The automation of privacy- and data protection impact ...
Dariusz KLOZA, István BÖRÖCZ and Marco GIACALONE
Vrije Universiteit Brussel (VUB)
Research Group on Law, Science, Technology & Society (LSTS)
Brussels Laboratory for Data Protection & Privacy Impact Assessments (d.pia.lab)
Salzburg, 23 February 2018
Universität Salzburg
21. Internationales Rechtsinformatik Symposion (IRIS) 2018
The automation of privacy- and data protection impact assessments
All about us
§ The Research Group on Law, Science, Technology & Society (LSTS) at the Vrije Universiteit Brussel (VUB), created in 2003
§ works predominantly in English
§ 47 full-time researchers
§ 3 spin-offs:
• Brussels Privacy Hub
• Privacy Salon
• Brussels Laboratory for Data Protection & Privacy Impact Assessments (d.pia.lab), created in 2015
§ 1st policy brief of d.pia.lab published in May 2017
Agenda
Friday, 23 February 2018
Universität Salzburg, Hörsaal 211
16:00 – 16:15 Introduction
16:15 – 16:45 Demonstrations
§ Georg Philip KROG – Signatu (NO)
§ Erwin RIGTER – Privacy Company (NL)
§ Robert SINDLINGER – OneTrust (DE)
16:45 – 17:00 Evaluation
§ Dariusz KLOZA, István BÖRÖCZ and Marco GIACALONE – VUB (BE)
17:00 – 17:15 Responses
17:15 – 17:20 Concluding remarks
17:20 – 17:30 Public discussion
Part 1: Introduction
a (good) D/PIA
(Kloza et al. 2017: 1)
Supporting the conduct of D/PIA
§ frameworks, handbooks, guidelines, manuals, …
§ templates, questionnaires
§ awareness-raising, education, training, …
§ academic & professional literature, policy documents, …
§ bilaterals, word-of-mouth
§ advice & feedback from DPAs (‘reference centres’)
§ software for the automation of D/PIA
§ …
Technology at the service of privacy governance & management
§ (data) privacy protection or (ab)use are both a part of its governance or management
§ governance/management for the benefit of the individual → protection
  § legal protections
  § organisational protections
  § technological protections, e.g. PETs incl. encryption
  § behavioural protections (Kloza 2017: 451-505)
§ governance/management for the benefit of an organization (public & private) → (ab)use
  § …
  § technology
  § IAPP: Privacy Program Management (PPM) and Enterprise Privacy Management (EPM)
  § NYMITY: Legal Research Software, Privacy Office Support Software, Privacy Management Software
  § …
§ nonmaleficence
§ beneficence
§ (over)exploitation
§ compliance
… contrast …
A (subjective) retroactive view…
[Timeline figure; years shown: 2011, 2016, 2017, 2018]
Automation: why particularly now?
§ top-down
  § regulatory requirements, such as the GDPR in the EU (May 2018)
  § ‘risk-based approach’ triggers resorting to risk management ‘tools’
  § novelties, such as data portability, DPIA, etc. trigger resorting to the use of technology
  § volume of personal data processed
  § difficulty & complexity related to such data handlings
  § (positive?) experience of the IT security & financial sectors
  § limited resources: time, money, manpower, knowledge & know-how
  § …
§ bottom-up
  § public awareness, such as the ramifications of data breaches
  § …
§ ‘privacy technology industry’
  § been around for many years
  § recently: nascent & changing market, but 100+ vendors identified thus far
Source: IAPP, Privacy Tech Vendor Report 2017
(Fazlioglu [IAPP] 20 Feb 2018)
Typology (1)
§ Privacy Program Management (PPM)
  § consent managers
  § incident response
  § website scanning / cookie compliance tools
  § data mapping
  § privacy assessment managers
§ Enterprise Privacy Management (EPM)
  § data discovery
  § activity monitoring
  § de-identification & pseudonymization
  § enterprise communications
  § data mapping
Source: IAPP, Privacy Tech Vendor Report 2017
Typology (2)
§ Legal Research Software [legal/regulatory information software]
  § understanding compliance
  § reading the laws
  § staying informed & informing others
  § …
§ Privacy Office Support Software
  § building/maintaining a structured privacy program
  § managing a privacy office team
  § benchmarking a privacy program internally and externally
§ Privacy Management Software
  § D/PIA
  § data mapping / data inventory
  § enterprise assessments
Source: NYMITY, 2018 Privacy Compliance Software Buyer’s Guide
Typology (3) – further criteria
§ software
  § privately vs. publicly developed; cf. CNIL
  § proprietary vs. open-source; paid vs. free
  § generic vs. bespoke
  § internally vs. cloud-hosted (SaaS); cf. EU/EEA/CH-hosted vs. hosted outside
  § front-end vs. back-end (modifiable, integrate-able, etc. vs. not)
  § comprehensive package (generic) vs. D/PIA solution only (specific)
§ addressees (1):
