Quick answer

An AI impact assessment policy defines when organizations must conduct fundamental rights impact assessments (EU AI Act Article 27), data protection impact assessments (GDPR Article 35), and broader societal impact evaluations before deploying AI systems that affect individuals.

Updated June 2026 · MmowW AI Compliance

AI Impact Assessment Policy: When, How, and What to Evaluate

Types of AI Impact Assessment

Three distinct but overlapping assessment types apply to AI systems:

| Assessment Type | Legal Basis | Trigger | Focus |
|---|---|---|---|
| Fundamental Rights Impact Assessment (FRIA) | EU AI Act Art. 27 | Deployers of high-risk AI (public bodies and certain private entities) | Impact on fundamental rights including non-discrimination, privacy, freedom of expression |
| Data Protection Impact Assessment (DPIA) | GDPR Art. 35 | Processing likely to result in high risk to individuals' rights and freedoms | Data protection risks and mitigation measures |
| Algorithmic Impact Assessment (AIA) | Canada AIDA (proposed), various national laws | Deployment of automated decision systems | Societal and individual impact of algorithmic decisions |

EU AI Act Fundamental Rights Impact Assessment

Article 27 requires deployers who are public authorities or private entities providing public services (and entities operating in banking, insurance, or credit scoring) to conduct a FRIA before using high-risk AI systems. The assessment must include:

The FRIA must be notified to the relevant market surveillance authority. It must be updated when circumstances change materially.

When a DPIA Is Required for AI

GDPR Article 35(3) mandates a DPIA for: systematic and extensive evaluation of personal aspects based on automated processing including profiling (directly applicable to most AI systems processing personal data), large-scale processing of special categories of data (Article 9), and systematic monitoring of publicly accessible areas.

The Article 29 Working Party guidelines (WP248) list nine criteria; meeting two typically requires a DPIA. AI systems commonly trigger: evaluation or scoring, automated decision-making with legal or similar effects, systematic monitoring, sensitive data processing, and innovative use of new technological solutions.

Assessment Methodology

Step 1: Scoping

Define the AI system's purpose, inputs, outputs, affected populations, and deployment context. Identify all applicable assessment requirements (FRIA, DPIA, sector-specific assessments). Determine the assessment boundary: what is included and excluded.

Step 2: Stakeholder Engagement

GDPR Article 35(9) requires seeking the views of data subjects or their representatives where appropriate. For AI systems affecting communities, conduct meaningful engagement with affected groups before deployment. Document engagement methodology, participants, findings, and how input influenced the assessment.

Step 3: Risk Identification and Analysis

Identify risks across categories: discrimination, privacy, autonomy, dignity, safety, access to services, and freedom of expression. For each risk, assess likelihood and severity. Use standardized risk matrices aligned to ISO 31000 and ISO/IEC 23894:2023 (AI risk management).

Step 4: Mitigation Measures

For each identified risk, document specific mitigation measures, their expected effectiveness, residual risk after mitigation, and the responsible party. Mitigation measures must be proportionate to the risk level and technically feasible.

Step 5: Documentation and Review

Document the complete assessment including methodology, findings, decisions, and review schedule. File FRIAs with the market surveillance authority. Retain DPIAs for the duration of processing plus the applicable limitation period.

Triggering Criteria Matrix

Define organizational triggers for each assessment type. Require mandatory assessment for: any AI system classified as high-risk, any AI processing personal data at scale, any AI system affecting access to services or opportunities, any deployment in a new geographic jurisdiction, and any significant change to an existing assessed system.

Integration with Development Lifecycle

Embed impact assessments at the design stage, not as a post-development compliance exercise. Require preliminary risk screening at project initiation. Conduct full assessment before development begins. Update the assessment at key milestones: prototype completion, pre-deployment testing, initial deployment, and after six months of production operation.

Review and Update Obligations

Review assessments at minimum annually. Additionally, reassess when: the AI system is modified, the deployment context changes, new risks emerge from monitoring data, complaints or incidents reveal unforeseen impacts, or applicable regulations change.


This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.