Workshop Privacy Impact Assessments The NOREA-PIA: design and experience




PI.lab: Privacy in 2014

Wolter Karssenberg RE
Member of the Knowledge Group Privacy Audits, NOREA (NOREA is the professional association for IT auditors in the Netherlands)
Management Consultant and Co-owner, Social Force (Social Force is an advisory firm in the field of reducing household debt, improving debt collection and protecting privacy)

NOREA-PIA background:
Privacy is in the spotlight:
- Corporate social responsibility / competitive edge
- Resolution Franken (First Chamber / Senate)
- Resolution Schouw and Elissen (Second Chamber / House of Representatives)
- Coalition Agreement VVD/PvdA
- EU General Data Protection Regulation (LIBE compromise)
Growing importance of privacy risk:
- IT auditors are increasingly asked to execute PIAs
- No Dutch PIA was available
- Goal: guide NOREA members in executing PIAs

EU DPR (LIBE compromise):
Recital 71a: Impact assessments are the essential core of any sustainable data protection framework, and data protection impact assessments should consequently have regard to the entire lifecycle management of personal data.
Recital 74a: Impact assessments can only be of help if controllers make sure that they comply with the promises originally laid down in them. Data controllers should therefore conduct periodic data protection compliance reviews demonstrating that the data processing mechanisms in place comply with assurances made in the data protection impact assessment.

EU DPR (LIBE compromise):
Article 32/33: Data Protection Impact Assessments are required for processing operations that present specific risks, e.g.:
- More than 5,000 data subjects
- Large-scale filing systems with location data, data on children or data on employees
- Profiling on which measures are based that significantly affect the data subject
Article 33a: A compliance review is required at least every two years after carrying out a PIA, demonstrating that the processing is in compliance with the PIA (and immediately when there is a change in the specific risks)

NOREA-PIA objectives:
- Systematically detecting the risks of privacy violation: to what extent, and in which areas
- Documenting privacy risk exposure
- Contributing to avoiding or reducing privacy risks
- Defining the action required to mitigate detected privacy risks

NOREA-PIA objectives (continued):
- Preventing costly (late-stage) changes
- Reducing monitoring and enforcement impact
- Improving service
- Improving decision making
- Raising privacy awareness
- Improving project feasibility
- Strengthening customer/employee/citizen confidence
- Improving communication about privacy

NOREA-PIA privacy principles (OECD Privacy Principles):
- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification Principle
- Use Limitation Principle
- Security Safeguards Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle

NOREA-PIA structure:
1. Introduction: background and interests
2. Process: steps and considerations
3. Questionnaire: questions and explanations
4. Annexes: terms and abbreviations

NOREA-PIA roadmap:
1. Determine who will perform the PIA and how this should be done
2. Gather relevant information about the project
3. Complete the PIA questionnaire
4. Assess the impact and define additional measures
5. Write the PIA report
6. Optional: perform an (independent) evaluation of the PIA

NOREA-PIA questionnaire:
- The initiative / the project: project type, data, stakeholders
- The data lifecycle: collect, utilize, store / delete, secure

The NOREA-PIA: experience
NOREA-PIA pitfalls:
Client:
- "Ready for production, let's check privacy compliance with a PIA"
- As small a scope as possible
- "We've executed a PIA, so we're compliant"
PIA professional:
- A fool with a tool is still a fool
- If all you have is a hammer, everything looks like a nail
- Hype risk!

The NOREA-PIA: experience
NOREA-PIA pitfalls: expectation management
[Diagram: two axes, PIA depth (questionnaire versus compliance assessment) and PIA width (part scope versus full scope), giving four quadrants: part-scope questionnaire, part-scope compliance assessment, full-scope questionnaire, full-scope compliance assessment.]
Discuss. Refuse if necessary. Explain!

The NOREA-PIA: experience
NOREA-PIA pitfalls: expectation management
An important part of the legislation is principle-based, among others:
- Proportionality principle
- Subsidiarity principle

The NOREA-PIA: experience
NOREA-PIA pitfalls: expectation management
[Diagram: project timeline from development phase to exploitation phase, with legal and quality dimensions; a PIA performed in the development phase covers only a partial scope.]

The NOREA-PIA: experience
The NOREA-PIA is a good tool, if:
- Adequate expectation management
- Adequate integral Life Cycle Data Protection Management, e.g.:
  - PIA update management (important design changes, before go/no-go decisions)
  - Privacy by Design
  - ISO 2700x on ICT security
  - Full-scope compliance assessments
  - Accountability management (continuously enable the controller to demonstrate compliance)
  - Integral part of the organization's risk management strategy
- Adequate expertise management
- Adequate stakeholder management
- Adequate transparency management

The NOREA-PIA: experience
The NOREA-PIA is a good tool, if (continued):
- Adequate professional conduct management (NOREA):
  - Rules of the profession and code of conduct
  - Guidelines and recommendations
  - An independent tribunal for dealing with complaints and disputes
- Adequate change management:
  - 2014: planned evaluation in conjunction with the Toetsmodel PIA (government)
  - New legislation: security breach notification law, EU DPR, etc.
  - Specific PIAs (e.g. via annexes)? (but: you're never going to be complete)
  - Small-scope PIA? (but: high risk of an expectation gap)

NOREA-PIA: http://www.norea.nl/norea/actueel/nieuws/presentatie+pia.aspx
Wolter Karssenberg RE
Email: wolter.karssenberg@socialforce.nl
Phone: +31 6 22 39 37 49
LinkedIn: http://www.linkedin.com/in/wkarssenberg
Twitter: @WolterKarss