You’ve spent years getting your GDPR compliance sorted. You’ve got a Data Protection Officer, your DPIA process works, and you know how to handle breach notifications. Now the EU AI Act arrives with its Fundamental Rights Impact Assessment requirements, and you’re looking at August 2026 wondering if you need to build an entirely separate compliance track.
You don’t. The EU AI Act implementation guide shows how compliance coordination can work across both frameworks.
Article 27 of the AI Act explicitly allows FRIAs to complement your existing DPIAs when obligations overlap. The Digital Omnibus amendments from 2025 go further—coordinated breach reporting and expanded permissions for processing sensitive data when you’re testing for bias. You can extend what you already have rather than duplicating it.
The opportunity here is straightforward. Your DPO already handles privacy assessments. Your documentation templates exist. Your workflows are established. You just need to extend them to cover fundamental rights beyond privacy—discrimination, fairness, human dignity—without rebuilding your compliance infrastructure from scratch.
Workflow coordination and role mapping between your data protection officers and AI compliance work. That’s how you meet the August 2026 deadline without waste.
What is the difference between DPIA and FRIA?
A Data Protection Impact Assessment focuses exclusively on privacy risks. It’s the GDPR Article 35 requirement you already know—what happens when data processing creates high risk to individuals’ rights and freedoms.
A Fundamental Rights Impact Assessment extends beyond privacy to all fundamental rights affected by AI deployment. Discrimination, fairness, human dignity, freedom of expression. Article 27 of the AI Act requires FRIAs for certain deployers starting August 2026.
The key distinction: DPIA evaluates data risks. FRIA evaluates broader societal rights impacts.
Here’s what matters for your planning. DPIA applies to all high-risk data processing activities while FRIA applies only to specific high-risk AI systems. But when both apply to the same system, Article 27 explicitly allows FRIA to complement DPIA when obligations overlap. Single integrated assessment rather than duplicative processes.
The practical implication: if you’re deploying AI that processes personal data and qualifies as high-risk AI fundamental rights assessments, both assessments apply. But you can satisfy both with unified documentation using common EU-wide templates from the Digital Omnibus.
How does the EU AI Act interact with GDPR requirements?
Both regulations apply simultaneously when AI systems process personal data. There’s no exemption from GDPR obligations just because you’re also following the AI Act.
The two frameworks overlap across approximately 20 compliance dimensions—data governance, transparency, security, documentation, incident reporting. The AI Act extends GDPR principles rather than replacing them. Privacy by design becomes fundamental rights by design throughout your system lifecycle.
Your existing GDPR infrastructure maps cleanly to AI Act requirements. Risk management systems? They align with privacy by design and DPIA processes. Data governance requirements? They overlap across purpose limitation, data minimisation, and accuracy standards. Security measures between Article 32 GDPR technical safeguards and AI Act security requirements? Same ground. Avoiding duplicative assessment costs through this integration becomes a significant efficiency gain for resource-constrained SMBs.
Provider and deployer roles under the AI Act map to controller and processor under GDPR, with cumulative obligations. Your Article 30 records of processing extend to include AI system documentation.
Transparency obligations combine too. GDPR Articles 13-14 mandate disclosure about data processing purposes, legal basis, retention, and subject rights. AI Act Articles 13 and 50 require deployment instructions, notification of AI interactions, and explainability of decisions. You satisfy both through coordinated transparency documentation—extend your privacy notices to include AI-specific disclosures.
The Digital Omnibus harmonises requirements through EU-wide templates and coordinated breach reporting via the NIS2 single-entry point. Instead of separate notifications to multiple supervisory authorities, you submit a unified incident report and the infrastructure routes it appropriately.
What changes did the Digital Omnibus make to special category data processing?
The 2025 Digital Omnibus amendments expanded Article 9 GDPR to allow processing special category data for bias detection and fairness testing across all AI systems, not just high-risk ones.
This matters because previously you couldn’t legally process sensitive personal information—racial or ethnic origin, health data, biometric information—to test for discriminatory patterns without explicit consent or substantial public interest justification. The expanded legal basis now allows processing for developing and training AI systems under the controller’s legitimate interests, subject to appropriate guardrails.
The guardrails are strict. You need state-of-the-art security and pseudonymisation, documented necessity showing bias detection isn’t possible using other data types, strict access controls with confidentiality obligations, and deletion as soon as bias is corrected.
This creates a practical pathway for bias mitigation workflows. Collect representative special category data, apply pseudonymisation, conduct fairness testing across demographic groups, identify disparate impacts, correct discriminatory patterns, and delete the sensitive data after correction. All documented in your integrated DPIA/FRIA assessment showing legal basis, security measures, and deletion procedures.
