FRIA Step by Step: How to Conduct a Fundamental Rights Impact Assessment
Updated: June 2026 — full revision to Validai quality standard
Introduction: The FRIA as a Governance Exercise
The Fundamental Rights Impact Assessment (FRIA) required by Art. 27 of the EU AI Act is designed to answer one fundamental question: what happens to the fundamental rights of real people when this AI system is deployed? It is not a documentation exercise — it is a structured inquiry that should genuinely change how an organisation approaches AI deployment.
This guide provides a detailed, practical walkthrough of the six-step FRIA process, with specific guidance for Dutch public sector and regulated organisations.
Before You Begin: Who Needs a FRIA?
Art. 27.1 requires a FRIA from public authorities and bodies deploying high-risk AI. This includes: central and local government, public hospitals and healthcare institutions, public universities, social housing corporations, and certain regulated private sector organisations providing public services.
The FRIA must be completed before deployment begins — not after. Retrospective FRIAs have no legal standing under Art. 27.
Step 1: System Scoping (Week 1)
Document the AI system precisely:
- System name, vendor, version
- Intended purpose and specific use case
- How the system works (at a conceptual level — you do not need the source code)
- Which decisions the system informs or makes
- The categories of individuals it processes data about or affects
- The scale of deployment (how many people affected per year?)
- Whether similar systems have been used before and what happened
Output: A 1–2 page system description that the rest of the FRIA builds on.
Step 2: Stakeholder Mapping (Week 1–2)
Identify every group whose rights could be affected by the AI system:
- Direct subjects: individuals whose data is processed and who receive AI-influenced decisions
- Indirect stakeholders: family members, employees, communities who may be affected by decisions made about direct subjects
- Vulnerable groups: children, elderly, people with disabilities, people in economic hardship — who may face heightened risks
- Protected characteristics: ethnic minority groups, LGBTQ+ individuals, religious minorities — who may face discrimination risk
Output: A stakeholder map with a narrative explanation of how each group is connected to the AI system.
Step 3: Rights Mapping (Week 2–3)
For each stakeholder group, identify which fundamental rights are at risk. Work through the EU Charter systematically:
| Charter article | Right | Relevance to this AI system |
|---|---|---|
| Art. 1 | Human dignity | [High/Medium/Low/None] |
| Art. 7–8 | Privacy and data protection | [Assessment] |
| Art. 21 | Non-discrimination | [Assessment] |
| Art. 24 | Children's rights | [Assessment] |
| Art. 47 | Right to a fair hearing | [Assessment] |
Output: A completed rights mapping table with brief justification for each assessment.
Step 4: Risk Assessment (Week 3)
For each rights risk identified as High or Medium:
- Probability: How likely is this harm to occur? (1–5 scale)
- Severity: How serious is the harm if it occurs? (1–5 scale)
- Breadth: How many people could be affected? (1–5 scale)
- Risk score: Probability × Severity × Breadth
- Priority: High (score 27–125), Medium (8–26), Low (1–7)
Output: A risk matrix prioritising the top rights risks for mitigation.
Step 5: Mitigation Measures (Week 3–4)
For each High and Medium priority risk: design specific, verifiable mitigation measures. Examples:
- Non-discrimination risk: Regular algorithmic auditing for demographic parity; independent bias testing before deployment
- Right to fair hearing: Mandatory written explanation of AI-influenced decisions; appeals process documented in procedure manual
- Privacy risk: Data minimisation review; GDPR DPIA with DPO sign-off
- Dignity risk: Human override mandatory for all negative decisions affecting individuals
Each measure must have: a responsible owner, an implementation deadline, and a verification method.
Step 6: Residual Risk Assessment and Sign-Off (Week 4)
After applying mitigation measures, re-assess residual risks. For each risk: what is the residual probability and severity after mitigation? If any residual risk remains High — consider whether deployment should proceed, and under what additional conditions.
Sign-off required from: the AI Officer, the DPO (for data-related risks), legal counsel, and the relevant management level (typically the Management Team member responsible for the affected function).
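The scoring in Step 4 and the residual re-assessment in Step 6 are easy to get wrong in a spreadsheet (out-of-range factors, inconsistent priority bands, High risks that were never re-scored). The following Python helper is an added example, not part of this guide or of any Validai tooling: it encodes the guide's 1–5 scales, the Probability × Severity × Breadth product and the High/Medium/Low bands, validates inputs, orders a risk register into the Step 4 matrix, and lists the risks that still block sign-off under Step 6. The `RightsRisk` class, the function names and the sample risks are assumptions constructed for the illustration.

```python
"""FRIA risk register helper for Steps 4 (scoring) and 6 (residual risk).

Added illustration, not code from the guide. It assumes the guide's 1-5
scales, the Probability x Severity x Breadth product and its priority
bands (High 27-125, Medium 8-26, Low 1-7). All risks below are constructed
sample data, not findings from a real assessment.
"""
from dataclasses import dataclass
from typing import List, Optional

SCALE = range(1, 6)  # every factor is scored on a 1-5 scale


def check_scale(value: int, name: str) -> int:
    """Reject factors outside 1-5 so a typo cannot silently distort a score."""
    if value not in SCALE:
        raise ValueError(f"{name} must be between 1 and 5, got {value!r}")
    return value


def risk_score(probability: int, severity: int, breadth: int) -> int:
    """Step 4: Probability x Severity x Breadth (range 1-125)."""
    return (check_scale(probability, "probability")
            * check_scale(severity, "severity")
            * check_scale(breadth, "breadth"))


def priority_band(score: int) -> str:
    """Map a score onto the guide's bands: High 27-125, Medium 8-26, Low 1-7."""
    if score >= 27:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class RightsRisk:
    stakeholder: str            # group from the Step 2 stakeholder map
    charter_article: str        # Charter article from the Step 3 rights mapping
    description: str
    probability: int
    severity: int
    breadth: int
    # Step 6 values, filled in only after mitigation measures are applied
    residual_probability: Optional[int] = None
    residual_severity: Optional[int] = None
    residual_breadth: Optional[int] = None

    @property
    def score(self) -> int:
        return risk_score(self.probability, self.severity, self.breadth)

    @property
    def priority(self) -> str:
        return priority_band(self.score)

    def residual_score(self) -> Optional[int]:
        """None until all three residual factors have been re-assessed."""
        factors = (self.residual_probability, self.residual_severity, self.residual_breadth)
        if any(f is None for f in factors):
            return None
        return risk_score(*factors)


def risk_matrix(risks: List[RightsRisk]) -> List[RightsRisk]:
    """Step 4 output: risks ordered for mitigation, highest score first."""
    return sorted(risks, key=lambda r: (r.score, r.severity), reverse=True)


def unresolved_risks(risks: List[RightsRisk]) -> List[RightsRisk]:
    """Step 6 check: High/Medium risks that were never re-scored, or whose
    residual score is still High, need a deployment decision before sign-off."""
    blockers = []
    for r in risks:
        residual = r.residual_score()
        if r.priority in ("High", "Medium") and residual is None:
            blockers.append(r)               # mitigation not verified yet
        elif residual is not None and priority_band(residual) == "High":
            blockers.append(r)               # mitigation insufficient
    return blockers


def sample_risks() -> List[RightsRisk]:
    """Constructed sample register for a fictitious benefit-triage system."""
    return [
        RightsRisk("Benefit applicants", "Art. 21", "Model flags one group for review more often",
                   4, 4, 3, residual_probability=2, residual_severity=4, residual_breadth=3),
        RightsRisk("Benefit applicants", "Art. 47", "Decision letters give no reasons",
                   5, 3, 3, residual_probability=1, residual_severity=3, residual_breadth=3),
        RightsRisk("Caseworkers", "Art. 7-8", "Review logs retained beyond need", 2, 2, 2),
        RightsRisk("Family members", "Art. 1", "Household members named in notices", 1, 3, 2),
    ]


if __name__ == "__main__":
    for r in risk_matrix(sample_risks()):
        print(f"{r.score:3d} {r.priority:6s} {r.charter_article:8s} {r.description}")
    print("Blocking sign-off:", [r.charter_article for r in unresolved_risks(sample_risks())])
```

In the sample register the Art. 21 and Art. 47 risks start High (48 and 45), drop to Medium after mitigation (24 and 9), and no longer block sign-off; the Art. 7-8 risk scores exactly 8, the bottom of the Medium band, and is reported as unresolved because it has no residual assessment yet. A score in the Low band (the Art. 1 risk at 6) needs no re-scoring under Step 4.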
Compliance Checklist
- Has the FRIA been completed before deployment?
- Does the FRIA cover all six steps?
- Has the stakeholder mapping identified vulnerable groups?
- Have all Charter rights been assessed (not just privacy)?
- Are mitigation measures specific, verifiable, and assigned to named owners?
- Has residual risk been assessed and documented?
- Has sign-off been obtained from AI Officer, DPO, and management?
- Is the FRIA filed and available for supervisory review?