look for:

  • FRIA templates structured against Article 27(1)(a) through (g).
  • DPIA templates aligned to Article 35 plus the Article 29 Working Party's WP248 guidance.
  • Combined-assessment workflow when both apply.
  • Stakeholder consultation tracking, including DPO sign-off and consultation with affected individuals where required.
  • Versioning so re-assessment after material change is easy.

Compliance checklist

  • [ ] Determine which assessment regimes apply: FRIA, DPIA, both, or neither.
  • [ ] Complete the FRIA before the first use of the high-risk AI system.
  • [ ] Document the deployer's processes, the categories of natural persons affected, and the specific risks identified.
  • [ ] Identify the human oversight measures and risk-mitigation steps.
  • [ ] For DPIA, consult the DPO and document the consultation.
  • [ ] Where required by Article 35(9), seek the views of data subjects.
  • [ ] Notify the national market surveillance authority of the FRIA results.
  • [ ] Re-assess after every material change to the system or its deployment context.

Common gaps we see

The first gap is timing. Article 27 requires completion before the first use. A FRIA produced six months after go-live does not satisfy the obligation.

The second gap is scope. Deployers often run a single DPIA per system. Article 27 contemplates a per-use-case FRIA: the same model deployed in two different decision contexts may warrant separate assessments.

The third gap is stakeholder consultation. Article 35(9) requires seeking the views of data subjects where appropriate. The same logic applies to FRIA in spirit, particularly when affected populations are identifiable. Many assessments skip this step and rely entirely on internal expertise.

Regulator guidance and primary sources

Vendors that support this obligation

Vendor      | HQ                      | Founded | Size   | Pricing                                                                                                                                                                  | Last verified
------------|-------------------------|---------|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------
Credo AI    | Palo Alto, US           | 2020    | 51-200 | Contact sales for enterprise subscription quote.                                                                                                                         | Apr 26, 2026
Holistic AI | London, UK              | 2020    | 51-200 | Enterprise platform; contact sales for quote.                                                                                                                            | Apr 26, 2026
Monitaur    | Boston, United States   | 2019    | 11-50  | Enterprise annual subscription; no public pricing listed. Forrester Wave cited 'pricing flexibility and transparency' as a highest-score criterion. Contact sales for quotes. | Apr 22, 2026
Trustible   | Arlington, United States| 2023    | 11-50  | Contact sales for enterprise pricing; no public plans listed.                                                                                                             | Apr 23, 2026
FairNow     | McLean, US              | 2023    | 11-50  | Contact sales for quote; no public pricing listed.                                                                                                                       | Apr 26, 2026
Fairly AI   | Kitchener, Canada       | 2020    | 11-50  | On-premises or private-cloud deployments; quote-based.                                                                                                                   | Apr 21, 2026