Universiteit Leiden ICT in Business

Privacy Maturity Model: Towards Privacy-by-Design Best Practices

Name: Xin Qi
Student-no: s1534408
Date: 18/07/2016
1st supervisor: Dr. Amr Ali-Eldin
2nd supervisor: Dr. Steve F. Foster
1st external supervisor: Dr. Haiyun Xu
2nd external supervisor: Dr. Bárbara Vieira

MASTER'S THESIS
Leiden Institute of Advanced Computer Science (LIACS)
Leiden University
Niels Bohrweg 1
2333 CA Leiden
The Netherlands


ABSTRACT

The rapid development of technologies has brought risks to data protection as a byproduct. Information Privacy therefore becomes increasingly crucial in the ICT environment. In this study, a Privacy Maturity Model is proposed to analyze real-world Privacy-by-Design best practices. Based on the ISO/IEC 29100 (2011) privacy principles, a checklist of Privacy-by-Design activities is generated. Furthermore, each activity is assigned a privacy maturity level. The model is analyzed by case studies, via a privacy questionnaire that measures the privacy aspects of ICT systems. We believe that the Privacy Maturity Model indicates a systematic way of advising modern organizations on how to get privacy right.

Keywords: Information Privacy; Data Protection; Privacy-by-Design; Privacy Maturity Model.


ACKNOWLEDGEMENTS

It is a great experience to live and study on a different continent. During the past two years that I have spent with the Master Program ICT in Business at Leiden University, many professors, lecturers and staff have been supportive to me. I appreciate them for the academic knowledge I obtained, the amazing business events I attended, and the kind help I received as an international student.

Living in a remote country yet with little homesickness, I would owe it to my family and friends. My family supported me both emotionally and financially, which made things so easy and comfortable. My friends, especially the ones I met in Holland, have added enjoyable flavors to my life. Besides, credits go to my ICTiB classmates from Leiden University as well as colleagues from Software Improvement Group B.V. (SIG); thanks to them, the previous two years were full of fun and inspiration.

At last, I would like to give my special thanks to my thesis advisors: Dr. Amr Ali-Eldin, my first university supervisor; Dr. Steve Foster, my second reader; Dr. Haiyun Xu, my first external supervisor at SIG; and Dr. Bárbara Vieira, my second external supervisor at SIG. They have sacrificed a great amount of time, from coaching me in the research design to reading my thesis and guiding me in writing. Their suggestions are always in time, and are more than valuable for me to conduct this six-month research.


TABLE OF CONTENTS

1. Introduction ..... 9
1.1. Privacy: State of the Art ..... 9
1.2. Research Questions ..... 10
1.3. Research Objectives and Contributions ..... 11
1.4. Research Methods ..... 11
1.4.1. Exploratory Study ..... 11
1.4.2. Literature Review ..... 12
1.4.3. Model Construction and Questionnaire Improvement (iterative) ..... 12
1.4.4. Data Collection and Interviews ..... 12
1.4.5. Data Analysis and Result Validation ..... 13
1.5. Organization of the Thesis ..... 13
2. Literature Review ..... 14
2.1. Privacy and its Principles ..... 14
2.2. Privacy-by-Design ..... 17
2.3. Privacy Impact Assessment ..... 18
2.4. Related studies on Privacy Maturity ..... 19
2.5. Maturity Model as an Analogue ..... 20
3. Development of Privacy Maturity Model ..... 21
3.1. The Merge of ISO 29100 Privacy Principles ..... 22
3.2. The Checklist of Privacy-by-Design Activities ..... 23
3.3. Privacy Maturity Levels ..... 28
3.4. The Privacy Questionnaire ..... 30
3.5. The Evaluation Framework ..... 33
3.5.1. Compliance with Privacy Maturity Levels ..... 33
3.5.2. The Action Plan ..... 38
4. Case Studies ..... 40
4.1. Outcomes of Case Study ..... 40
4.1.1. Case Study 1 ..... 41
4.1.2. Case Study 2 ..... 41
4.2. Feedbacks on the Privacy Maturity Model ..... 42
4.3. Findings from Case Studies ..... 43
4.3.1. Non-Compliance with Basic Activities ..... 43
4.3.2. The Non-Applicable Activities ..... 43
4.3.3. Overall Comparison on the Case Studies ..... 44
5. Discussions ..... 45
5.1. Refinement on the Privacy Maturity Model ..... 45
5.2. Improvement on the Evaluation Framework ..... 45
5.2.1. A Limited Number of Data Points ..... 46
5.2.2. The Partially Implemented PbD Activities ..... 46
5.2.3. Possibility of A Privacy Maturity Rating System ..... 47
6. Conclusions ..... 50
6.1. Privacy Requires a Proactive Thinking ..... 50
6.2. Improvement of the Privacy Maturity Model ..... 51
6.3. Limitations and Further Research ..... 52
References ..... 53
Appendices ..... 56
Appendix A: The Privacy Questionnaire ..... 56
Appendix B: The Invitation Letter ..... 57
Appendix C: The Mapping between PbD Activities and Questions ..... 58


