1 / 53

Topic 9 : Data Protection Impact Assessments

Topic 9 : Data Protection Impact Assessments. Guidance for using these slides ( remove before delivering ).

Download Presentation

Topic 9 : Data Protection Impact Assessments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Topic 9: Data Protection ImpactAssessments

  2. Guidance for using these slides (removebeforedelivering) These slides are meant to be easily adaptable to different audiences. To facilitate this, each slide is assignedto a specificaudience (see „relevant for:” in the notes). In the notes-section below each slide, you find an indication of the slide’s degree of difficulty [i.e. whether it is suited for data protection beginners or not], its target audience [everyone vs authorities, lawyers, data protection officers, etc.], and its degree of importance [whether it is essential that you deliver it, or if it can be removed without impacting the effectiveness of the training]. Prior to training delivery, please: Read the slides and the notesthoroughly Take a look at the readingmaterials – theyalsoservetoassistyou in your preparation Remove/hide the slides that you consider unnecessary [right click on the slide miniature on the left and click ‘hide slide’]. A provisionalcategorisation has beenmadebasedon the depth and importance of the respectivecontent Adjust slides to national or sectoral requirements Add content that you consider essential for your particular audience Feel free to replace the default layout with your organisation’s layout

  3. How to Read The Slides’ Colour Frames [Remove Before Delivering] Green – Is a basic slide: we encourage you to keep it Yellow – is a medium level slide: it is important, but does not jeopardise effectiveness if removed Red – is an advanced slide: consider adapting it to your audience, preparing your audience for it, or removing it if you deem it unnecessary Purple – advised adaptation: this slide should contain information regarding the national legislation complementing the EU Regulations; if the content regards a different Member State, we advise you replace it with the national, relevant content

  4. Speaker Name Title Department Contact details

  5. Table of content • Welcome and introduction • objectives • What is a DPIA, and why do we do them? • DPIA in practice • Success and failure • Understanding necessity, proportionality and risk in DPIA • Consultation and working with stakeholders • Tips and tricks on conducting a DPIA • Q & A • Wrap-up and feedback

  6. Objectives • Explain the core concepts of what a DPIA is, and when they are required. • Provide some guidance on assessing data protection risks and impacts • Point to sources of guidance • Provide some hints and tips from our DPIA experience

  7. Introductions What’s your level of experience and exposure with data protection? Have you carried out DPIAs before? Is there anything in particular you are hoping to get out of today?

  8. Table of content • Welcome and introduction • objectives • What is a DPIA, and why do we do them? • DPIA in practice • Success and failure • Understanding necessity, proportionality and risk in DPIA • Consultation and working with stakeholders • Tips and tricks on conducting a DPIA • Q & A • Wrap-up and feedback

  9. What is a Data Protection Impact Assessment? Any thoughts?

  10. What is a Data Protection Impact Assessment? • One of the novel elements of the GDPR. • Didn’t exist in the prior legislation • The Regulation introduces a new legal obligation for data controllers. • Had precursors in optional impact assessment exercises and methodologies. • E.g. Privacy Impact Assessments • Has a use beyond compliance...

  11. Information Commissioner’s Office’s perspective: “A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.” (ICO) “A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.” (also ICO)

  12. DPIA in the GDPR Recital 84: In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.

  13. DPIA in the GDPR Article 35(1) Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

  14. A brief history lesson Why assess impact?

  15. A brief history lesson • Historical precursors: • Environmental Impact Assessments / Environmental Impact Statements (1960s) • Social impact assessments (1980s) • Privacy impact assessments (PIA, 1990s-2000s)

  16. A brief history lesson • Predecessors to the DPIA • Information Matching Privacy Impact Assessments, Privacy Act, New Zealand (1993). • Article 20, Data Protection Directive 95/46/EC? (1995) • PIA requisite for project approval, Management Board Secretariat, Ontario, Canada (1998) • PIA Guide, Office of the Information and Privacy Commissioner (2001, 2010) • Privacy Impact Assessment Questionaire, Office of the Information and Privacy Commissioner, Alberta Canada, (2001) • PIA Handbook, Office of the Privacy Commissioner, New Zealand (2002, 2007) • E-Government Act, United States (2002) • PIA Guide, Office of the Victoria Privacy Commissioner (2004, 2009) • Privacy Impact Assessment Guide, Office of the Privacy Commissioner, Australia (2006, revised 2010) • Privacy Impact Assessment Handbook, Information Commissioner’s Office, UK (2007, 2009) • Data Handling Review, Cabinet Office UK (2008) • Madrid Resolution, International Conference of Privacy and Data Protection Commissioners (2009) • PIA Guidance, Health Information and Quality Authority, Ireland, (2010) • ISO29134 – Guidelines for Privacy Impact Assessment (2017).

