AI Impact Assessments: What are they and why do you need one?

What you’ll learn in this blog:

• What is an AI Impact Assessment? 
• Why is an AI Impact Assessment needed?
• Are AI Impact Assessments required by law?
• How to conduct an AI Impact Assessment
• Frequently asked questions

What is an AI Impact Assessment?

An AI Impact Assessment (AIIA) is a practical tool to help leaders answer a key question about an AI system: Can this AI system deliver value without exposing the organisation to unacceptable risk and non-compliance?   

Unlike a standard Data Protection Impact AssessmentA formal documented assessment which allows decision-makers to identify, manage and mitigate any data protection risks associated with a project. (DPIA), an AIIA goes further, looking beyond privacy to assess the wider business risks. It is a structured process for spotting and addressing potential issues early, whether legal, ethical, or societal. That includes privacy and data protection, bias, discrimination, lack of transparency, and potential harm to individuals or groups. 

Why is an AI Impact Assessment needed?

An AIIA delivers value beyond meeting regulatory requirements. It helps businesses manage risk, protect reputation, and build the trust needed to scale AI with confidence. 

Here’s why it matters: 

• Stay compliant: Demonstrates alignment with the General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR), the EU AI ActThe EU Artificial Intelligence Act was approved by the EU Council on 21 March 2024. A world-first comprehensive AI law, intended to harmonise rules for the development, deployment, and use of artificial intelligence systems across the EU., and other emerging regulations, avoiding fines and regulatory scrutiny 
• Manage risk proactively: Spots issues like bias, lack of explainability, or misuse before they escalate into reputational damage or costly remediation 
• Strengthen governance: Provides clear documentation of how AI risks are identified, assessed, and mitigated, showing accountability to boards, regulators, and stakeholders 
• Build trust and transparency: Increases confidence among customers, partners and employees by showing your AI is safe, fair and transparent 

AIIAs are fast becoming an essential part of responsible AI adoption. They allow organisations to balance innovation with the protection of rights, freedoms, and societal values. They also ensure AI systems are deployed safely, lawfullyIn data protection terms, 'lawfully' must satisfy one of the appropriate lawful basis for processing and must not contravene any other statutory or common law obligations., and ethically. 

Are AI Impact Assessments required by law?

Whether you are legally required to complete an AIIA depends on these factors: 

• Where you operate 
• What type of AI system you’re using 
• Your organisation’s role in the AI system lifecycle 

Regulators in the EU and UK seem to be moving quickly and even where AIIA’s are not mandatory, they are strongly encouraged as best practice. 

AIIAs under the GDPR

AIIAs aren’t explicitly named in the UK or EU General Data Protection Regulation (GDPR), but they are strongly encouraged by Supervisory Authorities as part of good governance and risk management. 

Under Article 35 of the GDPR, a Data Protection Impact Assessment (DPIA) is mandatory when AI systems involve high-risk processing of personal data, such as profiling, large-scale surveillance, or automated decision-making. An AIIA can strengthen this process by assessing ethical and societal risks in addition to privacy concerns. 

In the UK, the Data (Use and Access) Act 2025 (DUAA) updates the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU., including provisions on automated decision-making and data use. While it does not introduce specific AIIA requirements, it reinforces the importance of assessing and managing AI-related risks as part of accountability and transparency. The Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).) also advises organisations to integrate AI-specific risks into their DPIAs, with its AI Risk Toolkit providing practical prompts and checklists to help operational teams put this into practice. 

Tips for DPIAs

AIIAs and the EU AI Act

The EU AI Act, which came into force in August 2024, sets out strict obligations for organisations working with high-risk AI systems. The exact requirement depends on your role in the AI lifecycle. 

What is ‘high-risk’ activity? 

If you’re deploying AI:

Under Article 27, you must carry out a Fundamental Rights Impact Assessment (FRIA) before putting a high-risk AI system into use. This assesses the real-world implications of the system, including: 

• Defining how and when it will be used 
• Identifying affected individuals or groups 
• Analysing risks to fundamental rights
• Detailing human oversight and accountability mechanisms
• Outlining mitigation and complaint-handling procedures 

If you’re developing AI:

Under Article 43, you must complete a Conformity Assessment before placing a high-risk AI system on the market or putting it into service. This includes: 

• Verifying compliance with the AI Act’s essential requirements
• Documenting the system’s design and intended use
• Implementing a quality management system
• Performing testing and validation 
• Preparing technical documentation and issuing a CE declaration of conformity 

Get ready now

In practice, both requirements are essentially EU-specific versions of an AI Impact Assessment. We use the broader term ‘AIIA’ because its principles apply beyond organisations directly subject to the EU AI Act. 