LIST OF ABBREVIATIONS

AICPA/CICA: The American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants
BSIMM: Building Security-In Maturity Model
CMMI: Capability Maturity Model Integration
ENISA: European Network and Information Security Agency
GDPR: General Data Protection Regulation
ICT: Information and Communications Technology
ISO: International Organization for Standardization
IEC: International Electrotechnical Commission
OECD: Organization for Economic Co-operation and Development
OWASP: Open Web Application Security Project
(OWASP) ASVS: (OWASP) Application Security Verification Standard
PbD: Privacy-by-Design
PIA: Privacy Impact Assessment
PII: Personal Identifiable Information
PMM: Privacy Maturity Model
PRIPARE: PReparing Industry to Privacy-by-design by supporting its Application in REsearch
SDLC: Software Development Life Cycle
SNS: Social Networking Service


LIST OF FIGURES

Figure [3.1]. The Composition of the Privacy Maturity Model ..... 21
Figure [3.2]. Outline of the Privacy Questionnaire ..... 31
Figure [3.3]. The Composition of the Privacy Maturity Model ..... 34
Figure [4.1]. Process of Adopting the Privacy Maturity Model ..... 40


LIST OF TABLES

Table [2.1]. Matching of different versions of Privacy Principles ..... 17
Table [3.1]. Summarizing ISO 29100 Privacy Principles ..... 22
Table [3.2]. Privacy-by-Design Activities: Lawfulness & Consent (LC) ..... 25
Table [3.3]. Privacy-by-Design Activities: Data Minimization (DM) ..... 25
Table [3.4]. Privacy-by-Design Activities: Individual rights & Data Quality (IRDQ) ..... 26
Table [3.5]. Privacy-by-Design Activities: Purpose binding & limitation (PBL) ..... 26
Table [3.6]. Privacy-by-Design Activities: Transparency & Openness (TO) ..... 27
Table [3.7]. Privacy-by-Design Activities: Information Security (IS) ..... 27
Table [3.8]. Privacy-by-Design Activities: Accountability & Compliance (AC) ..... 28
Table [3.9]. A Comparison of Privacy Requirements ..... 29
Table [3.10]. Privacy Maturity Levels of PbD Activities ..... 30
Table [3.18]. Question Example 1: One Activity – Multiple Questions ..... 32
Table [3.19]. Question Example 2: Multiple Activities – One Question ..... 32
Table [3.20]. Question Example 3: System-specific Question ..... 33
Table [3.11]. Evaluation of Compliance: Lawfulness & Consent (LC) ..... 35
Table [3.12]. Evaluation of Compliance: Data Minimization (DM) ..... 35
Table [3.13]. Evaluation of Compliance: Individual rights & Data Quality (IRDQ) ..... 36
Table [3.14]. Evaluation of Compliance: Purpose binding & limitation (PBL) ..... 36
Table [3.15]. Evaluation of Compliance: Transparency & Openness (TO) ..... 37
Table [3.16]. Evaluation of Compliance: Information Security (IS) ..... 37
Table [3.17]. Evaluation of Compliance: Accountability & Compliance (AC) ..... 38
Table [4.4]. Privacy Maturity Levels: Organization X ..... 41
Table [4.5]. Privacy Maturity Levels: Company Y ..... 41
Table [5.1]. Evaluation of Compliance (Updated): Data Minimization (DM) ..... 45
Table [5.2]. The Transition Table for Privacy Star Rating ..... 48
Table [5.3]. Thresholds of Privacy Star Rating: Basic-focused ..... 48
Table [5.4]. Thresholds of Privacy Star Rating: Optimistic ..... 49
Table [5.5]. Thresholds of Privacy Star Rating: Stringent ..... 49


1. Introduction

1.1. Privacy: State of the Art

The rapid evolution of technologies, along with the explosive growth of the amount of data, has been changing the way we live. While enjoying the efficiency of newly available technologies, one thing that must not be neglected is the byproduct: risks to privacy.