  17. What is a DPIA?: Summary Process / exercise Systematic An assessment of risk (but not necessarily a “risk assessment” Legally required (for certain types of personal data processing) Opportunity to improve practices around privacy and handling of personal data.

  18. Questions?

  19. Table of content • Welcome and introduction • objectives • What is a DPIA, and why do we do them? • DPIA in practice • Success and failure • Understanding necessity, proportionality and risk in DPIA • Consultation and working with stakeholders • Tips and tricks on conducting a DPIA • Q & A • Wrap-up and feedback

  20. Potential to achieve DPIA potential and challenges • Protect social and data protection rights • Prompts reflection on technology development / procurement process. • Build in values • Support informed decision making • Early warning system • Input to Privacy-by-design • Prevent negative impact on organisation (e.g. reputation). • Demonstrates accountability • Allows stakeholders to have input • Sensitise multidisciplinary teams to data protection • Bureaucratic spread • Wasted effort • Token effort • Lack of integration with project management • Insular, minimum consultation • “Defensive” DPIA • Challenges to manage

  21. Do I need to do a DPIA? (threshold analysis). • Don’t always need to do a DPIA (not for every processing of personal data). • When? (according to GDPR, recitals 89 & 91). • Processing involves new technologies • When no DPIA has been done before • Long time since initial processing • Large scale processing operations • Considerable personal data • Regional, national or supranational level • Affect a large number of data subjects • New technology used at large scale • Taking decisions about natural persons based on systematic or extensive evaluation of personal aspects (profiling). • Processing special categories, biometric data, data on criminal convictions, • Monitoring public accessible areas on large scale • Any operations where a supervisory authority considers that processing is likely to result in high risks • where processing might prevent people exercising a right or using a service/contract. • Systematic / large scale

  22. Art 29 data protection working party DPIA criteria Evaluation or scoring, including profiling and predicting Automated-decision making with legal or similar significant effects Systematic monitoring Sensitive data or data of a highly personal nature Data processed on a large scale Matching or combining datasets Data concerning vulnerable subjects Innovative use or applying new technology or organisational solutions When the processing itself prevents data subjects from exercising a right or using a service or contract

  23. ICO DPIA screening checklist • We always carry out a DPIA if we plan to: • Use systematic and extensive profiling or automated decision-making to make significant decisions about people. • Process special category data or criminal offence data on a large scale. • Systematically monitor a publicly accessible place on a large scale. • Use new technologies. • Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit. • Carry out profiling on a large scale. • Process biometric or genetic data. • Combine, compare or match data from multiple sources. • Process personal data without providing a privacy notice directly to the individual. • Process personal data in a way which involves tracking individuals’ online or offline location or behaviour. • Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them. • Process personal data which could result in a risk of physical harm in the event of a security breach.

  24. ICO DPIA screening checklist (2/2) • We consider whether to do a DPIA if we plan to carry out any other: • Evaluation or scoring. • Automated decision-making with significant effects. • Systematic processing of sensitive data or data of a highly personal nature. • Processing on a large scale. • Processing of data concerning vulnerable data subjects. • Innovative technological or organisational solutions. • Processing involving preventing data subjects from exercising a right or using a service or contract. • We consider carrying out a DPIA in any major project involving the use of personal data. • If we decide not to carry out a DPIA, we document our reasons. • We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.

