Since the AI Act came into force, public-sector organisations that want to deploy an AI system processing personal data must carry out not one, but two mandatory assessments. The first is the Data Protection Impact Assessment (DPIA), a risk assessment that maps the risks a data-processing operation poses to the rights and freedoms of data subjects. The DPIA has been around since the General Data Protection Regulation (GDPR) took effect in 2018 and is by now a familiar tool for many organisations. The second is the Fundamental Rights Impact Assessment (FRIA), which evaluates how an AI system may affect people's fundamental rights.
AI systems can create broader risks than data protection alone. Think of discrimination or harm to human dignity. Both assessments therefore evaluate risks, but each from its own angle. At the same time, they overlap considerably in practice. In this blog we explain how the DPIA and the FRIA differ, where they intersect, and why an integrated approach can add real value.
The main difference lies in the scope. The DPIA is anchored in Article 35 GDPR and is mandatory whenever a processing operation is likely to result in a high risk to the rights and freedoms of natural persons. This applies regardless of whether AI is involved, yet AI applications that process personal data quickly trigger the requirement. Examples include systematic profiling, automated decision-making with legal effects, large-scale processing of special categories of personal data, or monitoring of publicly accessible areas. These are processing activities that, according to the European Data Protection Board (EDPB) guidelines, pose a high risk. The FRIA derives from Article 27 of the AI Act and applies to public-law bodies and to private parties providing public services. The obligation arises when they put a high-risk AI system into use. This includes AI applications listed in Annex III of the AI Act, such as systems for credit scoring, employment decisions, law enforcement and migration. In an earlier blog (available in Dutch only) we discussed the FRIA and the requirements it must meet. [1]
Whether the FRIA obligation applies therefore depends on the context in which the system is deployed. Take an AI system that screens job applicants as an example.[2] If a private organisation uses it, no FRIA obligation arises directly, even though the system qualifies as high-risk AI. If a public-sector body uses the same tool, a FRIA is mandatory. In that case both a DPIA and a FRIA are conducted, each from its own perspective. The DPIA assesses whether applicant data is processed lawfully, whether retention periods are correct, and whether data subjects can exercise their rights. The FRIA looks at different questions. Does the model inadvertently discriminate against certain groups? Is the human dignity of candidates adequately safeguarded, for instance by ensuring a human is always involved in the final decision? An AI system can therefore be fully GDPR-compliant and still infringe fundamental rights.
Various tools are available for carrying out both assessments. Within the Dutch public sector, two instruments are commonly used. For the DPIA this is the Model DPIA Rijksdienst (the central government's model DPIA). For the human-rights review of algorithms it is the Impact Assessment Mensenrechten en Algoritmes (IAMA). The IAMA has a broader scope than the FRIA. Where the FRIA applies specifically to high-risk AI systems under the AI Act, the IAMA covers all algorithms that may affect fundamental rights, including simple rule-based systems that do not qualify as AI. In February 2026 the IAMA was updated and aligned with the requirements of the AI Act. For public-sector organisations already working with the IAMA, this provides a solid foundation for meeting the FRIA obligation as well. The Model DPIA Rijksdienst and the IAMA show some overlap. The Ministry of the Interior and Kingdom Relations has therefore published guidance on using both instruments together.[3]
Both the DPIA and the FRIA are form-free. Organisations not bound by an internal mandatory template can therefore shape both assessments themselves. They may, for example, use the Model DPIA Rijksdienst and the IAMA, develop their own instrument, or choose a combination. The condition is that the chosen instruments meet the requirements of Article 35 GDPR and Article 27 AI Act.
Although the DPIA and the FRIA approach risks from different angles, there is considerable overlap in practice. Running both assessments entirely from scratch means duplication of effort and increases the risk of inconsistencies between documents that relate to the same system.
For this reason the European legislator built a bridge between the two instruments. Article 27(4) of the AI Act provides that where part of the FRIA obligations has already been fulfilled through a DPIA, the FRIA supplements that existing assessment. The FRIA does not replace the DPIA, nor vice versa. The provision does, however, allow organisations to reuse existing work and conduct both assessments as one coherent process. The Regulation thus encourages an integrated approach, provided both frameworks are fully covered.
Rather than running the DPIA and the FRIA separately, an organisation can opt for a single integrated assessment. Placing both frameworks side by side reveals which elements overlap, which are complementary, and where the FRIA genuinely adds new content. In practical terms, an integrated assessment might follow these steps:
At ICTRecht we are currently developing an integrated assessment framework that meets both sets of requirements. This helps organisations carry out the DPIA and the FRIA in one coherent process. If you need support with this, get in touch. We are happy to think along with you.
The AI Act is now in force and its obligations are being phased in. Originally, high-risk AI systems would have had to comply with the Regulation's rules from 2 August 2026. On 29 June 2026, however, the Council of the European Union gave final approval to the Digital Omnibus. This package is intended to simplify the EU's digital regulatory framework, including the implementation of the AI Act. Part of it is that several AI Act deadlines are pushed back. The obligations for standalone high-risk AI systems (Annex III) now shift to 2 December 2027, and for embedded high-risk AI (Annex I) to 2 August 2028. You can read more about the Digital Omnibus for AI in this blog (available in Dutch only).
That extension allows some extra time, but even with the new deadlines the implementation period is tight. Start mapping your AI systems in good time. Carrying out risk assessments at an early stage allows the outcomes to inform the design or implementation of the system, rather than requiring corrections afterwards.
The arrival of the FRIA requires additional effort, yet it also offers an opportunity to organise AI risk management more broadly and coherently. Explore how you can integrate both assessments into a single, joined-up process instead of running them separately. That saves time and delivers a better result.
In short, if you would like to know more about the relationship between a DPIA and an FRIA, or get a head start on the AI Act, please contact us. We would be happy to collaborate on this.
1. See the EDPB guidelines (WP248 rev.01, 2017).
2. This concerns a high-risk application under Annex III, category 4 of the AI Act.
3. See ‘Handreiking gezamenlijk gebruik Rijksmodel DPIA en IAMA.’