Key takeaways
- A privacy impact assessment (PIA) is a structured review of how a system collects, uses, stores, and shares personal data, run before that system goes live, to surface privacy risks early.
- The term originates in US federal law (the E-Government Act of 2002) and often describes an internal, voluntary practice in the private sector.
- A PIA is not the same as a GDPR data protection impact assessment (DPIA), which is legally mandatory for high-risk processing under Article 35.
- The EU AI Act adds a third assessment, the fundamental rights impact assessment (FRIA), required for certain deployers of high-risk AI from 2 August 2026.
- A single high-risk AI system can require a DPIA and a FRIA at once. The FRIA complements the DPIA; it does not replace it.

What a privacy impact assessment means
A privacy impact assessment is, in the words of the US National Institute of Standards and Technology, an analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, and to determine the risks and effects of collecting, using, storing, and sharing information in identifiable form. The definition traces back to the E-Government Act of 2002, whose Title II, Section 208 obliged US federal agencies to run a PIA before building or buying any system that handles personally identifiable information (PII).
Strip away the legal language and the purpose is simple. A PIA asks one question before a project starts: where could this system put people’s personal data at risk, and what should we change now to prevent that? It maps how PII enters a system, where it travels, who can see it, and how it is eventually disposed of. The output is a documented set of risks and the measures taken to reduce them.
One nuance trips up most readers. In the US public sector, a PIA is a legal obligation. In the private sector, it is usually an internal good-practice tool with no single statute behind it, which is why a company can run a PIA voluntarily and still need a separate, legally mandated assessment for the same project. That gap is where the next two assessments come in, and where privacy work starts to overlap with AI governance.
PIA, DPIA, and FRIA: three assessments, one question
PIA, DPIA, and FRIA get used interchangeably in privacy conversations, and that habit is becoming expensive. They share a goal, protecting people from harm tied to how their data and rights are handled, but they sit on different legal bases and trigger in different situations.
A privacy impact assessment is the broad, original term. It covers any structured review of privacy risk and is most strongly anchored in US federal practice.
A data protection impact assessment is narrower and harder-edged. Under Article 35 of the GDPR, a DPIA is mandatory whenever processing is likely to result in a high risk to the rights and freedoms of natural persons. It must contain a systematic description of the processing, an assessment of its necessity and proportionality, an assessment of the risks, and the measures planned to address them.
A fundamental rights impact assessment is the newest pillar. Introduced by Article 27 of the EU AI Act, a FRIA is required of certain deployers of high-risk AI systems and focuses on the people a system affects: whether it treats them fairly, whether it creates systemic disadvantage, and whether those subject to its decisions can challenge them.
| Assessment | Legal basis | Triggered by | Who must run it | Core output |
|---|---|---|---|---|
| PIA | E-Government Act 2002 (US); internal policy elsewhere | Any new system handling PII | US federal agencies; voluntarily, private firms | Documented privacy risks and mitigations |
| DPIA | GDPR Article 35 (EU) | Processing likely high-risk to rights and freedoms | Data controllers | Risk assessment plus mitigation measures |
| FRIA | EU AI Act Article 27 | Deployment of certain high-risk AI systems | Specific deployers of high-risk AI | Fundamental rights risk assessment, notified to the authority |
When each assessment is legally required
When a PIA is required
In the US, the E-Government Act of 2002 requires federal agencies to complete a PIA before developing or procuring IT systems that handle PII. Sector laws add their own triggers: the Health Insurance Portability and Accountability Act (HIPAA) drives privacy reviews in healthcare, and several US state laws, including the California Privacy Rights Act, require risk assessments before certain processing of consumer data. Outside these regimes, a PIA is typically discretionary, though it remains a sound part of any risk management routine.
When a DPIA is required
Under the GDPR, a DPIA is not optional once processing is likely to result in a high risk. Supervisory authorities treat large-scale processing of sensitive data, systematic monitoring of public areas, and systematic profiling with legal or similarly significant effects as clear triggers. Many automated decision systems fall squarely into that category, which is the first reason AI and privacy assessments began to overlap.
When a FRIA is required
Article 27 applies to a defined set of deployers of high-risk AI: bodies governed by public law, private operators providing public services, and deployers using high-risk systems for creditworthiness evaluation or for risk assessment and pricing in life and health insurance. The obligation applies from 2 August 2026. The deployer must perform the assessment before first use, keep it current as conditions change, and notify the market surveillance authority of the result using the official template.
How a privacy impact assessment connects to AI governance
Here is what the standard definitions leave out: the moment personal data flows through an AI system, a single project can trigger more than one assessment at once. A high-risk AI system that profiles people will often require a DPIA, because it processes personal data at high risk, and a FRIA, because it is a high-risk AI deployment in scope of Article 27.
