FRIA and DPIA for AI systems
Bring privacy, fundamental rights, bias, human oversight and supplier information into one workable file. For AI systems that affect people, that show high-risk signals, or that are stuck between the GDPR, the AI Act and governance.
Impact sprint
2 weeks
Explain whether a DPIA, FRIA or combined file is needed
Show which rights and affected groups may be impacted
Challenge suppliers on missing information
Make a decision with visible residual risk
Where organizations get stuck
A DPIA focuses on privacy. A FRIA looks more broadly at fundamental rights. In AI projects those tracks often overlap, while legal, privacy, business and the supplier all hold different information.
Unclear obligation
Is this a DPIA, a FRIA, both, or first a classification decision? We make the sequence concrete.
Too little vendor evidence
Suppliers often provide generic security or model information, but not enough for bias, oversight and impact analysis.
No decision-ready file
Risks are spread across privacy, legal, procurement and business. We bring them into one reviewable decision memo.
What we deliver
DPIA/FRIA scope and decision on whether a combined file is useful
AI system context: purpose, workflow, users, affected people and supplier
AI Act role and risk route: provider, deployer, high-risk, transparency or low risk
GDPR link: personal data, special category data, legal basis, data flows and retention
Fundamental-rights analysis: discrimination, human dignity, access to services, explanation and appeal
Bias and fairness questions for data, model, use context and monitoring
Human oversight plan with authority, escalation, override and logging
Supplier questions and missing evidence per contract or product claim
Risk and mitigation matrix with owner, status and residual risk
Decision memo for legal, privacy, leadership or project steering group
Approach in 2 weeks
Scope and intake
We determine system, use case, team, affected group, AI Act route and the question: DPIA, FRIA or combined file.
Evidence request
We request focused documentation from internal teams and suppliers: data flows, model information, logging, oversight and instructions for use.
Impact workshop
Legal, privacy, business and process experts bring privacy and fundamental-rights impact together on one risk map.
Measures and vendor gaps
We translate risks into controls, human oversight, transparency, appeal route, monitoring and supplier questions.
Decision memo
We deliver a reviewable file with conclusion, open points, owners and go/no-go or follow-up advice.
Where this has the most impact
Public sector
For algorithms around public services, supervision, enforcement, benefits, education or citizen interaction.
HR and recruitment
For screening, matching, performance, planning, monitoring or other AI that affects workers or candidates.
Finance and essential services
For AI around credit, fraud, access to services, risk scores or customer decisions.
Legal, privacy and procurement
When a supplier does not sufficiently explain what the system does, which risks exist and who is responsible for what.
Afterwards you can
Explain whether a DPIA, FRIA or combined file is needed
Show which rights and affected groups may be impacted
Challenge suppliers on missing information
Make a decision with visible residual risk
Connect the outcome to the AI register, governance and evidence pack
Logical next steps
AI inventory and register setup
Record per system where DPIA/FRIA, vendor evidence and human oversight are needed.
AI Act Readiness Sprint
Connect classification, gap analysis and evidence building in a 30-60-90 day roadmap.
HR-AI Risk & Evidence Sprint
For HR systems where bias, transparency and candidate or worker impact weigh heavily.
Frequently asked questions
When is a FRIA needed?
A FRIA is especially relevant for high-risk AI systems and situations where fundamental rights may be affected. The exact obligation depends on the system, role, sector and use context.
What is the difference between a DPIA and a FRIA?
A DPIA focuses on privacy risks under the GDPR. A FRIA looks more broadly at fundamental rights such as non-discrimination, access to services, human dignity, explanation, appeal and effective human oversight.
Can DPIA and FRIA be combined?
Often yes. Especially for AI systems involving personal data, a combined file is more efficient, as long as privacy and broader fundamental rights are both treated explicitly.
What if the supplier provides little information?
Then we make that visible as a vendor gap. You receive concrete questions for contract, security, privacy, model governance, logging, bias and human oversight.
Is this legal advice?
This is practical AI governance and compliance support. For formal legal opinions, organizations work with their own lawyer or legal adviser where needed.
Make impact analysis decision-ready.
Start with the Gap Intake. We then determine which AI system, obligation and evidence belongs in the first FRIA/DPIA scope.