Privacy breaches have been happening more often and bringing more severe results than we thought.¹ In December 2015, 191 million U.S. voters' information was uncovered by an independent computer security researcher: due to an incorrect configuration, the database was exposed on the open Internet, and it included names, phone numbers, emails, addresses, birth dates, and party affiliations [Finkle & Volz, 2015]. In March 2016, Verizon Enterprise Solutions, which conducts business in providing solutions for privacy breaches, claimed that it had suffered its own breach of the contact information of 1.5 million business customers [McGee, 2016]. In the first example, the individual victims panicked: if we look at the types of the leaked personal data, the chance of individuals being identified and tracked became extremely high. In the second example, Verizon's clients had to deal with potential risks such as fraud and phishing attacks. Facing privacy breaches, not only do the victims become weak; the organization which holds the data also has to pay a huge amount of compensation, not to mention the ruined reputation.

The mechanisms behind the internet encourage people to post more and share more, not only about themselves, but sometimes about other people as well. However, neither are a sufficient number of people aware of privacy issues (especially given that Social Networking Services (SNS) tend to be much more popular among younger generations [Pew Research Center, 2013]), nor are a sufficient number of SNS systems and applications designed with appropriate privacy protection methods. Let us take the example of Google. When using Google Maps to browse a location, the option to add a picture of that location can be easily found. A claim appears before uploading, saying the picture will be shared with the public. However, what happens if someone mistakenly uploads a selfie? An experiment has been conducted.² Google does not even remind the user whether the picture can still be removed (the answer is yes), not to mention respecting the consent choice of the user. Google could have done more, for instance, implementing facial-recognition techniques to ask the user "We have detected human face(s) in your picture. Do you still want to share this picture with the public?" Unfortunately, this is not the case; and this is just one of the countless examples where both service users and service providers happen to "forget" about privacy.

An inspiring piece of news in April 2016 is that the General Data Protection Regulation (GDPR) has been adopted by the European Council and the European Parliament [European Commission, 2016]. This marks a replacement of the data protection directive (Directive 95/46/EC), which already has a history of more than 20 years. Soon after the adoption of GDPR, Facebook launched a special version of its facial-recognition App in Europe and Canada. The special version was designed in alignment with privacy laws and regulations. However, part of the functionality of the original version had to be disabled due to the legal requirements [Kelion, 2016]. In fact, how to balance people's demand for using the service against pursuing a more mature level of privacy still remains a challenging topic.

¹ There are currently multiple online resources recording the data breaches that happened in recent years. One of the visualizations is available at: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

² A random location on Google Maps was picked. When a picture which contains recognizable human faces is selected, it will be automatically uploaded to the system, and the picture is almost immediately available for everyone who has access to Google.

1.2. Research Questions

Privacy is increasingly important to individuals as well as organizations. Information and Communications Technology (ICT) systems and applications should play a better role in protecting privacy-sensitive data. While existing privacy assessment methods address privacy protection at a broad organizational level (which will be elaborated in Chapter 2), the need has been arising for practical approaches that do justice to this emerging role of ICT applications. Hence, the overall research question has been defined as:

How to design a Privacy Maturity Model that is applicable to assess Privacy-by-Design best practices?

To answer the main Research Question step by step, three sub-questions have been further developed:

• What Privacy-by-Design activities shall be included in the model?
• To reach a certain privacy maturity level, what are the requirements, i.e. which Privacy-by-Design activities shall be implemented?
• Is the Privacy Maturity Model created in this research applicable, i.e. is the gap between the activities that companies/organizations are expected to do and what they actually do insignificant?

1.3. Research Objectives and Contributions

The research objectives are the following, each aligning with one sub-research question:

• Generate a concrete list of Privacy-by-Design activities.
• Derive the Privacy Maturity Model. That is, for each maturity level, define which Privacy-by-Design activities shall belong to that level.
• Assess the validity of the Privacy Maturity Model by case studies.