The EU AI Office is developing a standardised FRIA template. Until it is released, organisations likely to be subject to the EU AI Act should start preparing now by gathering the key information outlined in this blog. That way, you won’t be caught on the back foot when completing an EU-mandated FRIA becomes a legal requirement. 

How to conduct an AI Impact Assessment

An AIIA should assess both the technical and broader legal and ethical implications of your AI system. The process will vary depending on complexity, but a good approach includes: 

1. Define the system and its purpose
   Clearly describe what the AI system does, why it is being used, and the intended outcomes. Identify whether it is custom-built or a third-party tool.
2. Map the data flows
   Document the types of data used, including whether personal or special category dataTypes of personal data listed in Article 9(1) GDPR that are considered sensitive and thus require extra protection. Article 9(1) lists data relating to: • racial or ethnic origin • political opinions • religious or philosophical beliefs • trade union membership • genetic data • biometric data • health • sex life • sexual orientation Where these types of personal... is involved. Identify data sources and how data moves through the system.
3. Assess risks to individuals and groups
   Consider potential impacts on rights and freedoms, including bias, discrimination, manipulation, reduced human oversight, and security vulnerabilities. You should pay particular attention to possible harms from unintended or misuse of the system.
4. Review legal and ethical obligations
   Check compliance with applicable laws and ethical principles, such as fairness, accountability, and transparency.
5. Mitigate identified risks
   Develop measures to reduce risk, such as introducing human review points, improving explainability, refining training data, or strengthening security controls.
6. Document your findings
   Keep a record of identified risks, mitigation measures, and decision-making rationale to support accountability and meet audit requirements.
7. Review and update regularly
   AI systems evolve over time. Make sure you can monitor the performance of your system to ensure it is operating within expected parameters and reassess risks if the system is updated, retrained, or used in a new context. 

Key takeaways

AI Impact Assessments (AIIAs) are quickly becoming business necessityThe purpose of the personal data processing activity must not be able to be achieved by a less intrusive method. rather than best practice. They help organisations balance innovation with the protection of rights and freedoms. While not always a legal requirement, they are strongly encouraged under the GDPR and will soon be essential for many high-risk systems under the EU AI Act. 

Here’s what matters for leadership teams: Beyond compliance, an AIIA shows that your organisation has considered the broader ethical and societal implications of AI — from bias and discrimination to transparency and accountability. This reduces operational and reputational risk and builds trust with customers, employees, and regulators. 

The most effective AIIAs are proactive, collaborative, and built into the AI lifecycle from the earliest stages. Treating them as a strategic tool rather than a tick-box exercise can result in AI systems that are lawful, ethical, robust, transparent, and aligned with organisational values. 

Frequently asked questions

1. What’s the difference between a DPIA and an AIIA?                                                                                                                                      A DPIA focuses on privacy risks under data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of personal data., whilst an AIIA covers a wider scope, including ethical, societal, and technical risks.
2. Do I need an AIIA if I’m using a third-party AI tool?
   Yes, if the tool processes personal data or impacts individuals. You remain responsible for ensuring lawful, ethical use.
3. Who should complete the AIIA?
   A cross-functional team works best, involving your DPO, technical specialists, legal advisors, and those responsible for governance or ethics.
4. How long does it take?
   Timelines vary; low-risk systems may take a few days, whilst complex or high-risk systems can take weeks and require multiple review cycles.
5. What risks should we assess?
   Bias, discrimination, explainability, autonomy, security, legal compliance, and potential harm to individuals or groups.
6. Do generative AI tools like ChatGPT need an AIIA?
   Yes, if they process personal data, influence decisions, or have a direct impact on individuals.
7. Will regulators expect to see one?
   Regulators, such as the ICO and European CommissionOne of the core institutions of the European Union, responsible for lawmaking, policymaking and monitoring compliance with EU law., expect organisations to identify and mitigate AI risks proactively, so an AIIA is strongly encouraged.
8. Is there a standard template?
   No single template exists, but useful starting points include the ICO’s AI Risk Toolkit, CNIL’s AI DPIA guidance, and Annexes II and IV of the EU AI Act. The EU AI Office will release a standardised template for EU AI Act compliance purposes in due course.

The DPO Centre can assist organisations in conducting a thorough AIIA for current and planned AI deployments. Get in touch with our team today for tailored support to assess risks, embed robust governance frameworks, and ensure long-term AI success.

In case you missed it… 

• Compliance with the AI Act Part 4: Essential strategies
• Vendor due diligence & GDPR compliance: 5 practical steps
• Rise of the machines: Does AI spell death for human recruiters?