DariuszKLOZA,István BÖRÖCZ andMarcoGIACALONEVrijeUniversiteitBrussel(VUB)ResearchGrouponLaw,Science,Technology&Society(LSTS)BrusselsLaboratoryforDataProtection&PrivacyImpactAssessments(d.pia.lab)

Salzburg,23February2018UniversitätSalzburg

21.InternationalesRechtsinformatikSymposion(IRIS)2018

Theautomationofprivacy-anddataprotectionimpactassessments

All about us

§ TheResearchGrouponLaw,Science,Technology&Society(LSTS)attheVrijeUniversiteitBrussel(VUB),createdin2003

§ workspredominantlyinEnglish§ 47full-timeresearchers

§ 3spin-off’s:• BrusselsPrivacyHub• PrivacySalon• BrusselsLaboratoryforDataProtection&PrivacyImpactAssessments(d.pia.lab),createdin2015

§ 1st policybrief ofd.pia.lab publishedinMay2017

Agenda

Friday,23February2018Universität Salzburg,Hörsaal 211

16:00– 16:15 Introduction16:15– 16:45 Demonstrations

§ GeorgPhilipKROG – Signatu (NO)§ ErwinRIGTER – PrivacyCompany (NL)§ RobertSINDLINGER – OneTrust (DE)

16:45– 17:00 Evaluation§ DariuszKLOZA, István BÖRÖCZ andMarcoGIACALONE – VUB (BE)

17:00– 17:15 Responses17:15– 17:20 Concludingremarks17:20– 17:30 Publicdiscussion

robo

t!by

iwou

ldifi

coul

d

Part 1: Introduction

a (good) D/PIA

(Klozaetal.2017:1)

Supporting the conduct of D/PIA

§ frameworks,handbooks,guidelines,manuals,…

§ templates,questionnaires

§ awareness-raising,education,training,…§ academic&professionalliterature,policydocuments,…

§ bilaterals,word-of-mouth

§ advice&feedbackfromDPAs(‘referencecentres’)

§ softwarefortheautomationofD/PIA

§ …

Technology at the service of privacy governance & management

§ (data)privacyprotectionor (ab)usearebothapartofitsgovernance ormanagement

§ governance/managementforthebenefitoftheindividual→protection§ legalprotections§ organisationalprotections§ technologicalprotections,e.g.PETsincl.encryption§ behaviouralprotections(Kloza2017:451-505)

§ governance/managementforthebenefitanorganization(public&private)→(ab)use§ …§ technology

§ IAPP:PrivacyProgramManagement(PPM)andEnterprisePrivacyManagement(EPM)§ NYMITY:LegalResearchSoftware,PrivacyOfficeSupport Software,PrivacyManagementSoftware

§ …

§ nonmaleficence§ beneficence

§ (over)exploitation§ compliance

…contrast…

A (subjective) retroactive view…

2017 2018…… 2011 2016

Automation: why particularly now?

§ top-down§ regulatoryrequirements,suchastheGDPRintheEU(May2018)

§ ‘risk-basedapproach’triggersresortingtoriskmanagement‘tools’§ novelties,suchasdataportability,DPIA,etc.triggerresortingtotheuseoftechnology

§ volume ofpersonaldataprocessed§ difficulty&complexity relatedtosuchdatahandlings§ (positive?)experience oftheITsecurity&financialsectors§ limitedresources:time,money,manpower,knowledge&know-how§ …

§ bottom-up§ publicawareness,suchastheramificationsofdatabreaches§ …

§ ‘privacytechnologyindustry’§ beenaroundformanyyears§ recently: nascent&changingmarket,but100+vendorsidentifiedthusfar

Source:IAP

P,Priv

acyTechVendo

rReport2

017

(Fazlioglu [IAPP]20Feb2018)

Typology (1)

§ PrivacyProgramManagement(PPM)§ consentmanagers§ incidentresponse§ websitescanning/cookiecompliancetools§ datamapping§ privacyassessmentmanagers

§ EnterprisePrivacyManagement(EPM)§ datadiscovery§ activitymonitoring§ de-identification&pseudonymization§ enterprisecommunications§ datamapping

Source:IAP

P,Priv

acyTechVendo

rReport2

017

Typology (2)

§ LegalResearchSoftware[legal/regulatoryinformationsoftware]§ understandingcompliance§ readingthelaws§ stayinginformed&informingothers§ …

§ PrivacyOfficeSupport Software§ building/maintainingastructuredprivacyprogram§ managingaprivacyofficeteam§ benchmarkingaprivacyprograminternallyandexternally

§ PrivacyManagementSoftware§ D/PIA§ datamapping/datainventory§ enterpriseassessments So

urce:N

YMITY,20

18Priv

acyCo

mplianceSoftwareBu

yer’sGuide

Typology (3) – further criteria§ software

§ privatelyvs.publiclydeveloped;cf.CNIL§ proprietaryvs.open-source;paidvs.free;§ genericvs.bespoken§ internallyvs.cloud-hosted(SaaS);cf.EU/EEA/CH-hostedvs.hostedoutside§ front-endvs.back-end(modifiable,integrate-able,etc.vs.not)

§ comprehensive package(generic)vs.D/PIAsolutiononly(specific)

