DPIA vs FRIA
Which impact assessment do you need for AI?
DPIA under GDPR, FRIA under the AI Act - two different but related assessments. Discover when you need which, what the key differences are, and how to combine them.
Why Two Different Impact Assessments?
GDPR and AI Act complement each other
The GDPR (adopted in 2016, applicable since May 2018) introduced the Data Protection Impact Assessment (DPIA) for privacy risks. The EU AI Act (in force since 1 August 2024) added the Fundamental Rights Impact Assessment (FRIA), which applies to deployers of certain high-risk AI systems. The dual obligation exists because AI systems can pose broader risks than data protection alone. While a DPIA focuses on risks to the rights and freedoms of data subjects arising from the processing of personal data, a FRIA looks at the full spectrum of fundamental rights: human dignity, non-discrimination, freedom of expression, access to justice and more.
DPIA: Privacy & data protection
FRIA: All fundamental rights
AI-specific: FRIA applies to high-risk AI only
Complementary: The two assessments can be combined
DPIA: Data Protection Central
Article 35 GDPR - When and how
Under Article 35 of the GDPR, you must perform a DPIA when processing "is likely to result in a high risk to the rights and freedoms of natural persons." Article 35(3) names cases where this is always the case, the most relevant one for AI being a systematic and extensive evaluation of personal aspects of people, based on automated processing including profiling, on which decisions are based that produce legal effects or similarly significantly affect them. The other listed cases are large-scale processing of special categories of data or criminal data, and systematic large-scale monitoring of publicly accessible areas; national supervisory authorities also publish lists of processing that requires a DPIA. A DPIA must be performed before the processing starts, during the planning phase, not afterwards.
Timing: Before processing starts
Focus: Personal data
Reporting: Internal (prior consultation with the supervisory authority under Article 36 only if high residual risk remains)
Responsible: Data controller
FRIA: Broader Fundamental Rights Focus
Article 27 AI Regulation - For high-risk AI
The Fundamental Rights Impact Assessment (FRIA) is established in Article 27 of the EU AI Act. Unlike the DPIA, the FRIA takes a human-centered approach by examining all relevant fundamental rights: human dignity, equality before the law, non-discrimination, cultural diversity, and the right to an effective remedy. It must be carried out before the high-risk AI system is first used. Article 27(1) makes the FRIA mandatory for two groups of deployers of high-risk AI systems listed in Annex III (with the exception of systems in the area of critical infrastructure, Annex III point 2): (1) bodies governed by public law and private entities providing public services (for example education, healthcare, social services), and (2) any deployer using AI for creditworthiness evaluation or credit scoring (except for detecting financial fraud) or for risk assessment and pricing in life and health insurance (Annex III points 5(b) and 5(c)).
Public bodies: FRIA mandatory when deploying Annex III high-risk AI (except critical infrastructure)
Financial sector: Creditworthiness/credit scoring and life & health insurance risk assessment
Reporting: Results notified to the market surveillance authority (Article 27(3))
Deadline: Applies from 2 August 2026
The 5 Key Differences
DPIA vs FRIA comparison table
1. FOCUS: The DPIA focuses on data protection and privacy; the FRIA covers all fundamental rights.
2. DATA TYPE: The DPIA covers only processing of personal data; the FRIA also covers impacts that do not involve personal data (for example non-personal training data or outcomes affecting groups).
3. SCOPE: The DPIA applies to any high-risk processing of personal data, whether or not AI is involved; the FRIA applies specifically to the high-risk AI systems and deployer categories named in Article 27 of the AI Act.
4. WHO IS OBLIGATED: The DPIA is the controller's duty under the GDPR; the FRIA is the duty of certain categories of deployers (users) of high-risk AI systems, not of the provider.
5. REPORTING: A DPIA normally stays internal (except for prior consultation under Article 36 GDPR); the results of a FRIA must be notified to the market surveillance authority.
Focus: Privacy vs all fundamental rights
Data: Personal data vs all data
Who: Controller vs deployer
Reporting: Internal vs mandatory notification to the authority
Can DPIA and FRIA be Combined?
Article 27(4) AI Regulation acknowledges the overlap
Yes. The AI Act acknowledges the overlap between the two assessments. Article 27(4) states that where any of the FRIA obligations is already met through a DPIA under Article 35 GDPR, the FRIA shall complement that DPIA rather than duplicate it. In practice you can choose: (1) two separate assessments, with separate DPIA and FRIA documents, or (2) one integrated assessment, a single document that meets both sets of requirements. For an integrated document to be valid, it must cover all DPIA requirements of Article 35 GDPR, contain all FRIA elements of Article 27 AI Act (the deployer's processes, period and frequency of use, categories of affected persons and groups, specific risks of harm, human oversight measures, and measures to be taken if the risks materialise), and address the broader scope of fundamental rights. The AI Office is to publish a template questionnaire for the FRIA (Article 27(5)), which you can map onto your DPIA template. Practical tip: start from your existing DPIA template and extend it with the FRIA elements, so that the data protection analysis is done once and reused.
Combination possible: Yes, Article 27(4) AI Act
Option 1: Two separate documents
Option 2: One integrated document
Tip: Extend your DPIA template with the FRIA elements