Towards An Automated AI Act FRIA Tool That Can Reuse GDPR's DPIA
This work addresses the need for automated compliance tools for AI developers and regulators under the EU AI Act, though it appears incremental as it builds on existing DPIA frameworks.
The paper tackles the AI Act's requirement for an automated Fundamental Rights Impact Assessment (FRIA) tool by analyzing how to reuse Data Protection Impact Assessment (DPIA) information, presenting FRIA as a 5-step process and discussing automation roles.
The AI Act introduces the obligation to conduct a Fundamental Rights Impact Assessment (FRIA), with the possibility to reuse a Data Protection Impact Assessment (DPIA), and requires the EU Commission to create an automated tool to support the FRIA process. In this article, we provide our novel exploration of the DPIA and FRIA as information processes to enable the creation of automated tools. We first investigate the information involved in DPIA and FRIA, and then use this to align the two to state where a DPIA can be reused in a FRIA. We then present the FRIA as a 5-step process and discuss the role of an automated tool for each step. Our work provides the necessary foundation for creating and managing information for FRIA and supporting it through an automated tool as required by the AI Act.