Article 27: fundamental rights impact assessments
Article 27 asks a specific set of deployers to think hard, before they switch a high-risk system on, about what it could do to people's rights.
Who it applies to
This one is narrower than most. It applies to public bodies and private providers of public services, and to deployers using high-risk systems for creditworthiness or credit scoring, or for risk assessment and pricing in life and health insurance.
If none of those describe you, a fundamental rights impact assessment is unlikely to be on your list.
When to do it
Before the first use of the system. It is a before-you-start step, not an after-the-fact review, because the whole point is to catch problems while you can still change course, add safeguards, or decide not to proceed.
If the way you use the system changes materially later, you revisit the assessment rather than treating the first one as done forever.
What it covers
The processes the system will be used in, how long and how often, and the people or groups who could be affected. Then the specific risks of harm to those people, the human oversight you have in place, and what you will do if a risk actually materialises.
It is meant to be concrete about your situation, not a generic statement. The value is in naming the real people affected and the real things that could go wrong for them.
After the assessment
Where required, notify the relevant market surveillance authority of the results, in the form they expect. The assessment is not purely an internal exercise; for the deployers it covers, the authority may want to see it.
Revisit it if the use changes in a way that matters, and keep the version history, so you can show how your thinking developed over time.
How it relates to a DPIA
If you have already carried out a data protection impact assessment under the GDPR, the two overlap a good deal, and one can build on the other rather than being done from scratch. Both ask who is affected and what could go wrong.
They are not the same document, though: the DPIA is about personal data, while the fundamental rights assessment is broader. See the guide on how the AI Act and GDPR fit together.
This guide is general educational information, not legal advice. For how the Act applies to your organisation, classify your systems and consult qualified counsel.
Put it into practice
Classify your AI systems against the Act and generate the documents this guide describes.