  25. [yourorganisation’sscreeningcheck-list] [pleasefill in this slide with information aboutyourorganisation’sinternalcheck list]

  26. When is a DPIA not required? A DPIA is not required in the following cases: where the processing is not "likely to result in a high risk to the rights and freedoms of natural persons" (Article 35(1)); when the nature, scope, context and purposes of the processing are very similar to the processing for which DPIA have been carried out. In such cases, results of DPIA for similar processing can be used (Article 35(1)18); where a processing operation has a legal basis in EU or Member State law and has stated that an initial DPIA does not have to be carried out, where the law regulates the specific processing operation and where a DPIA, according to the standards of the GDPR, has already been carried out as part of the establishment of that legal basis (Article 35(10))19; where the processing is included on the optional list (established by the supervisory authority) of processing operations for which no DPIA is required (Article 35(5)20). Such a list may contain processing activities that comply with the conditions specified by this authority, in particular through guidelines, specific decisions or authorizations, compliance rules, etc. (e.g. in France, authorizations, exemptions, simplified rules, compliance packs…). In such cases, and subject to re-assessment by the competent supervisory authority, a DPIA is not required, but only if the processing falls strictly within the scope of the relevant procedure mentioned in the list and continues to comply fully with the relevant requirements.

  27. Exercise: Threshold analysis • In groups of 4-5 • Pick a case study • Pick a threshold or screening criteria • National supervisory authority • Article 29 Working Party • Your organisation • Run the case study through the screening criteria, and decide if this case study requires a full DPIA? • Be prepared to justify your decision.

  28. Your DPIA process • The GDPR does not mandate a particular set process for a DPIA • Nor does ICO • It does set some requirements for a valid process. • This allows organisations to develop their own internal approach, provided it meets those requirements. • Allows for flexibility in terms of scope and scale. • Allows for alignment with existing project management approaches • So first step for many – check if your organisation has a process.

  29. Minimum requirements from GDPR Article 35(7) • A) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable the legitimate interests pursued by the controller; • Nature, scope, purposes of processing • Personal data, recipients, storage period • Functional description of the processing operation • Assets on which personal data rely are identified • B) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; • Measure to comply with GDPR are determined • Purpose, lawfulness and limited • Measures contributing to rights of data subjects • C) an assessment of the risks to the rights and freedoms of data subjects referred; • Origin, nature, particularity and severity of risks are taken into account • From perspective of data subject • Impacts in case of illegitimate access, undesired modification, disappearance of data? • Likelihood and severity estimated • D) the measures envisaged to address risks, including • safeguards, • security measures • mechanisms to ensure the protection of personal data • mechanisms to demonstrate compliance with the Regulation

  30. (Further) development of technical organisational system • Source: A Process for Data Protection Impact Assessment Under the European General Data Protection Regulation – Felix Baker, Michael Friedewald, Marit Hansen, Hannah Obersteller, Martin Rost (2016) Decision to implement a DPIA or change of circumstances since last DPIA Preparation stage Evaluation stage Report and safeguard stage Supervision and continuation Relevance threshold: Is a DPIA necessary? Catalogue of typical objectives, attackers and consequ-ences Catalogue of typical safeguards No Identification of protection goals Identification of appropriate safeguards Yes Documentation required Identification of potential attackers, motives and objectives Documentation of evaluation results in standard form Implementation of safeguards Define scope and identify DPIA team Identification of actors involved/ persons concerned Description of system, identification of data and data flows Identification of evaluation criteria and benchmarks DPIA report End of DPIA cycle Evaluation of risks Publication of DPIA report Identification of relevant legal requirements Auditing of evaluation results Documentation of tasks and issues

  31. The WP29 process

  32. The ICO process

  33. Assessing risk • Risk to the rights and freedoms of data subjects (people!) • Not organisational risk management • (e.g risk = we get fined by the DPA) • Start from the perspective of the data subject whose personal data is going to be processed. • Include other potentially impacted parties. • Requires sensitising yourself (or project team) to potential privacy risks.

