The European privacy regulation (GDPR, Reg. UE 679/2016) requires, in Article 35, that controllers carry out, in certain cases, a Data Protection Impact Assessment (usually known as a Privacy Impact Assessment or, for short, PIA): a document reporting a risk assessment of the processing operations.
PIA is required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences;
- a systematic monitoring of a publicly accessible area on a large scale.
Supervisory authorities will publish lists of processing operations for which a PIA is mandatory.
GDPR prescribes 4 mandatory topics that a PIA report must address (a description of the processing operations; an assessment of the necessity and proportionality of the processing operations; an evaluation of the privacy risks; the security measures adopted to address those risks) and outlines the process to follow when carrying out a PIA (consult the DPO, if one is appointed; gather the views of interested parties; write the report; review the report periodically or whenever the processing operations change significantly).
Despite this guidance, many people still wonder how to carry out a PIA in practice.
The international standard ISO/IEC 29134, titled “Privacy Impact Assessment – Methodology”, is now at the final draft stage and will probably be published in spring 2017.
This standard proposes:
- a comprehensive process, split into 14 activities, including subsequent reviews;
- a table of contents with 6 items for the report;
- an example of how to estimate impacts.
We appreciate the attempt to show a method.
But the standard is somewhat confusing. For example, terms from ISO 31000 are not used consistently, and the risk assessment activities are mixed together. One might think this will not affect users, but eventually they will find the standard difficult to apply. For example, the terms “risk sources” and “threats” are used as if they were different (but they are the same if we follow the previous version of ISO/IEC 27001 or ISO 31000), and the examples given of “privacy risks” are in truth threats.
In addition, the standard:
- shows a list of about 50 threats to be evaluated against 2 parameters (“impact” and “likelihood”), for which a 4-value scale is given as an example;
- suggests the use of the forthcoming (probably at the end of 2017) ISO/IEC 29151 “Code of practice for personally identifiable information protection”, which can be cumbersome, considering that it uses the 114 security controls from ISO/IEC 27001 and adds some more.
Another, simpler approach is given by the publication “Conducting privacy impact assessments – code of practice” from the ICO, the UK privacy supervisory authority. In this case, the proposed process consists of 6 steps, corresponding to the 6 chapters that should appear in the PIA report. At the end of the publication there is a template for the PIA report.
The 6 steps are:
- Identify the need for a PIA;
- Describe the information flows;
- Identify the privacy and related risks;
- Identify and evaluate the privacy solutions;
- Sign off and record the PIA outcomes;
- Integrate the outcomes into the project plan.
Each of the 6 activities must be carried out after consulting internal and external stakeholders, as needed.
The ICO publication also proposes a list of 20 risks, to be analysed with a qualitative method, and a list of the 10 most important and realistic security measures.
Article written by Fabrizio Bottacin and Cesare Gallotti
Fabrizio Bottacin is a management engineer from Politecnico di Milano, with a PhD in industrial and ICT engineering, a post-graduate degree in “Digital forensics, privacy and data protection, cloud e cyber warfare” from the Università degli Studi di Milano, and a post-graduate degree in corporate accountability under Italian laws and regulations. He is a consultant in management improvement, compliance and risk management.
Cesare Gallotti provides consultancy, training and audit services for information security, quality, regulatory compliance (personal data protection, SOX, etc.), compliance with international standards (ISO 9001, ISO/IEC 27001, ISO/IEC 20000, ISO 22301, etc.), and process improvement.