  § public vs. private sector, or both
  § sector-specific, e.g. health services, local government, …
  § lawyers, ‘privacy professionals’ (e.g. DPO), laymen
§ addressees (2) (product?):
  § organisation itself → product: software
  § law firm or ‘privacy consultancy’ → products: software & advice
§ aim:
  § regulatory compliance (e.g. exploitation of data, avoidance of fines, …) vs. beyond (e.g. ethics, social acceptability, reputation, CSR, …)
  § management/governance of data/informational privacy or beyond (cf. typologies of ‘privacy’)
§ …
Evaluation criteria
(Clarke 2011: 113) (NYMITY 2018: 17)
Levels:
1. Regulatory
  1a. Ideal D/PIA
  1b. Arts 35 & 36 GDPR
2. Technological
  2a. Quality attributes (general)
  2b. Specific functionality of the D/PIA software
(our own)
Level 1a: a (subjective) ideal D/PIA
1. Systematic process
2. Considers the relevant societal concerns
3. Not everything needs it
4. Uses the appropriate method
5. Includes recommendations
6. Constitutes best efforts obligations
7. Relies on sufficient knowledge and know-how
8. Documented
9. Deliberative
10. Accountable
11. Assessor is independent
12. Simple
13. Adaptive
14. Inclusive
15. Receptive
16. Grows in supportive environment
Level 1b: Art 35 & 36 GDPR
1. threshold
  § level 1: high risk
  § level 2: specific cases (3)
  § level 3: exclusion list
  § level 4: inclusion list
2. description
  § technical
  § contextual
3. assessment
  § necessity & proportionality
  § risks to the rights & freedoms of individuals
4. stakeholder consultation (when appropriate)
  § due respect for legitimate secrecy
5. contingency plan: measures envisaged to:
  § address the risks
  § ensure compliance with GDPR
6. re-visiting (when necessary)
7. prior consultation
  § high residual risk
  § possible ban of processing
8. DPO consultation
Level 2a: Software quality attributes (general)
Source: www.cse.dcu.ie
Level 2b: Specific functionality
… of D/PIA software
1. discoverability (marketing)
2. vendor/software reputation & trust
  § warranty, maintenance and support, escrow
3. affordability
  § pricing, financial model, cost-efficiency
4. usability
  § “effectiveness, efficiency and satisfaction” (ISO 9241)
5. multilingualism
6. security
  § ‘CIA triad’, protection of personal data, trade secrets, …
7. intellectual property rights
  § e.g. open access, outsourcing, 3rd party rights
… of D/PIA process within the software
1. process guidance & automation
2. flexible & customizable
3. multi-jurisdictional
4. educative-ness
5. (external) revision/validation/approval
6. audit log
7. reporting
8. data export
Part 2: Demonstrations
Part 3: Evaluation
§ comparing apples with oranges
§ with a bit of simplification, a 5-point evaluation scale:
  yes – affirmative
  no – negative
  1/2 – in-between
  ? – don’t know
  n/a – not applicable
Part 4: Responses
Part 5: Public discussion
Concluding remarks (1)
§ the stakes are high
  § “This is not bananas we are talking about.” (Spiros Simitis)
§ don’t trust blindly in the automation of anything, incl. that of D/PIA
  § ‘The world gets hung up on automation, partly because it sounds like it saves money, and partly because it saves having to think. It’s the difference between decision systems and decision support systems.’ (Roger Clarke)
  § ‘… under no circumstances should any organisation think it can pass its responsibilities off … to a piece of software.’ (Roger Clarke)
  § ‘A right to be assessed by a human.’ [provocative] (Niels van Dijk)
§ the added value of automation largely depends on the benchmark (template/questionnaire) chosen
Concluding remarks (2)
§ “From my experience there is no ‘silver bullet’ in tools for doing DPIA.” (Frank Dawson)
§ even if you ‘automate’, there is still a lot of room for improvement
  § beta versions; continuous development
  § need for collaborative development
  § integrate-ability between various types of assessments
§ practical yet essential matters:
  § which vendor to trust?
  § how to trust cloud-based solutions (security)?
  § in the EU: verification after 25 May 2018
(under construction)
A wish list: software that…
§ … aids the assessor and does not replace her (i.e. decision-making vs. decision-support)
  § helping to discover problems (risks, …)
  § suggesting solutions
§ … does not absolve the leadership from accountability
§ … ensures (formal) legal compliance (e.g. necessity, proportionality & risks in DPIA)
§ … offers usable documentation of the D/PIA process (e.g. a report for a DPA; abridged for the public)
§ …
@darekkloza @istvan_borocz @MarcoGiacalon
vub.ac.be/LSTS
dpialab.org
@dpialab
Thank you very much!