  34. What's the biggest privacy harm that you have suffered? Discussion

  35. Common privacy risks and harms • Lack of consent • Lack of meaningful choice • Excessive surveillance • Power asymmetries • Manipulation (advertising, politics) • Allowing third party intrusion (e.g. government, criminals). • Function creep • Unjust inferences • Loss of anonymity • Reputation damage • Loss of confidentiality • Basing decisions on incorrect information (“weapons of math destruction”). • Increased vulnerability to cyber crime • Loss of data • Breaking commonly held assumptions about privacy • Lack of transparency • No responsibility for privacy • Data breach • Embarrassment / loss of dignity • Chilling effects • Reduction in autonomy / choice • Reduction in private space (physical, mental). • Social sorting / stereotyping • Discrimination • Prevention of ability to exercise rights • Prevention of ability to exercise data protection rights • Insufficient information about processing

  36. Exercise: privacy risk assessment In small groups Pick a case study Identify as many potential privacy risks

  37. Consultation The GDPR art 35(9) “Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.” ICO “Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?”

  38. Who to consult? • DPO • All internal functions involved in the project • CISO • Data subjects • Their representatives • Unions, student bodies, industry associations, collective bodies etc. • Potentially impacted third parties • (e.g. if data subjects get special treatment what about those people who might be excluded from a process?). • Processors • Technology/software vendors • Security and privacy experts • Ethicists, sociologists

  39. How to consult Surveys (quantitative or qualitative) In-depth interviews Focus groups / user panels Prototype demonstrations / mock-ups / walk throughs Service blueprints / storyboards Existing research on attitudes

  40. Questions?

  41. Table of content • Welcome and introduction • objectives • What is a DPIA, and why do we do them? • DPIA in practice • Success and failure • Understanding necessity, proportionality and risk in DPIA • Consultation and working with stakeholders • Tips and tricks on conducting a DPIA • Q & A • Wrap-up and feedback

  42. Involving the Data Protection Officer GDPR, Article 35 (2)  The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment. What advice should you be seeking? What questions could you ask? Can the DPO do my DPIA for me?

  43. The role of the statutory DPO The data controller (you) have an obligation to seek the statutory DPO’s advice when you carry out a DPIA  We can provide advice as to : whether you need to do a DPIA in the first place; The best approach and methodology to carry out the DPIA; If a combination of internal data protection staff and process owners can effectively carry out the DPIA vis-à-vis additional support is required; The market standard safeguards you can take into account to mitigate risks; Whether you’ve done the DPIA correctly, from a methodological and/or substantive point of view; Finally, it is our task to give green light as to whether the processing can go ahead and, if you decide against our advice, you should keep records of the reasoning behind this decision. We might, from time to time and in liaison with the internal UCAM data protection specialists (Knapton, Wheeler, Priestley) decide to audit the implementation of the DPIA outcomes. Note: the statutory DPO cannot perform a DPIA, as it would conflict with its statutory duties to oversight and approve DPIAs.

  44. Publishing your DPIA? • Reasons to publish • Demonstrate compliance • Transparency • Boost trust and confidence • Demonstrate respect for privacy and protection of personal data • To customers • To partner organisation • Reasons not to publish • Commercial sensitivity • Competitive advantage • Risk of cherry picking or misinterpreting the report. • “Cambridge University says its personal data processing poses a high risks to rights and freedoms!”

  45. Do I need to send the DPIA to the data protection authority? • No, unless… • The DPIA identifies a high risk, and you cannot take measures to reduce that risk. • You can’t being processing until you have consulted the supervisory authority. • DPAs have freedom to choose their preferred mean of submission of the DPIA (e.g. in the UK, via email). • Response is typically given within weeks, not days. • Advise if risks acceptable • Any further action • May advise not to carry out processing

  46. Information Commissioner’s Office DPIA guidance. General GDPR guidance: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/#dpia5 DPIA template: https://ico.org.uk/media/about-the-ico/consultations/2258461/dpia-template-v04-post-comms-review-20180308.pdf

  47. ISO/IEC 29134 – Guidelines for privacy impact assessment • Broader than DPIA • Framed within organisation risk management framework • International - Needs to be read alongside the GDPR • Does contain • Process guidance • What should be in the report • Risk assessment guidance • Generic threats • Criteria for assessing scale and likelihood of risk

  48. DPIA online tools: CNIL DPIA tool The French DPA, CNIL developed a software tool to support DPIA. It is open source, and freely available (in English, French & Italian). https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment

  49. Other useful sources of DPIA guidance PIA guidance Data protection authorities Professional literature Academic literature Other published DPIA Technology vendors/suppliers (caution)

More Related