Data protection and privacy impact assessments: An instrument foreseen by the new European data protection regulation
Workshop at the 3rd European Technology Assessment Conference, Cork (Ireland), 17-19 May 2017
While the proliferation of technological innovation has made the processing of personal data by automated means ubiquitous, the enforcement of the individual's rights has not been at the forefront of concern. Carrying out a Data Protection (or Privacy) Impact Assessment, while keeping in mind its purpose of ensuring the protection of individual rights, can bridge this divide. In order to help organizations and enterprises assess the data protection impact of their processing of data, the new EU General Data Protection Regulation (GDPR), under the conditions of its Article 35, prescribes the execution of a Data Protection Impact Assessment (DPIA). A DPIA is an instrument to identify and analyse risks for individuals in their various roles (as citizens, customers, patients, etc.), which exist due to the use of a certain technology or system by an organization. On the basis of the outcome of the analysis, the appropriate measures to remedy the risks should be chosen and implemented (so-called "privacy by design"). Although DPIAs have been discussed for more than ten years, there has been no standard model of how to carry out such an assessment. By May 2018, when the GDPR comes into force, there need to be DPIA framework(s) that fulfil the legal requirements.
In the first part of the workshop (90 minutes), researchers and practitioners from several disciplines will present scientific findings on Privacy Impact Assessment and Data Protection Impact Assessment respectively. One aim is to learn from each other's approaches.
In the second part (60 minutes), a round table of stakeholders (policymakers, representatives of civil society and industry, etc.) will discuss their perspectives on the data protection impact assessment and to which extent scientific findings may help to deal with societal and political challenges.
Part 1: Presentations by
- Michael Friedewald, Fraunhofer ISI, Germany, Forum Privacy and Self Determined Life in a Digital World
- Raphaël Gellert/Niels van Dijk, Vrije Universiteit Brussel, Belgium, Brussels Laboratory for Data Protection & Privacy Impact Assessments
- Johann Čas, Austrian Academy of Sciences, Institute for Technology Assessment, Austria
Part 2: Round table with
- Andreas Krisch, President European Digital Rights (EDRi)
- Data Protection Authorities: Marit Hansen, ULD?; EDPS (who’s responsible for DPIA?)
- Policy Makers: Thomas Zerdick, EC (or even Paul Nemitz); Jan Philipp Albrecht/Ralf Bendrath, EP
- Industry: Siani Pearson, HP; Matthias Schunter, Intel
- ENISA (Stefan Schiffner), FRA (Vida Beresneviciute)