Workshop Privacy Impact Assessments The NOREA-PIA: design and experience

Transcription

1 PI.lab: Privacy in 2014 Workshop Privacy Impact Assessments The NOREA-PIA: design and experience Wolter Karssenberg RE Member of the Knowledge Group Privacy Audits NOREA (NOREA is the professional association for IT-auditors in the Netherlands) Management Consultant and Co-owner Social Force (Social Force is an advisory firm in the field of reducing household debt, improving debt collection and protecting privacy) 1

2 NOREA-PIA background: Privacy is in the spotlight Corporate Social Responsibility / Competitive Edge Resolution Franken (First Chamber / Senate) Resolution Schouw and Elissen (Second Chamber / HoR) Coalition Agreement VVD/PvdA EU General Data Protection Regulation (LIBE compromise) Growing importance of privacy risk IT-auditors are increasingly asked to execute PIA s No Dutch PIA available Guide NOREA-members to execute PIA s 2

3 EU DPR (LIBE-compromise): Recital 71a: Impact assessments are the essential core of any sustainable data protection framework and Data protection impact assessments should consequently have regard to the entire lifecycle management of personal data Recital 74a: Impact assessments can only be of help if controllers make sure that they comply with the promises originally laid down in them. Data controllers should therefore conduct periodic data protection compliance reviews demonstrating that the data processing mechanisms in place comply with assurances made in the data protection impact assessment. 3

4 EU DPR (LIBE-compromise): Article 32/33: Data Protection Impact Assessments required for operations that present specific risks, e.g.: More than 5,000 data subjects Large scale filing systems with location data, data on children or employees Profiling on which measures are based that significantly affect the data subject Article 33a: Compliance review required at least every two years after carrying out a PIA demonstrating that the processing is in compliance with the PIA (immediately when there is a change in specific risks) 4

5 NOREA-PIA objectives: Systematically detecting the risks of privacy violation To which extend In which area s Documenting privacy risk exposure Contributing to avoiding or reducing privacy risks Define required action to mitigate detected privacy risks 5

6 NOREA-PIA objectives: Preventing costly (late stage) changes Reducing monitoring and enforcement impact Improving service Improving decision making Raising privacy awareness Improving project feasibility Strengthening customer/emloyee/citizen confidence Improving communication about privacy 6

7 NOREA-PIA privacy principles (OECD): OECD Privacy Principles Collection Limitation Principle Data Quality Principle Purpose Specification Principle Use Limitation Principle Security Safeguards Principle Openness Principle Individual Participation Principle Accountability Principle 7

8 NOREA-PIA structure: 1. Introduction: background and and interests 2. Process: steps and considerations 3. Questionnaire: questions and explanations 4. Annexes: terms and abbreviations 8

9 NOREA-PIA roadmap: Determine who will perform the PIA and how this should be done Gather relevant information about the project Enter the PIA questionnaire Assess the impact and define additional measures Write the PIA report Optional: perform an (independent) evaluation of the PIA 9

10 NOREA-PIA questionnaire: The initiative / the project Project type Data Stakeholders The data lifecycle Collect Utilize Store / delete Secure 10

11 The NOREA-PIA: experience NOREA-PIA pitfalls: Client: Ready for production, let s check privacy compliance with a PIA As small a scope as possible We ve executed a PIA, so we re compliant PIA professional: A fool with a tool is still a fool If all you have is a hammer, everything looks like a nail Hype Risk! 11

12 PIA- depth The NOREA-PIA: experience NOREA-PIA pitfalls expectation management: Part-scope compliance assessment Part-scope questionnaire Full scope compliance assessment Full scope questionnaire Discuss Refuse if necessary Explain! PIA-width 12

13 The NOREA-PIA: experience NOREA-PIA pitfalls expectation management: Important part of legislation is principle based, a.o.: Proportionality principle Subsidiarity principle 13

14 The NOREA-PIA: experience NOREA-PIA pitfalls expectation management: Development phase Exploitation phase Legal Quality PIA Development phase Partial scope 14

15 The NOREA-PIA: experience NOREA-PIA is a good tool, if Adequate expectation management Adequate integral Life Cycle Data Protection Management, e.g.: PIA update management (important design changes, before go-/nogo-decisions) Privacy by Design ISO2700x on ICT security Full-scope compliance assessments Accountability mgt (continuously enable the controller to demonstrate compliance) Integral part of the organization s Risk Management Strategy Adequate expertise management Adequate stakeholder management Adequate transparancy management 15

16 The NOREA-PIA: experience NOREA-PIA is a good tool, if Adequate professional conduct management (NOREA): Rules of the profession and code of conduct Guidelines and recommendations An independent tribunal for dealing with complaints and disputes Adequate change management: 2014: planned evaluation in conjunction with the Toetsmodel PIA (government) New legislation: security breach notification law, EU DPR, etc. Specific PIA s (e.g. via annexes)? (but: you re never going to be comlete ) Small scope PIA? (but: high risk for expectation gap) 16

17 PI.lab: Privacy in 2014 Workshop Privacy Impact Assessments The NOREA-PIA: design and experience NOREA-PIA: Wolter Karssenberg RE Phone: Linkedin: 17