A DPIA asks whether personal data processing is likely to create high risks for the rights and freedoms of natural persons, and how those data protection risks are assessed and mitigated. An AI Act risk assessment asks how an AI system should be classified, whether prohibited-practice concerns exist, which actor role the organization has, and what AI-specific governance duties must be addressed. A DPIA does not replace AI risk classification. AI risk classification does not replace a DPIA. Organizations need to run both where both are relevant — without conflating the two obligations.
A DPIA is about personal data processing risk
A DPIA is a data protection instrument. It focuses on processing operations involving personal data, especially where the processing is likely to result in a high risk to the rights and freedoms of natural persons. The GDPR logic is centered on data protection accountability. A DPIA may examine the nature, scope, context, and purposes of the processing; the necessity and proportionality; the risks to data subjects; and the measures used to address those risks.
For AI systems, a DPIA may become relevant where the system processes personal data in sensitive, large-scale, systematic, profiling-related, employment-related, monitoring-related, or decision-support contexts. But the DPIA remains a GDPR instrument. It does not automatically classify the AI system under the EU AI Act.
An AI risk assessment is about AI system governance
An AI Act risk assessment is centered on the AI system. It asks whether the system falls into AI Act scope, whether prohibited-practice concerns exist under Article 5, whether the system may be high-risk under Annex III, whether limited-risk transparency obligations apply, and which actor role the organization has in relation to the system.
This assessment may include privacy-related facts, but it is not limited to data protection. An AI system can be relevant under the AI Act even where GDPR is not the central issue. An AI system can also process personal data and require both AI governance and GDPR governance — and those obligations must then each be addressed in their proper structure.
The same system can trigger both assessments
Many AI systems sit at the intersection of GDPR and the EU AI Act. Examples include AI-supported recruitment tools, employee monitoring or productivity analytics, customer scoring systems, creditworthiness support tools, fraud detection systems, healthcare triage systems, education and assessment tools, and personalized customer interaction systems. Such systems may process personal data and create AI-specific governance duties at the same time.
The organization should not ask: "Do we need a DPIA or an AI risk assessment?" The better question is: "Does this AI system require data protection impact assessment, AI Act risk classification, or both?" The answer may be both.
A DPIA and an AI risk assessment produce different outputs
A DPIA should produce a privacy-risk record — showing what personal data is processed, why the processing is necessary, what risks exist for data subjects, what safeguards apply, which measures reduce risk, whether residual risk remains, and whether consultation or further review is required.
An AI risk assessment should produce an AI governance record — showing the AI system, intended purpose, prohibited-practice review, risk classification, actor-role context, obligation logic, evidence readiness, responsible roles, and approval status. These outputs should connect, but they should not collapse into one undifferentiated document. If the organization merges them completely, the DPIA may become overloaded with AI Act logic, and the AI governance record may ignore data protection depth. The result is neither strong privacy governance nor strong AI governance.
DPIA logic and AI Act logic ask different questions
A DPIA asks: What personal data is processed? Who are the data subjects? What is the lawful basis? Is the processing necessary and proportionate? What risks arise for rights and freedoms? Are data minimization, transparency, retention, access control, and security addressed? Is profiling or automated decision-making involved?
An AI risk assessment asks: Is this an AI system in the relevant regulatory sense? Is there prohibited-practice relevance? Does Annex III high-risk logic apply? Is the organization provider, deployer, importer, or distributor? Which AI Act obligations apply? Which evidence supports classification and obligations? Is human oversight required? Are transparency duties triggered? Who approves the AI governance decision? Both assessment types may discuss risk to individuals — but through different legal and operational lenses.
A DPIA cannot replace AI risk classification
A DPIA may include valuable information for AI governance — describing the system's purpose, affected persons, data categories, profiling logic, decision impact, safeguards, and residual risks. This information can support AI risk classification. But it does not automatically answer the AI Act questions. A DPIA may not determine whether Article 5 prohibited-practice concerns exist. It may not assess Annex III relevance. It may not identify provider or deployer obligations. It may not assign AI Act obligation areas. It may not create an AI-specific approval trail. A DPIA can support AI governance, but it should not replace it.
AI risk classification cannot replace a DPIA
The reverse is equally true. An AI risk assessment may classify a system, identify obligations, document actor role, and connect the system to evidence and approval. But that does not automatically satisfy GDPR accountability. If the system processes personal data, the organization may still need to assess data protection issues, document processing activities, review lawful basis, evaluate necessity and proportionality, consider data subject rights, assess transparency under GDPR, and review retention, processors, transfers, TOMs, and security measures. An AI Act record cannot simply absorb these questions without proper GDPR structure.
Where DPIA and AI risk assessment overlap
Although the two assessments are different, they often share evidence. The overlap can include: intended purpose; affected persons; data categories; sensitive data relevance; profiling logic; decision influence; human oversight; transparency information; vendor involvement; security measures; access control; logging; retention; risk mitigation; organizational responsibility; and audit trail. This overlap should be managed deliberately. The organization should not duplicate the same facts inconsistently across multiple systems. Connected records reduce the risk of contradictions between what the AI System Registry and the DPIA describe.
The AI System Registry should connect to GDPR records
A mature governance structure connects the AI System Registry with GDPR documentation. Where an AI system processes personal data, the AI system record should identify the relevant processing activity. The RoPA should show that AI is involved where relevant. The DPIA should connect to the AI system where the AI system creates or contributes to high privacy risk. TOM profiles should support both privacy and AI governance evidence where appropriate. Vendor governance should connect processors, AI providers, and subprocessors. The goal is not to merge all obligations — it is to make the relationship between obligations visible.
How to run both without conflating them
Organizations should follow a structured sequence. First, register the AI system to establish a governed record before assessment begins. Second, determine whether personal data is involved and link the system to the relevant GDPR processing activity if so. Third, perform AI compliance screening covering prohibited-practice review, risk classification, and actor-role assessment. Fourth, determine whether DPIA logic is required based on the nature, scope, context, purpose, and risk to natural persons. Fifth, connect shared evidence — where the same evidence supports both frameworks, it should be linked rather than blindly duplicated. Sixth, preserve separate outputs: the DPIA as a GDPR record, the AI risk assessment as an AI governance record. Seventh, create a unified audit trail so both assessments are reconstructable.
Conflating DPIA and AI risk assessment creates several governance weaknesses. The organization may assume GDPR work covers AI Act obligations, or that AI classification covers GDPR accountability. It may miss actor-role obligations, overlook prohibited-practice concerns, fail to document lawful basis, or produce a report that looks complete but does not answer either framework properly. In compliance, conceptual clarity matters. A connected governance system is stronger than a merged document.
How EAB connects DPIA and AI risk assessment
In EAB, DPIA and AI risk assessment remain distinct but connected. The AI System Registry creates the governed AI system record. Business Intake captures purpose, use case, affected persons, and organizational context. AI Screening evaluates prohibited-practice relevance, risk classification, actor role, and AI-specific obligations. The Obligation Matrix translates AI Act classification and actor role into obligation areas. The GDPR module supports processing activities, DPIA or DSFA logic, TOM profiles, vendor governance, and GDPR-related reports. Where the AI system processes personal data, the AI governance record can connect to the relevant GDPR records — allowing both assessments to inform each other without losing their distinct structure.
For a deeper look at how TOMs, processor governance, and vendor documentation become part of the AI evidence structure, see TOMs, Vendors, and AI Systems.