The key limitation: you must maintain detailed records proving processing was strictly necessary and couldn’t have been achieved by processing other data including synthetic or anonymised alternatives. No retention for ongoing monitoring without separate legal basis.
How to integrate FRIA with existing DPIA process?
Start with your existing DPIA template. You already have sections covering data processing risks, technical safeguards, and privacy impact mitigation. Extend those sections to cover fundamental rights beyond privacy.
Add FRIA-specific evaluation criteria: algorithmic bias assessment, human oversight mechanisms, transparency requirements for AI-specific disclosures, and societal impact analysis covering discrimination and fairness concerns.
Successful integration requires covering all Article 35 GDPR requirements plus Article 27 AI Act elements. Your unified documentation satisfies both regulations using the common EU-wide templates from Digital Omnibus.
The workflow integration looks like this. Conduct joint scoping to identify where privacy obligations and fundamental rights obligations overlap. Run a combined risk assessment covering both privacy risks and broader fundamental rights impacts. Develop unified mitigation measures addressing both. Submit a single notification to your supervisory authority.
Your DPO oversight extends from privacy-focused DPIA work to broader FRIA coordination. Your DPO validates privacy compliance sections, your AI compliance team validates fundamental rights analysis, and you get joint sign-off on the integrated assessment.
Key risk factors to assess: accuracy of automated decisions, bias and discrimination in outcomes, transparency of algorithmic processes, and data quality throughout the AI system lifecycle. These align with GDPR principles while extending to AI-specific concerns. The integrated approach delivers GDPR infrastructure cost savings by leveraging existing processes rather than building parallel systems.
How to coordinate DPO and AI compliance team workflows?
Your Data Protection Officer brings established GDPR expertise and existing supervisory authority relationships. Your AI compliance team provides technical AI risk assessment capabilities. Divide responsibilities rather than duplicating work.
The DPO focuses on privacy, data governance, and Article 30 records maintenance. The AI team evaluates algorithmic bias, human oversight implementation, and broader fundamental rights impacts beyond privacy.
For integrated assessments, the DPO leads privacy sections, the AI team leads fundamental rights sections, and you establish joint ownership for overlapping concerns. Single documentation process with clear handoff points rather than parallel compliance tracks.
This extends your existing DPO role to FRIA coordination without hiring dedicated AI compliance headcount in smaller organisations. Legal teams must work closely with engineering to embed privacy-by-design principles into AI development processes, and the same applies to fundamental rights by design.
The practical workflow involves joint scoping meetings to identify obligations, parallel assessment work with the DPO handling privacy analysis and AI team handling fundamental rights analysis, unified documentation review, and joint sign-off before supervisory authority submission.
Your DPO already interfaces with supervisory authorities for GDPR matters. They submit the combined assessment using common EU-wide templates and coordinate responses for both GDPR and AI Act inquiries through the same relationship.
How to implement bias mitigation using special category data?
The Digital Omnibus expanded legal basis enables processing special category data for fairness testing without violating Article 9 GDPR prohibitions. But you need documented justification and strict safeguards.
Your bias detection workflow: collect representative special category data under documented necessity, apply state-of-the-art pseudonymisation and security, conduct fairness testing across demographic groups, identify disparate impacts, correct discriminatory patterns, and delete special category data after correction.
The necessity documentation must show bias detection isn’t possible using synthetic or anonymised data. You need strict access controls limiting which personnel can access the sensitive data, confidentiality obligations for authorised persons, and technical measures preventing unauthorised transmission or third-party access.
Security requirements include encryption during processing and storage, pseudonymisation techniques that prevent re-identification, and technical limitations on re-use beyond the specific bias correction purpose.
Document the entire workflow in your integrated DPIA/FRIA. Show legal basis under Digital Omnibus provisions, detail security measures and access controls, describe bias correction methodology, and specify deletion procedures with timelines.
This applies to high-risk AI systems in HR and recruitment, financial assessment and creditworthiness, and healthcare, plus broader deployments under the expanded permissions. But retention limits remain firm—delete special category data immediately after bias correction, not after ongoing monitoring periods.
What organisations must conduct FRIAs under the AI Act?
FRIA becomes mandatory in August 2026 for specific deployer categories using high-risk AI systems listed in Annex III.
You need FRIAs if you’re a public body deploying any high-risk AI, a financial institution using creditworthiness or insurance pricing AI, or an organisation providing public interest services like education, healthcare, or critical infrastructure.
High-risk AI systems triggering FRIA include employment and HR decisions, worker management, access to essential services, creditworthiness assessment, law enforcement, and biometric identification. Check if your deployed AI system appears in the Annex III use case GDPR coordination categories.
