A Process for Data Protection Impact Assessment Under the European General Data Protection Regulation

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9857)

Abstract

With the General Data Protection Regulation there will be a legal obligation for controllers to conduct a Data Protection Impact Assessment for the first time. This paper examines the new provisions in detail and examines ways for their successful implementation. It proposes a process which operationalizes established requirements ensuring the appropriate attention to fundamental rights as warranted by the GDPR, incorporates the legislation’s new requirements and can be adapted to suit the controller’s needs.

Notes

  1. Note that Article 32(1)(b) GDPR, in addition to the classical security goals confidentiality, integrity, and availability, also stipulates the resilience of systems and services processing personal data as an objective.

Acknowledgement

This paper was partially funded by the European Commission under the 7th Framework Programme, grant agreement no. 261698 (SAPIENT project) and the Bundesministerium für Bildung und Forschung (German Federal Ministry of Education and Research) for the project Forum Privatheit – Selbstbestimmtes Leben in der Digitalen Welt (Privacy-Forum), www.forum-privatheit.de.

Corresponding author

Correspondence to Felix Bieker.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Bieker, F., Friedewald, M., Hansen, M., Obersteller, H., Rost, M. (2016). A Process for Data Protection Impact Assessment Under the European General Data Protection Regulation. In: Schiffner, S., Serna, J., Ikonomou, D., Rannenberg, K. (eds) Privacy Technologies and Policy. APF 2016. Lecture Notes in Computer Science, vol 9857. Springer, Cham. https://doi.org/10.1007/978-3-319-44760-5_2

  • DOI: https://doi.org/10.1007/978-3-319-44760-5_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-44759-9

  • Online ISBN: 978-3-319-44760-5

  • eBook Packages: Computer Science, Computer Science (R0)
