Use: complete for any AI feature that meets a DPIA trigger or is screened high-risk, at the requirements/design stage and on material change. Owner: General Counsel + product owner. File alongside the DPIA and the model card. Frameworks: ISO/IEC 42001 A.5.2–A.5.5; EU AI Act Art. 27 (FRIA); complements the DPIA Procedure.
This template captures the AI-specific impact dimensions that a standard DPIA does not fully cover. Run it together with the DPIA (data-protection) and, for high-risk EU systems, as the basis of the Art. 27 FRIA. Replace every {{var}}.
1. System & context
- Feature / system: {{feature_name}} (link the model card)
- Intended purpose & decision supported: {{intended_purpose}}
- EU AI Act tier / Annex III screen: {{eu_ai_act_tier}}
- Affected individuals & groups: {{affected_individuals}}
- Deployment context & scale: {{deployment_context}}
2. Impact on individuals (A.5.4)
| Impact area | Description | Severity | Likelihood | Mitigation |
|---|---|---|---|---|
| Access to opportunity (employment) | {{opportunity_description}} | {{opportunity_severity}} | {{opportunity_likelihood}} | {{opportunity_mitigation}} |
| Dignity / autonomy | {{dignity_description}} | {{dignity_severity}} | {{dignity_likelihood}} | {{dignity_mitigation}} |
| Privacy | {{privacy_description}} | {{privacy_severity}} | {{privacy_likelihood}} | {{privacy_mitigation}} |
3. Impact on groups & fundamental rights (A.5.5 / FRIA)
- Risk of bias / discrimination: {{bias_risk}}
- Fundamental-rights considerations (EU): {{fundamental_rights}}
- Disproportionate impact on vulnerable groups: {{vulnerable_groups_impact}}
- Societal impact: {{societal_impact}}
4. Privacy impact
- Lawful basis & transparency: {{lawful_basis}} (cross-reference the DPIA)
- Data minimization & retention: {{minimization_retention}}
- Re-identification risk: {{reidentification_risk}}
5. Environmental impact
- Compute & energy profile: {{compute_profile}}
- Mitigations: {{environmental_mitigations}}
- Notes: for inference-only use of third-party hosted models, record that the environmental footprint sits primarily with the upstream provider; quantify where data is available.
6. Human oversight & redress
- Human-in-the-loop control: {{human_in_the_loop}}
- Subject redress: {{subject_redress}}
- Monitoring & re-assessment: {{monitoring_reassessment}}
7. Conclusion
- Overall residual impact: {{residual_impact}}
- Decision: {{decision}}
- Conditions & owners: {{conditions_owners}}
- Assessed by / date / approver: {{assessed_by}} / {{assessment_date}} / {{approver}}
Variables
| Variable | Description |
|---|---|
{{feature_name}} | Feature / system name |
{{intended_purpose}} | Intended purpose and decision supported |
{{eu_ai_act_tier}} | EU AI Act tier / Annex III screen |
{{affected_individuals}} | Affected individuals and groups (candidates, employees, protected classes, vulnerable groups) |
{{deployment_context}} | Deployment context and scale (jurisdictions, volume) |
{{opportunity_description}} | Access-to-opportunity impact description (e.g., ranking affects who is contacted) |
{{opportunity_severity}} | Access-to-opportunity severity |
{{opportunity_likelihood}} | Access-to-opportunity likelihood |
{{opportunity_mitigation}} | Access-to-opportunity mitigation (human oversight; alternative process) |
{{dignity_description}} | Dignity / autonomy impact description |
{{dignity_severity}} | Dignity / autonomy severity |
{{dignity_likelihood}} | Dignity / autonomy likelihood |
{{dignity_mitigation}} | Dignity / autonomy mitigation |
{{privacy_description}} | Privacy impact description (re-identification; profiling) |
{{privacy_severity}} | Privacy severity |
{{privacy_likelihood}} | Privacy likelihood |
{{privacy_mitigation}} | Privacy mitigation (deidentification; minimization) |
{{bias_risk}} | Risk of bias / discrimination (protected-class proxies; measured disparate impact — link the bias audit) |
{{fundamental_rights}} | Fundamental-rights considerations (non-discrimination, dignity, effective remedy, data protection) |
{{vulnerable_groups_impact}} | Disproportionate impact on vulnerable groups |
{{societal_impact}} | Societal impact (labor-market effects, chilling effects, misuse potential) |
{{lawful_basis}} | Lawful basis and transparency |
{{minimization_retention}} | Data minimization and retention |
{{reidentification_risk}} | Re-identification Audit result / N/A |
{{compute_profile}} | Compute and energy profile (own-trained vs hosted; relative training/inference footprint) |
{{environmental_mitigations}} | Environmental mitigations (efficient models, hosted/shared infrastructure, right-sizing) |
{{human_in_the_loop}} | Human-in-the-loop control (who reviews / can override; for which decisions) |
{{subject_redress}} | Subject redress (how an affected person contacts us / the deployer; ADMT opt-out) |
{{monitoring_reassessment}} | Monitoring and re-assessment (post-market monitoring cadence; re-assessment triggers) |
{{residual_impact}} | Overall residual impact (low / medium / high) |
{{decision}} | Decision (proceed / proceed with conditions / do not deploy) |
{{conditions_owners}} | Conditions and owners |
{{assessed_by}} | Person who performed the assessment |
{{assessment_date}} | Date of assessment |
{{approver}} | Approver |