Data protection and privacy impact assessments: An instrument foreseen by the new European data protection regulation (19 May 2017, 9:00 – 12:15 h)
Workshop at the 3rd European Technology Assessment Conference, Cork (Ireland), 17-19 May 2017
Organisers: Michael Friedewald, Fraunhofer Institute for Systems and Innovation Research ISI, Karlsruhe, Germany; Johann Čas, Walter Peissl, ITA, Austrian Academy of Sciences, Vienna, Austria; Raphaël Gellert, Niels van Dijk, Vrije Universiteit Brussel, Belgium
While the proliferation of technological innovation has made the processing of personal data by automated means ubiquitous, the enforcement of the individual’s rights has not been at the forefront of concern. Carrying out a Data Protection (or Privacy) Impact Assessment, while keeping in mind its purpose of ensuring the protection of individual rights, can bridge this divide. In order to help organisations and enterprises assess the data protection impact of their processing of data, the new EU General Data Protection Regulation (GDPR), under the conditions of its Article 35, prescribes the execution of a Data Protection Impact Assessment (DPIA). A DPIA is an instrument to identify and analyse the risks to individuals, in their various roles (as citizens, customers, patients, etc.), that arise from an organisation’s use of a certain technology or system. On the basis of the outcome of the analysis, the appropriate measures to remedy the risks should be chosen and implemented (so-called “privacy by design”). Although DPIAs have been discussed for more than ten years, there has been no standard model of how to carry out such an assessment. By May 2018, when the GDPR comes into force, there need to be DPIA framework(s) that fulfil the legal requirements.
Currently there are proposals by the French and UK Data Protection authorities, by the German “Privacy Forum” and others.
In the first part of the workshop (90 minutes) researchers and practitioners from several disciplines will present scientific findings on Privacy Impact Assessment and Data Protection Impact Assessment respectively. One aim is to learn from each other’s approaches.
In the second part (60 minutes) a round table of stakeholders (policymakers, representatives of civil society and industry, etc.) will discuss their perspectives on the data protection impact assessment and to what extent scientific findings may help to deal with societal and political challenges.
Part 1: Presentations by
- Michael Friedewald, Fraunhofer Institute for Systems and Innovation Research, Germany, Forum Privacy and Self Determined Life in a Digital World
  - Data Protection Impact Assessments: Opportunities, Barriers, Implementation
- Raphaël Gellert/Niels van Dijk, Vrije Universiteit Brussel, Belgium, Brussels Laboratory for Data Protection & Privacy Impact Assessments
  - Defining a risk to a right: Challenges and caveats
- Johann Čas, Austrian Academy of Sciences, Institute for Technology Assessment, Austria
  - An Impact Assessment of Impact Assessments: Can DPIAs really be effective?
Part 2: Round table with
- Andreas Krisch (European Digital Rights/EDRi)
- Massimo Attoresi (European Data Protection Supervisor/EDPS, tbc)
- Amelia Andersdotter (Former MEP/Pirates; dataskydd.net)
- Prokopios Drogkaris (European Network and Information Security Agency/ENISA)
- Michael Friedewald, Fraunhofer ISI
- Johann Čas, Austrian Academy of Sciences, Institute for Technology Assessment
- Raphaël Gellert/Niels van Dijk, Vrije Universiteit Brussel
moderated by Walter Peissl, Austrian Academy of Sciences, Institute for Technology Assessment
Issues for discussion
- Definition of risk and high risk?
- How to reconcile competing goals such as protecting fundamental rights vs. minimising risks under an economic rationale.
- How to involve citizens? How to enable a discussion between laypeople and experts? How to deal with the tension between individual rights vs. company interests in a process organised by the companies?
- Check-list approaches (prior-checking) vs. individual, in-depth assessment of each case
- Economics of DPIAs: costs; learning effects (i.e. cost reductions through standardised processes and specialised service companies); DPIA as a business enabler.
- What roles can/could a DPIA play beyond compliance?
- What methodology, if any, is best suited to assessing and measuring risks to fundamental rights and freedoms?
- Is there any experience we can gather in other fields?
- Implementation in practice: how should a DPIA concretely be implemented so that it functions as an early warning system, in particular having regard to its continuous and iterative nature?