Use: complete for any AI feature that meets a DPIA trigger or is screened high-risk, at the requirements/design stage and on material change. Owner: General Counsel + product owner. File alongside the DPIA and the model card. Frameworks: ISO/IEC 42001 A.5.2–A.5.5; EU AI Act Art. 27 (FRIA); complements the DPIA Procedure.
This template captures the AI-specific impact dimensions that a standard DPIA does not fully cover. Run it together with the DPIA (data-protection) and, for high-risk EU systems, as the basis of the Art. 27 FRIA. Replace every {{var}}.

1. System & context

  • Feature / system: {{feature_name}} (link the model card)
  • Intended purpose & decision supported: {{intended_purpose}}
  • EU AI Act tier / Annex III screen: {{eu_ai_act_tier}}
  • Affected individuals & groups: {{affected_individuals}}
  • Deployment context & scale: {{deployment_context}}

2. Impact on individuals (A.5.4)

Impact areaDescriptionSeverityLikelihoodMitigation
Access to opportunity (employment){{opportunity_description}}{{opportunity_severity}}{{opportunity_likelihood}}{{opportunity_mitigation}}
Dignity / autonomy{{dignity_description}}{{dignity_severity}}{{dignity_likelihood}}{{dignity_mitigation}}
Privacy{{privacy_description}}{{privacy_severity}}{{privacy_likelihood}}{{privacy_mitigation}}

3. Impact on groups & fundamental rights (A.5.5 / FRIA)

  • Risk of bias / discrimination: {{bias_risk}}
  • Fundamental-rights considerations (EU): {{fundamental_rights}}
  • Disproportionate impact on vulnerable groups: {{vulnerable_groups_impact}}
  • Societal impact: {{societal_impact}}

4. Privacy impact

  • Lawful basis & transparency: {{lawful_basis}} (cross-reference the DPIA)
  • Data minimization & retention: {{minimization_retention}}
  • Re-identification risk: {{reidentification_risk}}

5. Environmental impact

  • Compute & energy profile: {{compute_profile}}
  • Mitigations: {{environmental_mitigations}}
  • Notes: for inference-only use of third-party hosted models, record that the environmental footprint sits primarily with the upstream provider; quantify where data is available.

6. Human oversight & redress

  • Human-in-the-loop control: {{human_in_the_loop}}
  • Subject redress: {{subject_redress}}
  • Monitoring & re-assessment: {{monitoring_reassessment}}

7. Conclusion

  • Overall residual impact: {{residual_impact}}
  • Decision: {{decision}}
  • Conditions & owners: {{conditions_owners}}
  • Assessed by / date / approver: {{assessed_by}} / {{assessment_date}} / {{approver}}

Variables

VariableDescription
{{feature_name}}Feature / system name
{{intended_purpose}}Intended purpose and decision supported
{{eu_ai_act_tier}}EU AI Act tier / Annex III screen
{{affected_individuals}}Affected individuals and groups (candidates, employees, protected classes, vulnerable groups)
{{deployment_context}}Deployment context and scale (jurisdictions, volume)
{{opportunity_description}}Access-to-opportunity impact description (e.g., ranking affects who is contacted)
{{opportunity_severity}}Access-to-opportunity severity
{{opportunity_likelihood}}Access-to-opportunity likelihood
{{opportunity_mitigation}}Access-to-opportunity mitigation (human oversight; alternative process)
{{dignity_description}}Dignity / autonomy impact description
{{dignity_severity}}Dignity / autonomy severity
{{dignity_likelihood}}Dignity / autonomy likelihood
{{dignity_mitigation}}Dignity / autonomy mitigation
{{privacy_description}}Privacy impact description (re-identification; profiling)
{{privacy_severity}}Privacy severity
{{privacy_likelihood}}Privacy likelihood
{{privacy_mitigation}}Privacy mitigation (deidentification; minimization)
{{bias_risk}}Risk of bias / discrimination (protected-class proxies; measured disparate impact — link the bias audit)
{{fundamental_rights}}Fundamental-rights considerations (non-discrimination, dignity, effective remedy, data protection)
{{vulnerable_groups_impact}}Disproportionate impact on vulnerable groups
{{societal_impact}}Societal impact (labor-market effects, chilling effects, misuse potential)
{{lawful_basis}}Lawful basis and transparency
{{minimization_retention}}Data minimization and retention
{{reidentification_risk}}Re-identification Audit result / N/A
{{compute_profile}}Compute and energy profile (own-trained vs hosted; relative training/inference footprint)
{{environmental_mitigations}}Environmental mitigations (efficient models, hosted/shared infrastructure, right-sizing)
{{human_in_the_loop}}Human-in-the-loop control (who reviews / can override; for which decisions)
{{subject_redress}}Subject redress (how an affected person contacts us / the deployer; ADMT opt-out)
{{monitoring_reassessment}}Monitoring and re-assessment (post-market monitoring cadence; re-assessment triggers)
{{residual_impact}}Overall residual impact (low / medium / high)
{{decision}}Decision (proceed / proceed with conditions / do not deploy)
{{conditions_owners}}Conditions and owners
{{assessed_by}}Person who performed the assessment
{{assessment_date}}Date of assessment
{{approver}}Approver

Cross-references