DPIA vs FRIA in hiring: how the two assessments differ and overlap
Michael
Founder, KimonRecruit
Published
A GDPR DPIA and an EU AI Act FRIA are different instruments that are often conflated. Here is how each applies to AI in hiring, where they overlap, and how to run them together.

Teams deploying AI in recruitment often ask whether their existing data protection impact assessment, the DPIA, covers the new fundamental rights impact assessment, the FRIA, introduced by the EU AI Act. The honest answer is that they are two different instruments with a large overlap. This article explains what each one is, how they differ for a hiring tool, and how to run them together without doing the work twice. It is a practical orientation, not legal advice; for your specific situation, speak to your own advisers.
What is a DPIA?
A data protection impact assessment is a GDPR instrument. Article 35 requires one where processing is likely to result in a high risk to the rights and freedoms of individuals, and Article 35(7) sets its minimum content: a description of the processing and its purposes, an assessment of necessity and proportionality, an assessment of the risks to data subjects, and the measures that address those risks. Article 35(3)(a) names the clearest hiring trigger: a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects or similarly significantly affect the person. Using AI to score, rank or filter candidates is typically that kind of processing. [Source: UK GDPR Article 35 and ICO guidance, ico.org.uk, accessed 2026-06-18.]
The DPIA's lens is data protection: lawful basis, data minimisation, accuracy, retention, the rights of the data subject, and the security of the processing.
What is a FRIA?
A fundamental rights impact assessment is an EU AI Act instrument, introduced by Article 27. It binds only certain deployers of high-risk AI systems. Under Article 27(1) as adopted, those are bodies governed by public law, private entities providing public services, and deployers of the creditworthiness and life or health insurance systems listed in Annex III points 5(b) and 5(c). A private employer using a recruitment tool (Annex III point 4) is therefore outside the FRIA duty unless it falls into one of those categories, although the general deployer obligations for a high-risk system still apply to it. Where the FRIA does apply, it must be completed before the system is put into use. Its lens is broader than data protection: it asks what harm the system could do to people's fundamental rights overall, with discrimination and unfair treatment central for a hiring use case. [Source: artificialintelligenceact.eu, Article 27, accessed 2026-06-18.]
The high-risk obligations that bring the FRIA into play for hiring currently apply from 2 August 2026. A provisional Digital Omnibus agreement of 7 May 2026 proposes deferring stand-alone Annex III systems to 2 December 2027, but it has not been adopted, so as of 18 June 2026 the 2 August 2026 date stands. [Source: Travers Smith, EU AI Act Service Desk, accessed 2026-06-18.]
How do the DPIA and FRIA differ?
The two assessments differ in their legal source, their lens, and who they bind.
| Dimension | DPIA | FRIA |
|---|---|---|
| Legal source | GDPR (Article 35) | EU AI Act (Article 27) |
| Primary lens | Risk to personal data and the rights of data subjects | Risk to fundamental rights from a high-risk AI system |
| Trigger | Processing likely to be high-risk to individuals | A caught deployer putting a high-risk system into use |
| Focus for hiring | Lawful basis, minimisation, retention, automated-decision rights | Discrimination, fairness, oversight, redress |
| Timing | Before the processing begins | Before the system is put into use |
In short, the DPIA asks "is this data processing lawful and safe?" while the FRIA asks "could this AI system harm people's rights, and how will we prevent that?"
Where do they overlap in hiring?
For an AI hiring tool the two assessments share a great deal of ground. Both care about the risk of unfair outcomes for protected groups. Both ask you to document the system, the people affected, the risks, and the mitigations. Both expect human oversight and a route to challenge a decision. The Act itself recognises this: Article 27(4) provides that where an obligation under Article 27 is already met by a DPIA carried out under Article 35 GDPR, the FRIA complements that DPIA rather than repeating the overlapping parts. [Source: artificialintelligenceact.eu, Article 27, accessed 2026-06-18.]
The practical implication is that you should not run them as two disconnected exercises. Build one shared evidence base: the system description, the affected-people analysis, and the bias-monitoring approach serve both. Then add the data-protection-specific analysis to the DPIA and the broader fundamental-rights analysis to the FRIA.
There are still differences worth keeping distinct. Discrimination is among the risks to rights and freedoms that GDPR Recital 75 names, but DPIA templates are organised around the data-protection principles, so a DPIA for a hiring tool can be signed off with only a passing look at whether the tool is discriminatory in outcome. A FRIA, by contrast, puts that fairness question at the centre. So a deployer who has only ever done a DPIA may have a real gap on the fundamental-rights side, and a deployer who reaches for a FRIA without a DPIA may miss the lawful-basis and retention questions that GDPR still demands. Neither instrument is a superset of the other, which is exactly why conflating them is risky: you can feel covered while a whole category of risk is unexamined.
A simple way to run both
Treat the DPIA as the data-protection chapter and the FRIA as the fundamental-rights chapter of one assessment file. Complete the shared sections once. Tag each remaining section to the instrument it belongs to. Keep both with your records, because if a hiring decision is ever challenged, contemporaneous assessments are what carry weight. Where your platform monitors outcomes across protected characteristics and keeps replayable scoring, both chapters draw on the same generated evidence rather than on a one-off manual reconstruction.
For the FRIA structure itself, read a fundamental rights impact assessment template for recruitment. For the oversight both assessments rely on, see human oversight requirements for AI in hiring.
Conflating the two is the common mistake. Treating them as one file with two chapters keeps them honest without doubling the work.
