v2.4.0

A Data Protection Impact Assessment is required under GDPR Article 35 whenever processing is likely to result in a high risk to individuals’ rights and freedoms. For AI systems that process personal data, this obligation is triggered in most high-risk deployments. The DPIA should follow the methodology set out in the EDPB’s guidelines (WP 248 rev.01, as endorsed by the EDPB), which specify the minimum content requirements and the criteria for determining when a DPIA is required. The DPIA is a distinct exercise from the Fundamental Rights Impact Assessment required under AI Act Article 27, though the two overlap considerably and should be coordinated to avoid duplication.

The DPIA focuses specifically on data protection risks: confidentiality, integrity, and availability of personal data, along with the broader risks to data subjects’ rights arising from the processing. Findings from the DPIA should feed into the FRIA, since data protection risks are a subset of fundamental rights risks. Conversely, fairness concerns surfaced during the FRIA may carry data protection implications that the DPIA must address.

Module 4 of the AISDP records how the two assessments are coordinated, cross-references their findings, and confirms that both remain current throughout the system’s lifecycle. The DPO Liaison is responsible for ensuring the DPIA reflects the specific technical characteristics of the AI system, including the lawful basis for processing training data, data subject rights implications (particularly the right to erasure and the right not to be subject to solely automated decision-making), and data retention tensions between GDPR’s storage limitation principle and the AI Act’s ten-year documentation retention obligation under Article 18.

Organisations should not treat the DPIA as a one-time exercise. Changes to the system’s data processing activities, including retraining on new datasets or expanding to new deployer contexts, may require the DPIA to be revisited.

Key outputs

  • Completed DPIA document covering the AI system’s personal data processing
  • Cross-reference mapping between DPIA findings and FRIA findings
  • Documented coordination methodology between the two assessments
  • Evidence of DPO Liaison sign-off