Data Protection Impact Assessments under the GDPR

DPO Circle – Data Protection Day

Brussels – 12 December 2017

Upload: johan-vandendriessche

Post on 21-Jan-2018



DATA PROTECTION IMPACT ASSESSMENTS: A SUMMARY OVERVIEW

❖ Data Protection Impact Assessment (DPIA)
  • Who?
    • Controller
    • Processor?
  • When?
    • Likelihood of high risk
    • Mandatory cases (GDPR and supervisory authorities’ list)
    • Exemptions
    • Ad hoc assessment for all other cases
  • What?
    • Impact assessment (required content)
  • How?
    • Process & Methodology
    • Involvement of stakeholders
    • Involvement of DPO, if designated
    • Involvement of data subjects (or their representatives)


Source: F. Bieker e.a., “A process for Data Protection Impact Assessment under the European General Data Protection Regulation” in S. Schiffner e.a. (eds.), Privacy technologies and policy – 4th Annual Privacy Forum, Springer, 2016.

Source: CNIL, Etude d’impact sur la vie privée (EIVP) – Privacy Impact Assessment – Comment mener une EIVP, un PIA, June 2015, www.cnil.fr

STEP 1: IDENTIFY THE NEED FOR A DPIA

❖ Likelihood of high risk
  • Mandatory list
    • GDPR
      • Systematic and extensive evaluation of personal aspects based on automated processing leading to decisions producing legal effect or significantly affecting the data subject
      • Processing on a large scale of special categories of data or data relating to criminal convictions and offences
      • Systematic monitoring of publicly accessible area on a large scale
    • Public list by supervisory authorities
  • Exemptions
    • Public list by local supervisory authorities
  • Ad hoc assessment


STEP 1: IDENTIFY THE NEED FOR A DPIA

❖ Likelihood of high risk?
  • Combination of at least two of the following criteria?
    • Evaluation or scoring
    • Automated decision making with legal or similar significant effect
    • Systematic monitoring
    • Sensitive data
    • Data processed on a large scale
    • Matching or combining datasets
    • Data concerning vulnerable data subjects
    • Innovative use or applying technological or organisational solutions
    • International data transfers
    • Preventing the exercise of a right or the use of a service or a contract
  • Create a screening action for these criteria


STEP 2: PREPARE THE DPIA IN FUNCTION OF THE CONTEXT

❖ Preparatory steps to perform the DPIA
  • Create a team to perform the DPIA
  • Define the DPIA plan, including process and methodology
  • Allocate the necessary resources


STEP 3: PERFORM THE DPIA

❖ GDPR does not impose format or methodology, only minimum content
❖ Various methodologies are available, some explicitly mentioned in Article 29 WP opinion
  • France: CNIL (Evaluation d’impact à la vie privée)
  • UK: ICO (Data Protection Impact Assessment)
  • The Netherlands: Norea (Privacy Impact Assessment)
  • International: ISO 29134 (Privacy Impact Assessment)
❖ Practical advice
  • Choose a specific methodology
  • Create / use a template on the basis of the chosen methodology
  • Assess compliance with GDPR
  • Keep a register of all DPIAs and related decisions


STEP 3: PERFORM THE DPIA

❖ GDPR offers limited guidance
  • No specific format or methodology is imposed
  • Minimum DPIA content
    • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
    • an assessment of the necessity and proportionality of the processing operations in relation to the purposes
    • an assessment of the risks to the rights and freedoms of data subjects
    • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned


STEP 3: PERFORM THE DPIA

❖ Detailed DPIA report content overview
  • Introduction
  • DPIA scope
  • Description of the data processing activity
  • Description of the risk criteria
  • Stakeholders
  • Privacy requirements
  • Risk assessment
    • Risk sources
    • Threats
    • Likelihood
    • Impact
  • Risk evaluation
  • Risk treatment plan (risk reducing measures)
  • Decisions


STEP 3: PERFORM THE DPIA

❖ Report structure
  • Cover page with relevant identification data
  • Executive summary if appropriate
  • Introduction
  • DPIA report
❖ Introduction
  • Why?
  • When?
  • Who?
  • General information
  • References to applicable legislation and policies


STEP 3: PERFORM THE DPIA

❖ Description of the data processing activity
  • Nature, scope, context and purposes of the processing
    • Strong link with record of processing activities
  • A functional description of the processing operation
  • An overview of the assets used in the context of the processing activity
    • High-level description of hardware, software, networks, …
    • Location (location based risk elements and international data transfers)
  • Description of security measures in place
❖ Review of necessity and proportionality
  • Full review of data processing principles
  • Description of measures implemented to comply with data subject rights
  • Assessment of obligations in relation to data processors
  • Optionally: review of compliance with main controller obligations


STEP 3: PERFORM THE DPIA

❖ Risk assessment
  • Impact
  • Likelihood
❖ Model to assess impact
  • Individual risks and overall
  • Impact levels
    • Negligible (1): no effect on data subject or only minor inconvenience (e.g. waste of time, annoyance, …)
    • Limited (2): significant inconvenience (extra costs, loss of service, fear, serious stress, …)
    • Significant (3): significant consequences that data subjects may still overcome (consequences of identity theft, loss of employment, blacklisting, …)
    • Maximum (4): significant consequences that may be irreversible or that the data subject cannot overcome (long-term illness, inability to work, irreversible blacklisting, …)


STEP 3: PERFORM THE DPIA

❖ Model to assess likelihood
  • Negligible (1): threat does not appear possible or is at least very unlikely to happen
  • Limited (2): threat is difficult to realize
  • Significant (3): threat appears to be possible
  • Maximum (4): threat is easy to realize
❖ Risk criteria should keep the data subject's perspective in mind (restrictive approach by Article 29 Working Party)
❖ Risk is a combination of impact and likelihood
❖ Risk acceptance criteria
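As an added example that is not part of the original slides, the Step 1 screening rule (two or more WP29 criteria, mandatory and exemption lists) and the Step 3 impact/likelihood scales can be encoded in a small Python helper. The product combination rule, the acceptance thresholds and every function and criterion name are assumptions, since the slides leave the combination and acceptance criteria to the chosen methodology.

```python
# Added example, not from the slides. Assumes score = impact x likelihood and
# the acceptance thresholds in level(); all identifiers are hypothetical.
from dataclasses import dataclass

# The ten WP29 screening criteria from Step 1, as short keys.
WP29_CRITERIA = {
    "evaluation_or_scoring", "automated_decision", "systematic_monitoring",
    "sensitive_data", "large_scale", "matching_datasets", "vulnerable_subjects",
    "innovative_use", "international_transfer", "prevents_right_or_service",
}

def dpia_required(criteria_met, on_mandatory_list=False, on_exemption_list=False):
    """Step 1: exemptions first, then the GDPR / supervisory-authority lists,
    otherwise the rule of thumb that two or more criteria mean high risk."""
    unknown = set(criteria_met) - WP29_CRITERIA
    if unknown:
        raise ValueError(f"unknown screening criteria: {sorted(unknown)}")
    if on_exemption_list:
        return False
    return on_mandatory_list or len(set(criteria_met)) >= 2

@dataclass(frozen=True)
class Risk:
    name: str        # e.g. "Unauthorized access (confidentiality)"
    impact: int      # 1 negligible .. 4 maximum, the impact scale of the slides
    likelihood: int  # 1 negligible .. 4 maximum, the likelihood scale of the slides

    def __post_init__(self):
        if not (1 <= self.impact <= 4 and 1 <= self.likelihood <= 4):
            raise ValueError("impact and likelihood must be 1..4")

    def score(self):
        return self.impact * self.likelihood  # assumed combination rule

    def level(self):
        # Assumed acceptance criteria: 9+ (3x3 and up) is high and triggers
        # prior consultation; 4..8 must be treated; below 4 may be accepted.
        s = self.score()
        return "high" if s >= 9 else "medium" if s >= 4 else "low"

    def treat(self, impact_reduction=0, likelihood_reduction=0):
        """Residual risk after measures from the risk treatment plan (floor 1)."""
        return Risk(self.name, max(1, self.impact - impact_reduction),
                    max(1, self.likelihood - likelihood_reduction))

def prior_consultation_needed(residual_risks):
    """Step 4: any residual high risk means consulting the supervisory authority."""
    return any(r.level() == "high" for r in residual_risks)
```

The register of decisions the slides ask for in Step 4 would record, for each Risk, the initial level, the measures applied and the residual level returned by treat().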


STEP 3: PERFORM THE DPIA

❖ Identify the relevant/most likely risks (non-exhaustive)
  • Unauthorized access (confidentiality)
  • Unauthorized modification (integrity)
  • Loss or theft (availability and confidentiality)
  • Violations of proportionality principle (excessive personal data)
  • Violation of purpose limitation
  • Non-compliance with data subject rights
  • Absence of a lawful ground
  • Data retention issues


STEP 3: PERFORM THE DPIA

❖ Identify the relevant/most likely threats
❖ Assets
  • Hardware
  • Software
  • Persons
  • Documents
❖ Actions
  • Abnormal use / abuse
  • Damage
  • Espionage
  • Loss
  • Modification
  • Excessive use causing malfunction


STEP 3: PERFORM THE DPIA

❖ Risk reduction plan
  • List of measures that have been implemented to reduce risk
  • Recommendations for additional measures
    • Approval
    • Rejection (document decision on risk acceptance criteria)
    • Planning in function of risk assessment
  • Describe residual risk
    • If high, initiate prior consultation


STEP 3: PERFORM THE DPIA

❖ Do not forget to involve the interested parties
  • Questionnaires to stakeholders
    • Identify and assess risks
    • Risk perception
  • Advice from the DPO is a legal requirement (if designated)
    • Approval is not legally required
    • Document involvement (i.e. the advice of the DPO)
  • Views of the data subjects or their representatives, where appropriate
    • Document the views of these persons
    • Document the decision on the appropriateness of their involvement (or not)


STEP 4: FOLLOW-UP ON THE DPIA

❖ Create a register of DPIAs
  • Decisions not to perform a DPIA (analysis of “likelihood of high risk”)
  • DPIAs
    • Decisions to perform a DPIA
    • DPIA
❖ Publication of the DPIA
  • Recommended by Article 29 Working Party and various methodologies
  • Not a legal obligation
❖ Implement risk reducing measures recommended in the DPIA
  • Risk owner decision should be documented
❖ Prior consultation of supervisory authority?


STEP 5: AUDIT AND REVIEW THE DPIA

❖ Audit of the DPIA
  • Assessment of compliance with the DPIA findings
  • Assessment of compliance with the risk reducing measures (implementation plan)
  • Audit report
❖ Review of the DPIA
  • Assessment of required changes to the DPIA
    • Changes in legislation
    • Changes in the data processing activity
    • Technological changes
  • Review report and feedback to a DPIA review mechanism (DPIA lifecycle management)


CONCLUSION

❖ DPIA threshold criteria remain vague
  • Article 29 Working Party opinion offers some explanation
  • Some contradictions (one, two or more criteria?)
  • Are all criteria relevant?
❖ Large margin for the controller to determine process and methodology
  • Standards exist
    • CNIL and ISO appear to be the most detailed
    • CNIL and ISO largely correspond in relation to risk approach (criteria, impact, likelihood, threats)
    • CNIL offers a template / open source software tool
  • Think about using the annexes of both standards if you need to switch between French and English to limit translation cost/effort


GOOD LUCK WITH THOSE DPIAS!

Johan Vandendriessche
ICT & Data Protection Lawyer | Partner | External DPO | Erkelens Law
Visiting Professor ICT and Data Protection Law | UGent | HoWest

[email protected]