Category Archives: Impact, Risk and Measures

Standard about privacy

ISO, the International Organization for Standardization, has already issued a set of guidelines and frameworks that anticipate the European Regulation on privacy. The main standards already published are: ISO/IEC 29100:2011 Information technology – Security techniques – Policy framework; ISO/IEC 29101:2013 Information technology – Security techniques – Privacy architecture; ISO…

DPO duties and independence

In the latest version of the Privacy Regulation, the DPO role is not compulsory but optional for Data Controllers. The DPO is mandatory for all organizations of the European Union (agencies). The latest version of the Regulation also made certification optional. Organizations wishing to be certified should appoint a manager to lead the project…

The European Data Protection Supervisor opinion on the data protection reform

On August 6th the EDPS gave his opinion on the data protection reform. The full text is available on the Consilium web site. The EDPS points out five high-level requirements: a better deal for citizens, meaning simplicity in understanding what is personal information and in exercising their rights on personal data; all data processing should be both lawful and justified…

GDPR: ten steps to compliance

Following the European Parliament’s adoption of a “General Approach” in June 2015, negotiations over the regulation’s final form are in the pipeline. The adoption represents the final stage of the negotiations between the European Commission, the European Parliament and the EU Council of Ministers, which means the regulation is on track to be put in…

An international Privacy culture

The recent scandal of the data theft suffered by the Canadian extramarital dating website Ashley Madison caused astonishment and continues to have consequences: nearly 10 GB of data stolen by a hacker group, containing highly sensitive information about the private lives of the users involved, whose lives have nevertheless inevitably been affected merely for being part…

The PIA concept from directive 95/46 to the current draft of the EU – Conclusion

In two previous posts, I presented some ideas for the planning and execution of the PIA process and report. Risk assessment is a very useful tool for management decisions. Unfortunately, some promote overly complex risk assessment methods that don’t support any management decision, but only increase the time and effort for analysis and don’t…

The PIA concept from directive 95/46 to the current draft of the EU – Part 2

Further developments

After the first wave of PIA methods, in the last two years, further ideas have been proposed. Unfortunately, they introduce complexity instead of help for controllers, processors and operators. In 2014 the European Commission ruled on smart grids and promoted another model for PIAs. This model has theoretical errors (e.g. “feared events” and “threats”…

The PIA concept from directive 95/46 to the current draft of the EU – Part 1

First developments

Privacy impact assessment (PIA) is more and more cited in news and technical documents. This article is a first attempt to analyse the first significant contributions on this subject and makes no claim to completeness. The present EU Directive 95/46 on data protection requires data controllers and processors to have measures to “ensure…