What is a Fundamental Rights Impact Assessment (FRIA)?

A Fundamental Rights Impact Assessment (FRIA) is the new assessment introduced by the EU AI Act (Article 27) requiring deployers of certain high-risk AI systems to assess the potential impact on fundamental rights before putting the system into use. FRIA is the AI Act’s parallel to GDPR’s DPIA: a structured, documented analysis of risks that the AI system poses to natural persons, with mitigation measures.

When FRIA is required

  • Bodies governed by public law deploying high-risk AI systems listed in Annex III.
  • Private entities providing public services deploying these high-risk systems.
  • Banks and insurance companies using high-risk AI for credit scoring or risk assessment.

FRIA required content

  • Description of the deployer’s processes in which the AI system is used.
  • Period and frequency of system use.
  • Categories of natural persons and groups likely to be affected.
  • Specific risks of harm to those categories.
  • Description of human oversight measures.
  • Measures to be taken if those risks materialise, including governance.

FRIA vs. DPIA

  • DPIA (GDPR Article 35): data protection focus; required when processing creates high risk to data subject rights.
  • FRIA (AI Act Article 27): broader fundamental rights focus; specific to AI Act high-risk systems used by certain deployers.
  • Both can coexist; many organisations will conduct a combined fundamental rights and data protection assessment.

For Turkish companies

Turkish banks, insurance companies and private entities providing public services (e.g. the professional chambers they are members of) that sell to the EU or do business in the EU must conduct a FRIA when using high-risk AI systems. Turkey does not yet have a direct equivalent, but the KVKK's DPIA requirement (Article 12) applies similar logic.

Do: integrate FRIA into existing risk-assessment workflows; document upfront and update on significant changes.
Don’t: treat FRIA as a one-time compliance checkbox — it is an ongoing operational tool and should evolve with the system.