FRIA vs DPIA: two assessments, one AI system
Both are required in many scenarios. Understand how the FRIA (AI Act Article 27) and DPIA (GDPR Article 35) differ in scope, trigger, and notification — and when you need both.
Different legal bases, overlapping systems
The DPIA is a GDPR obligation (Article 35) triggered by high-risk personal data processing. The FRIA is an EU AI Act obligation (Article 27) triggered by deploying high-risk AI in specific contexts — public services, banking, insurance, credit scoring, healthcare, migration, and public assistance.
An AI system that processes personal data and is deployed in one of these contexts will likely require both assessments. They are complementary, not substitutes: the DPIA covers data protection risks while the FRIA covers the full spectrum of EU Charter rights including dignity, non-discrimination, freedom of expression, and access to justice.
Key structural differences
Scope: DPIA focuses on data protection only; FRIA covers all fundamental rights.
Notification: DPIA results go to the Data Protection Authority only when high residual risk remains; FRIA results must always be notified to the market surveillance authority before the system is used.
Timing: DPIA is required before processing begins; FRIA must be completed before the high-risk AI system is put into use.
Penalties also differ: DPIA non-compliance risks GDPR fines (up to €20 million / 4% turnover); FRIA non-compliance risks AI Act Tier 2 fines (up to €15 million / 3% turnover). Both can apply simultaneously to the same system.
Running them in parallel
The most efficient approach is to conduct both assessments on the same timeline, sharing the data mapping and stakeholder engagement process. Findings from each assessment inform the other: DPIA data flows reveal privacy risks relevant to the FRIA's fundamental rights analysis, while FRIA findings about non-discrimination or access impacts may flag additional GDPR considerations.
ActLoom's assessment workflows support parallel FRIA and DPIA execution, flagging overlapping risks and generating separate, compliant output documents for each regulatory authority.