SMEs deploying AI systems provided by third parties may be exempt if the provider handles conformity assessment. Organisations using minimal-risk or limited-risk AI systems don’t need FRIAs. Personal use deployments fall outside the requirement.
Self-assessment involves determining if your organisation qualifies as a public body, financial institution, or public interest service provider, then checking if your deployed AI system appears in Annex III high-risk categories. Both conditions must apply.
If FRIA applies, you must document how the system will be used including purpose, duration, and frequency. Document categories of individuals affected. Document specific risks of harm to fundamental rights. Document measures for human oversight and governance. Document steps to address and mitigate risks if they materialise.
The outcome must be notified to the competent market surveillance authority using standardised templates.
Internal control conformity assessment offers an alternative to third-party notified body certification for some deployers with strong internal auditing capabilities. You conduct self-assessment demonstrating AI Act compliance, maintain rigorous documentation including quality management systems and technical documentation, but avoid external certification costs.
For broader context on navigating the full compliance coordination overview across all AI Act obligations, see the complete implementation guide addressing timeline scenarios, cost planning, and vendor due diligence.
The article continues with frequently asked questions about integrating EU AI Act compliance with GDPR programs.
When does the EU AI Act FRIA requirement start applying?
FRIA becomes mandatory in August 2026 for certain deployers—public bodies, financial institutions, and public interest services using high-risk AI systems.
Providers face earlier conformity assessment deadlines for high-risk systems. But if you’re a deployer in the covered categories, August 2026 is your deadline.
You should begin integration planning now to extend existing GDPR DPIA processes before the deadline. Rushed implementation in mid-2026 creates stress and potential compliance gaps.
What is a Fundamental Rights Impact Assessment (FRIA)?
FRIA is the Article 27 AI Act requirement for certain deployers of high-risk AI systems to evaluate broader fundamental rights impacts beyond privacy—discrimination, fairness, human dignity, freedom of expression.
It complements GDPR DPIA with societal impact analysis covering all fundamental rights in the EU Charter. Mandatory from August 2026 for public bodies, financial institutions, and public interest services.
The assessment evaluates what happens when AI systems make decisions affecting fundamental rights beyond just data protection concerns.
How does coordinated breach reporting work under Digital Omnibus?
The Digital Omnibus introduces a single-entry point for incident and breach notifications to reduce duplicate reporting and harmonise processes across multiple frameworks.
GDPR data breaches with 72-hour notification requirements and AI Act serious incidents with 15-day or 2-10-day notification requirements route through the NIS2 single-entry point using a common EU-wide template.
You submit a unified incident report. The NIS2 infrastructure routes it to appropriate authorities based on breach type and regulatory framework. No more separate notifications to multiple supervisory authorities for overlapping incidents.
What’s the difference between provider and deployer obligations?
Provider develops or places AI systems on the EU market under its name. Handles conformity assessment, technical documentation, and risk management system implementation. Similar to GDPR controller obligations.
Deployer uses AI systems under its authority. Conducts FRIA if qualifying as high-risk deployer category, implements human oversight, and maintains deployment logs. Comparable to GDPR processor but with distinct AI-specific obligations.
Provider and deployer terminology maps to controller and processor roles under GDPR with cumulative obligations. If you’re both developing and deploying, both sets of requirements apply.
How do transparency obligations differ between GDPR and AI Act?
GDPR Articles 13-14 mandate disclosure about data processing purposes, legal basis, retention, and subject rights. AI Act Articles 13 and 50 require deployment instructions, notification of AI interactions, and explainability of decisions.
You satisfy both through coordinated transparency documentation. Extend your existing privacy notices to include AI-specific disclosures about how automated decisions work, what AI is involved, and how individuals can challenge decisions.
The Digital Omnibus provides integrated templates combining both sets of requirements in unified user-facing notices.
What is the timeline for AI Act compliance implementation?
Phased rollout: prohibited AI systems banned February 2025, high-risk AI system conformity assessment starts August 2026 including mandatory FRIA for certain deployers, general-purpose AI model obligations August 2027, full enforcement May 2027.
Begin DPIA/FRIA integration now to leverage existing GDPR infrastructure before the August 2026 deadline. You have time to extend what you already have rather than rushing a separate compliance build in mid-2026.
What are internal control conformity assessments?
Alternative to third-party notified body certification available for certain high-risk AI systems. Organisations with strong internal auditing capabilities conduct self-assessment demonstrating AI Act compliance.
Requires rigorous documentation including quality management systems, technical documentation, and design control procedures. You verify compliance internally rather than paying for external certification.
Cost-effective option for SMBs with existing compliance resources and internal audit capabilities, but demands thorough documentation and internal quality management systems meeting AI Act standards.
