If you use a high-risk AI system that processes personal data, you face two impact assessments that seem to ask for the same things: the GDPR DPIA (art. 35) and the fundamental rights impact assessment — the FRIA of the AI Act (art. 27, Regulation EU 2024/1689). The practical question is: do I have to run both from scratch, or can I merge them? The short answer is that you can and should integrate them into a single exercise, but only after you are clear on who does what. Here is how.
Three different assessments, three different owners
The first mistake is to blur obligations that fall on different parties.
- Conformity assessment (art. 43 AI Act) — the provider's duty (whoever develops or places the system on the market). It demonstrates that the high-risk system meets the AI Act's requirements before it is marketed, and it underpins the CE marking. It is not the job of whoever uses the system.
- DPIA (art. 35 GDPR) — the controller's duty, typically whoever uses the system to process personal data. It is mandatory when the processing, especially with new technologies, is likely to result in a high risk to people's rights and freedoms.
- FRIA (art. 27 AI Act) — the deployer's duty, i.e. whoever uses the high-risk system in the course of their activity.
The DPIA and the FRIA therefore live on the same side: both fall on whoever deploys the system. That is where the duplication risk arises — and where the AI Act, in article 27(4), offers a way out.
Who actually has to run a FRIA
Contrary to a widespread belief, the FRIA does not burden every deployer of a high-risk system. Article 27 imposes it only on:
- public bodies (bodies governed by public law);
- private entities that provide public services;
- deployers of high-risk systems for creditworthiness assessment and for risk assessment and pricing in life and health insurance (Annex III, points 5(b) and 5(c)).
If your company falls outside these cases, no FRIA is due — but a DPIA may still be required under the GDPR. Settling this scope early avoids producing useless documents or, conversely, missing a real obligation.
Where the DPIA and the FRIA overlap
The two assessments share much of their structure but have a different reach. The DPIA focuses on risks to the protection of personal data. The FRIA looks at all fundamental rights the system may touch: not only privacy, but also non-discrimination, human dignity, protection of minors, the right to an effective remedy.
The table shows how the FRIA's content (art. 27) leans on what a DPIA (art. 35 GDPR) already produces:
| FRIA element (art. 27 AI Act) | Reusable from the DPIA? |
|---|---|
| Description of the processes where the system is used | Yes, largely |
| Period and frequency of use | Partly |
| Categories of persons and groups affected | Yes |
| Specific risks of harm to those categories | Only for data; the rest is new |
| Human oversight measures | New (AI Act specific) |
| Measures if risks materialise, including complaint mechanisms | Partly |
In short: the descriptive part is reused; the part on risks beyond data protection and on human oversight has to be added.
One exercise: how to integrate them step by step
Article 27(4) provides that, where an obligation of the FRIA is already met by a DPIA carried out under art. 35 GDPR, "the fundamental rights impact assessment shall complement that data protection impact assessment." The key word is complement: a single document, built like this.
- Start from the inventory. Identify the high-risk AI systems and check, for each, whether the DPIA (art. 35 GDPR) and/or the FRIA (art. 27 AI Act) applies.
- Write one descriptive base. Context, purposes, processes, categories of people affected: write them once, they serve both.
- Widen the risk analysis. To the data-risk assessment add the other fundamental rights: discrimination, effects on vulnerable groups, transparency toward the individual.
- Document human oversight. This is an AI Act requirement of its own: who monitors, when they can step in, how a decision is overridden.
- Define measures and complaints. What you do if the risk materialises, with a complaint channel accessible to the people involved.
- Close with the formalities. Consult the DPO (GDPR) and prepare to notify the FRIA's outcome to the market surveillance authority using the required template. The AI Office will make a model questionnaire available.
The deadlines and what to do now
High-risk system obligations — the FRIA included — become fully applicable from 2 August 2026. The FRIA must be completed before the system is put into use. Joint guidelines from the European Data Protection Board (EDPB) and the Commission on the GDPR–AI Act interplay are in preparation: it is worth setting up the assessment in an integrated way now, so you do not have to redo it once the clarifications arrive.
Where to start
The most efficient way to handle this overlap is a gap assessment that maps, system by system, which assessments are due and how much of the work already done for the GDPR can be reused for the AI Act. An independent audit turns two seemingly redundant obligations into a single, orderly process — with owners and deadlines, and nothing duplicated or forgotten.