AI Impact Assessment: Beyond the DPIA
A Data Protection Impact Assessment (DPIA) under GDPR evaluates the risks of personal data processing. An AI impact assessment goes further: it evaluates the broader effects of an AI system on individuals, groups, and society, including discrimination, loss of autonomy, safety, and access to services. Both are needed; they answer different questions and serve different regulatory purposes.
DPIA versus AI impact assessment
A DPIA, required by GDPR Article 35, focuses specifically on the processing of personal data. It asks: what personal data is processed, what are the risks to data subjects, and what measures mitigate those risks? The DPIA is mandatory when processing is likely to result in a high risk to individuals' rights and freedoms, which includes profiling, automated decision-making, and large-scale processing of sensitive data.
An AI impact assessment covers a broader set of effects. It asks: how does this AI system affect the people it interacts with or makes decisions about, including effects on fairness, equality, dignity, safety, and access to services? It considers not only data protection risks but also algorithmic bias, discriminatory outcomes, loss of human agency, safety failures, and effects on vulnerable populations.
The practical distinction matters because an AI system can pass a DPIA (it processes personal data lawfully with adequate security) while still causing material harm through biased outputs, opaque decision-making, or the erosion of human oversight. The DPIA alone is not sufficient for AI governance; it must be complemented by an AI-specific impact assessment.
EU AI Act Article 27: fundamental rights impact assessment
The EU AI Act introduces a specific requirement for fundamental rights impact assessments (FRIAs) for deployers of high-risk AI systems. Article 27 requires deployers that are bodies governed by public law, or private entities providing public services, to conduct an assessment of the impact on fundamental rights before putting a high-risk AI system into use.
The FRIA must assess the specific risks to fundamental rights that the AI system may generate, considering the characteristics of the system, the context of its deployment, and the particular vulnerabilities of the affected groups. It must describe the measures the deployer will implement to mitigate identified risks, and the results must be notified to the relevant market surveillance authority.
While the mandatory FRIA obligation applies to specific categories of deployer, the underlying methodology is relevant to all organisations deploying high-risk AI. Private-sector organisations that voluntarily conduct fundamental rights impact assessments demonstrate governance maturity and reduce the risk of discovering adverse effects only after deployment.
When assessments are needed
An AI impact assessment should be conducted before deployment and repeated whenever the system is materially modified. The assessment is particularly important for AI systems that make or significantly inform decisions affecting individuals: recruitment and hiring decisions, credit and insurance decisions, access to public services, content moderation and recommendation, law enforcement and judicial decisions, and healthcare diagnosis or treatment recommendations.
The assessment should also be triggered by changes in the operating environment: a new use case for an existing system, expansion to a new demographic or geographic population, changes to the training data or model architecture, and regulatory changes that alter the risk classification of the system.
A common mistake is to treat impact assessment as a one-time gate at deployment. AI systems evolve: models are retrained, data distributions shift, and the population affected by the system changes over time. The assessment must be a living process with defined triggers for reassessment, not a document that is produced once and filed.
Practical methodology
An effective AI impact assessment follows a structured process. First, scope the assessment: identify the AI system, its intended purpose, the decisions it makes or informs, and the populations affected. Second, identify potential impacts: consider effects on fairness, equality, privacy, safety, autonomy, dignity, and access to services, drawing on consultation with affected stakeholders where practicable.
Third, assess severity and likelihood for each identified impact, considering both the inherent risk of the AI system and the effectiveness of existing controls. Fourth, determine additional mitigation measures where residual risk is unacceptable, which may include technical controls (bias testing, performance monitoring), procedural controls (human review of AI decisions, appeal mechanisms), or governance controls (restrictions on use cases, enhanced oversight for high-risk deployments).
Fifth, document the assessment, including the methodology, findings, mitigation measures, and the rationale for accepting any residual risks. This documentation serves as evidence for regulators, auditors, and affected individuals. Sixth, establish a review schedule and reassessment triggers so the assessment remains current.
The Veridio AI Impact Assessment Template provides the structure for this process, covering all six steps with guided sections and prompts. For organisations that also need to meet GDPR requirements, the AI DPIA Template provides a complementary document specifically structured around GDPR Article 35 requirements.
AI Impact Assessment and DPIA
Two complementary templates: the AI Impact Assessment for broader governance requirements and the AI DPIA for GDPR Article 35 compliance. Both come with a guided methodology and structured output.