These two are not duplicates, and one does not cancel the other. The European Commission’s guidance on the AI Act is explicit that the FRIA does not replace the existing data protection impact assessment that controllers must perform under data protection law. Article 27(4) frames the relationship the same way: where a DPIA already covers part of what the FRIA requires, the fundamental rights assessment complements the DPIA rather than absorbing it. A DPIA asks whether you are protecting personal data. A FRIA asks a wider question: whether the system is fair to the people it affects and whether they can contest its decisions.
The scope can widen further. The Council of Europe’s HUDERIA methodology assesses an AI system’s impact on human rights, democracy, and the rule of law, a lens that reaches past data privacy into discrimination, access to justice, and procedural fairness. For organizations outside the EU, or those that want a single defensible method, it offers a structured way to think about rights-level impact.
The practical consequence is organizational. The privacy officer who used to own the PIA and the AI governance owner who now owns the FRIA are assessing the same system from two angles. Running those reviews in disconnected spreadsheets invites gaps and contradictions. This is why regulated AI deployers increasingly govern data protection and fundamental rights assessments on one AI governance platform, so the evidence, risks, and mitigations stay consistent across both obligations.
How to conduct a privacy impact assessment, step by step
The method below works for a classic PIA and extends cleanly to AI systems.
- Define the scope. Describe the project, the categories of personal data involved, and the boundary of the assessment. For an AI system, add the model, its training data, and the decisions it automates.
- Map the data flows. Track where PII enters, where it is stored, how it moves, and who can access it, including third parties and vendors.
- Check accuracy and access. Confirm how data is kept accurate, how long it is retained, and which people or tools can reach it.
- Assess the risks. Weigh the sensitivity of the data and the likelihood and severity of harm. For AI, add the groups of people the system affects and the specific risks of unfair or harmful outcomes.
- Apply mitigations. Reduce what you collect, tighten retention, restrict transfers, and design human oversight for automated decisions.
- Document the outcome. Record residual risks and the measures taken. For a FRIA, this documentation is also what you notify to the market surveillance authority.
- Review on a schedule. Re-run the assessment when the system, the data, or the law changes. AI systems drift, so periodic review is not optional.
A practical tip for coordination: run these steps once and tag each finding by the obligation it satisfies, so a single workflow can feed a PIA, a DPIA, and a FRIA instead of three disconnected efforts. That is the model a purpose-built governance platform is designed to support.
FAQ
What is the purpose of a privacy impact assessment? The purpose of a privacy impact assessment is to identify and reduce privacy risk before a system handling personal data goes live. It documents how PII is collected, used, stored, shared, and disposed of, flags where individuals could be harmed, and records the measures taken to prevent that harm. It is a proactive control, not a post-incident report.
Is a privacy impact assessment legally required? It depends on who you are and where you operate. US federal agencies must run a PIA under the E-Government Act of 2002, and laws like HIPAA and several US state privacy statutes impose their own assessment duties. In the private sector outside those regimes, a PIA is often voluntary, but a related mandatory assessment, a GDPR DPIA or an AI Act FRIA, may still apply to the same project.
What is the difference between a PIA and a DPIA? A PIA is the broad term for any structured privacy review and is rooted in US federal practice, where it is often an internal tool. A DPIA is a specific legal requirement under Article 35 of the GDPR, mandatory when processing is likely to be high risk to people’s rights and freedoms, with prescribed contents. Put simply, every DPIA is a privacy assessment, but not every PIA meets the legal bar of a DPIA.
When must a PIA be conducted? A PIA should be conducted before a new system or process that handles personal data begins, and again whenever a material change alters how that data is collected or used. Running it early, at the design stage, is the point: the assessment is meant to shape the system before risks are baked in, not to document them afterward.
Does an AI system need a FRIA and a DPIA? Often, yes. A high-risk AI system that processes personal data can require a DPIA under the GDPR and a FRIA under Article 27 of the EU AI Act at the same time. The two overlap but are not interchangeable: the FRIA complements the DPIA and adds a fundamental rights lens. Deployers in scope should plan for both rather than assuming one satisfies the other.
What is a fundamental rights impact assessment? A fundamental rights impact assessment (FRIA) is a pre-deployment review required of certain deployers of high-risk AI under the EU AI Act. It describes how and where the system will be used, the people and groups it affects, the specific risks of harm, the human oversight in place, and the steps to take if risks materialize. The result is notified to the market surveillance authority, and the obligation applies from 2 August 2026.
Conclusion
The meaning of a privacy impact assessment has outgrown its original definition. It began as a US federal check on how agencies handle personal data, and it remains exactly that. But for any organization deploying AI, the term now sits at the head of a family of assessments: the PIA, the legally binding DPIA, and the new fundamental rights impact assessment under the EU AI Act. Treating them as one blurred concept is how compliance gaps open. Treating them as one coordinated workflow is how they close. Govern your data protection and fundamental rights assessments on the same high-risk AI system, in one place, with AI Sigil.