Abstract
With the General Data Protection Regulation there will be a legal obligation for controllers to conduct a Data Protection Impact Assessment for the first time. This paper examines the new provisions in detail and examines ways for their successful implementation. It proposes a process which operationalizes established requirements ensuring the appropriate attention to fundamental rights as warranted by the GDPR, incorporates the legislation’s new requirements and can be adapted to suit the controller’s needs.
Notes
1. Note that Article 32(1)(b) GDPR, in addition to the classical security goals confidentiality, integrity, and availability, also stipulates the resilience of systems and services processing personal data as an objective.
Acknowledgement
This paper was partially funded by the European Commission under the 7th Framework Programme, grant agreement no. 261698 (SAPIENT project) and the Bundesministerium für Bildung und Forschung (German Federal Ministry of Education and Research) for the project Forum Privatheit – Selbstbestimmtes Leben in der Digitalen Welt (Privacy-Forum), www.forum-privatheit.de.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Bieker, F., Friedewald, M., Hansen, M., Obersteller, H., Rost, M. (2016). A Process for Data Protection Impact Assessment Under the European General Data Protection Regulation. In: Schiffner, S., Serna, J., Ikonomou, D., Rannenberg, K. (eds) Privacy Technologies and Policy. APF 2016. Lecture Notes in Computer Science, vol 9857. Springer, Cham. https://doi.org/10.1007/978-3-319-44760-5_2
DOI: https://doi.org/10.1007/978-3-319-44760-5_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-44759-9
Online ISBN: 978-3-319-44760-5
eBook Packages: Computer Science, Computer Science (R0)