Interactive Workshop on Data Protection Impact Assessment

Interactive Workshop on Data Protection Impact Assessment
A Hands On Tour of the GDPR's Most Practical Tool
IFIP Summer School 2017
Felix Bieker, Michael Friedewald and Marit Hansen

Workshop Structure
- Short Introduction to DPIA
- The Standard Data Protection Model and Risk Analysis
- Data Subject Participation
- Hands-On: Two Cases for Analysis
- Group discussions
- Presentation & Discussion

The General Data Protection Regulation
- Applicable May 2018
- Obligations for controllers:

What is a Data Protection Impact Assessment?
- Tool to implement controller obligations
- Starts before processing
- Continues over entire life cycle
- Ensures compliance
- Enables transparency for
  - Controller
  - Users
  - DPAs
- Analyses risks for rights and freedoms of individuals
- Mitigates these risks with technical and organizational measures

1. Preparation Phase
2. Execution Phase
3. Implementation Phase
4. Review Phase

1. Preparation Phase

2. Execution Phase

3. Implementation Phase
4. Review Phase

The Standard Data Protection Model
- Requirements of data protection
- Six protection goals (+ data minimisation as general requirement)
- Three components: Data, IT systems and processes
- Three protection levels for data (data subject's perspective)
- Work in progress: catalogue of reference protection measures
https://www.datenschutz-mv.de/static/ds/dateien/datenschutzmodell/sdm-methodology_v1_en1.pdf

Criteria: Six Protection Goals
- Classic IT security goals*): Confidentiality, Integrity, Availability
- Unlinkability, Transparency, Intervenability
- + Data Minimisation
*) From the data subject's perspective

Art. 5 GDPR and Protection Goals
Art. 5 para. 1: Personal data shall be:
- (a) processed (...) in a transparent manner in relation to the data subject ('transparency'); -> Transparency
- (b) collected for specified, explicit and legitimate purposes (...) ('purpose limitation'); -> Unlinkability
- (c) (...) limited to what is necessary in relation to the purposes for which they are processed ('data minimisation'); -> Data Minimisation
- (d) (...) Personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy'); -> Intervenability
- (f) (...) 'integrity and confidentiality'. -> Integrity, Confidentiality
- Implicitly: Availability

Risk Evaluation
- Difficult!
- Risk = Impact x Probability
- Proper assessment is paramount
- Recital 76: "The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk."

Examples of risks
Risk to the rights and freedoms of natural persons which could lead to physical, material or non-material damage:
- Discrimination
- Identity theft / fraud
- Financial loss
- Damage to reputation
- Significant economic or social disadvantage
- Deprivation of data subject's rights
- Prevention from exercising control over personal data

Protection Goals and Measures
- Data Minimisation (e.g. reduction of data/identifiability)
- Confidentiality (e.g. encryption, access control)
- Integrity, Authenticity (e.g. access control, digital signatures)
- Availability (e.g. redundancy, back-up)
- Unlinkability (e.g. separation, isolation, division of powers)
- Transparency, Auditability (e.g. logging, control of SysAdmin, documentation, user manuals, information and notification of users, access)
- Intervenability (e.g. rectification, erasure, complaint handling, change management, off-switch to deactivate/stop processing)

Data Protection Impact Assessment: Stakeholder consultation
Michael Friedewald, Fraunhofer Institute for Systems and Innovation Research
12th IFIP Summerschool Privacy and Identity Management
04 September, Ispra, Italy

Art. 35 (9) Stakeholder consultation
- No criteria, when involvement is appropriate...
- "(9) Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations."
- Backdoor to avoid involvement of people affected? Especially in sensitive areas

Consultation/participation
Consultation of affected people is always useful!
- Different views and assessment of risks
- Early identification of expectations, priorities of users
- Unexpected solutions
- Increases the quality of results
- Minimises unexpected and uncontrollable rejection by potential users
- Legitimises the DPIA

Views of the data subject
Who is affected? Who else has interests?
- Data subjects are in the focus of DPIA... but in different roles (citizens, consumers, employees, ...)
- Employees of manufacturers/operators (can be attackers at the same time!)
- Third parties, which are not directly involved in the data processing (bystanders, intelligence services)
If the data subject is not available:
- Consult their representatives: consumer protection organisations, works council, civil rights groups, ...
- Absolute minimum: Involve units that know the customers (sales, maintenance, etc.); this is no consultation in the strict sense!!!

The consultation process
Adequate involvement of these groups?
- Participatory (TA) methods (focus groups, citizens conference...) available, but
  - How to deal with business and corporate secrets?
  - How to assess immature or even embryonic systems?
  - How to address complexity of technology vs. understanding of laypeople?
  - Consultation fatigue
Success factors
- Clear commitment by the management to consider results
- Early timing, sufficient time and resources
- Avoid bias in selection of stakeholder (representatives)
- Good communication (about the features of the system to be assessed; between the participants; about the results of the consultation).

michael.friedewald@isi.fraunhofer.de
@MFriedewald / @ForumPrivatheit
www.forum-privatheit.de

Hands-On
- Discuss the cases in groups
  - Identify risks for individuals
  - Assess risks
- Time for discussion approx. 20 Mins.
- Presentation of results approx. 10 Mins.
- Further discussions

Thank you for your attention!
Marit Hansen, Landesbeauftragte für Datenschutz Schleswig-Holstein, marit.hansen@datenschutzzentrum.de
Felix Bieker, LL.M. (Edinburgh), Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, fbieker@datenschutzzentrum.de