§ addressees (1):§ publicvs.privatesector,orboth§ sector-specific,e.g.healthservices,localgovernment,…§ lawyers,‘privacyprofessionals’(e.g.DPO),laymen

§ addressees (2)(product?):§ organisationitself→product:software§ lawfirmor‘privacyconsultancy’→products:software &advice

§ aim:§ regulatory compliance (e.g.exploitationofdata,avoidanceoffines,…)vs.beyond(e.g.ethics,socialacceptability,reputation,CSR,…)§ management/governanceofdata/informationalprivacyorbeyond(cf.typologiesof‘privacy’)

§ …

Evaluation criteria

(Clarke2011:113) (NYMITY2018:17)

Levels:

1.Regulatory1a.IdealD/PIA1b.Arts35&36GDPR

2.Technological2a.Qualityattributes(general)2b.SpecificfunctionalityoftheD/PIAsoftware

(ourown)

Level 1a: a (subjective) ideal D/PIA

1. Systematicprocess2. Considerstherelevantsocietalconcerns3. Noteverythingneedsit4. Usestheappropriatemethod5. Includesrecommendations6. Constitutesbesteffortsobligations7. Reliesonsufficientknowledgeandknow-how8. Documented9. Deliberative10. Accountable11. Assessorisindependent12. Simple13. Adaptive14. Inclusive15. Receptive16. Growsinsupportiveenvironment

Level 1b: Art 35 & 36 GDPR

1. threshold§ level1:highrisk§ level2:specificcases(3)§ level3: exclusionlist§ level4:inclusionlist

2. description§ technical§ contextual

3. assessment§ necessity&proportionality§ riskstotherights& freedoms

ofindividuals

4. stakeholderconsultation(whenappropriate)§ duerespectforlegitimatesecrecy

5. contingencyplan:measuresenvisagedto:§ addresstherisks§ ensurecompliancewithGDPR

6. re-visiting(whennecessary)

7. priorconsultation§ highresidualrisk§ possiblebanofprocessing

8. DPOconsultation

Level 2a: Software quality attributes (general)

Source:w

ww.cse.dcu.ie

Level 2b: Specific functionality

… ofD/PIAsoftware1. discoverability(marketing)2. vendor/softwarereputation&trust

§ warranty,maintenanceandsupport,escrow3. affordability

§ pricing,financialmodel,cost-efficiency4. usability

§ “effectiveness,efficiencyandsatisfaction”(ISO9241)5. multilingualism6. security

§ ’CIAtriad’,protectionofpersonaldata,tradesecrets,…7. intellectualpropertyrights

§ e.g.openaccess,outsourcing,3rd partyrights

…ofD/PIAprocesswithinthesoftware

1. processguidance&automation

2. flexible&customizable

3. multi-jurisdictional

4. educative-ness

5. (external)revision/validation/approval

6. auditlog

7. reporting

8. dataexport

Part 2: Demonstrations

Part 3: Evaluation

§ comparingappleswithoranges

§ withabitofsimplification,a5-pointevaluationscale:yes affirmative

no negative1/2 in-between

? don’tknow

n/a notapplicable

Part 4: Responses

Part 5: Public discussion

Concluding remarks (1)

§ thestakesarehigh§ “Thisisnotbananaswearetalkingabout.”(SpirosSimitis)

§ don’ttrustblindlyintheautomationofanything,incl.thatofD/PIA§ ‘Theworldgetshunguponautomation,partlybecauseitsoundslikeitsavesmoney,andpartlybecauseitsaveshavingtothink.It’sthedifferencebetweendecisionsystemsanddecisionsupportsystems.’(RogerClarke)

§ ‘…undernocircumstancesshouldanyorganisationthinkitcanpassitsresponsibilitiesoff…toapieceofsoftware.’(RogerClarke)

§ ‘Arighttobeassessedbyahuman.’[provocative] (NielsvanDijk)§ theaddedvalueofautomationlargelydependsonthebenchmark(template/questionnaire)chosen

Concluding remarks (2)

§ “Frommyexperiencethereisno‘silverbullet’intoolsfordoingDPIA.”(FrankDawson)§ evenifyou‘automate’,thereisstillalotofroomforimprovement

§ betaversions;continuousdevelopment§ needforcollaborativedevelopment§ integrate-abilitybetweenvarioustypesofassessments

§ practicalyetessentialmatters:§ whichvendortotrust?§ howtotrustcloud-basedsolutions(security)?

§ intheEU:verification after25May2018

(under construction)

A wish list: software that…

§ …aids theassessorandnotreplacesher(i.e.decision-makingvs.decision-support)§ helping discoveringproblems(risks,…)§ suggesting solutions

§ … doesnot absolvetheleadershipfromaccountability

§ …ensures (formal)legalcompliance(e.g.necessity,proportionality&risksinDPIA)

§ …offersusable documentationoftheD/PIAprocess(e.g.areportforaDPA;abridgedforthepublic)

§ …

dariusz.kloza@vub.beistvan.mate.borocz@vub.bemarco.giacalone@vub.be

@darekkloza@istvan_borocz@MarcoGiacalon

vub.ac.be/LSTSdpialab.org@dpialab

Danke schön!