
    Step-by-Step: Conducting Your First FRIA

    A practical walkthrough of the Fundamental Rights Impact Assessment process, with templates and examples.

    James Robertson | January 10, 2025 | 14 min read

    A Fundamental Rights Impact Assessment (FRIA) is required for certain deployers of high-risk AI systems. This guide walks you through the process step by step.

    When is FRIA Required?

    You must conduct a FRIA if you are:

    • A public authority deploying high-risk AI
    • A private entity providing public services using high-risk AI
    • Deploying certain Annex III high-risk systems

    The FRIA Process

    Step 1: Preparation

    Gather your team:

    • System owner
    • Legal/compliance representative
    • Data protection officer
    • Subject matter experts for affected groups

    Collect documentation:

    • Provider's instructions for use
    • Technical documentation
    • Data flow diagrams
    • Existing impact assessments

    Step 2: Describe the Process

    Document:

    • Your organization's process where AI is used
    • The AI system's role in that process
    • Decisions influenced by the AI
    • Human oversight arrangements

    Step 3: Identify Affected Persons

    Consider:

    • Who is directly affected by AI outputs?
    • Are there vulnerable groups?
    • How many people are affected?
    • What's the frequency of impact?

    Step 4: Assess Risks to Fundamental Rights

    Evaluate risks across categories:

    • Non-discrimination and equality
    • Privacy and data protection
    • Freedom of expression
    • Access to services
    • Due process and contestability

    For each risk:

    • Assess likelihood (Low/Medium/High)
    • Assess severity (Low/Medium/High)
    • Document your reasoning

    Step 5: Define Mitigations

    For each identified risk:

    • What controls reduce the risk?
    • Who is responsible for each control?
    • How will effectiveness be measured?

    Step 6: Document Oversight Measures

    Describe:

    • Who provides oversight
    • Their competencies and training
    • Their authority to intervene
    • Escalation procedures

    Step 7: Approval and Notification

    Complete:

    • Internal approval workflow
    • Document approvers and dates
    • Notify market surveillance authority (if required)

    Get the Template

    Download our FRIA Template to structure your assessment.
