DPIA for AI: When You Need One and How to Write One Quickly

Updated 19 May 2026. Article 27 FRIA obligations apply with the high-risk regime from 2 December 2027. GDPR Article 35 DPIA obligations apply today for high-risk personal-data processing.

A Data Protection Impact Assessment (DPIA) under GDPR Article 35, combined with a Fundamental Rights Impact Assessment (FRIA) under EU AI Act Article 27, is the single biggest piece of compliance work for high-risk AI use. It is also the one SMBs over-think.

When you need a DPIA + FRIA

  • Hiring or HR AI (CV screening, candidate ranking, performance assessment).
  • Credit or insurance AI affecting individuals.
  • AI in education access decisions (admissions, grading, scholarships).
  • Healthcare AI affecting patient pathways.
  • AI determining access to public services.
  • Biometric identification or categorisation.
  • Any AI processing special category data (health, biometric, racial/ethnic, religious, sex life).

The 90-minute template

A complete SMB-sized DPIA + FRIA covers: identification, purpose and context, data inventory, risk assessment, fundamental rights impact, affected persons and stakeholders, human oversight, individual rights, monitoring, conclusion and sign-off.

What residual risk means

After mitigations, your DPIA assigns a residual risk level: low, medium, high, or unacceptable. Low or medium: proceed. High: senior management approval required, possible DPA consultation. Unacceptable: do not deploy.

Done-for-you DPIA + FRIA

The Ready AI Act Premium Compliance Programme (€899) includes a DPIA + FRIA for one of your high-risk use cases — completed by us within 5 business days, reviewed by qualified ICT/privacy counsel, ready for management sign-off.