With the accomplishment of the research objectives, the Privacy-by-Design activities of an ICT system or application can be practically analyzed. The list of Privacy-by-Design activities will lead to suggestions on how to further improve the system to move towards a higher privacy maturity level.

The Privacy Maturity Model is crucial for raising privacy alarms throughout the entire Software Development Life Cycle (SDLC), and especially in the early stages. For companies and organizations, the model encourages them to proactively implement Privacy-by-Design. By having more safeguarded and trustworthy systems in the first place, the risk of paying unwanted costs (such as large amounts of compensation caused by privacy breaches) can be minimized.

1.4. Research Methods

1.4.1. Exploratory Study

This study aims to first gather a list of practical Privacy-by-Design activities, and later create the Privacy Maturity Model by mapping each activity to a proper maturity level. The actual performance of the model shall be assessed by feedback from real-world cases, and adjustments shall be made to the model whenever needed.

In order to inductively come up with an applicable Privacy Maturity Model, the research is designed as an analogue to both the Building Security-In Maturity Model version 6 [BSIMM6, 2015] and the OWASP Application Security Verification Standard version 3.0 [OWASP ASVS 3.0, 2015].

More detailed research steps are explained separately in the following sections.


1.4.2. Literature Review

The Privacy-by-Design activities shall be listed in a clear and structured way. Ahead of creating the model, several concepts need to be elaborated to avoid ambiguity in later stages: 1) relevant information privacy terminology, 2) various versions of widely accepted privacy principles, and 3) previous studies, i.e., Privacy Impact Assessment (PIA) frameworks/models. The results of the literature review will be presented in Chapter 2.

1.4.3. Model Construction and Questionnaire Improvement (iterative)

The Privacy Maturity Model, consisting of Privacy-by-Design activities, will be generated according to privacy principles. As the foundation of the model, the privacy principles used in this research will be based on an overall understanding of multiple existing privacy principles. Meanwhile, the construction of the model will be supervised by Software Improvement Group B.V. (SIG) experts.

The Privacy Maturity Model will contain a list of maturity levels, which act as measuring sticks for Privacy-by-Design activities. After that, an evaluation framework will be developed to analyze the actual performance of Privacy-by-Design activities. This means that when a real-world case is collected by the privacy questionnaire, we will be able to apply the evaluation framework to determine the privacy maturity levels for that specific case.

Finally, the Privacy Maturity Model will be validated via case studies. In this research, a privacy questionnaire is used to collect information about the reality (i.e. what Privacy-by-Design activities companies/organizations actually conduct, how these activities perform, etc.). Initially, SIG provides this research with a draft version of the questionnaire. Before sending out the copies to participants (i.e. SIG clients as well as external companies/organizations), the questionnaire needs to be revised to satisfy our research objectives. A thorough description of the design of the privacy questionnaire can be found in Chapter 4.1.

1.4.4. Data Collection and Interviews

The privacy maturity questionnaire needs to be filled in on a "one specific system per questionnaire" basis. When our participants feel it necessary, a semi-structured interview session will be arranged to discuss the content of the questionnaire. Participants shall be well informed that interviews will be recorded. The estimated number of participants for the purpose of model validation is 5–10 in total. That is, 2–3 participants per company/organization: at least one being the system designer/architect, and the other being the person in charge of the organization's privacy policy. In return, participants will receive a Privacy Maturity Report along with an interactive session.


1.4.5. Data Analysis and Result Validation

Based on the data collected from questionnaires as well as feedback from participants, the Privacy Maturity Model will be evaluated. The mapping between Privacy-by-Design activities and maturity levels might face slight adjustments, due to the feedback from respondents. SIG experts shall be invited to supervise any modifications to the Privacy Maturity Model.

1.5. Organization of the Thesis

The rest of the thesis is structured in the following way: Chapter 2 presents an overview of existing literature and studies in the field of privacy, which serves as the scientific foundation of our research. Chapter 3 explains the process of constructing the Privacy Maturity Model and the model itself. Chapter 4 describes the model validation by the analysis of real-world cases. Following is Chapter 5, where findings from case studies and possible improvements to the model are discussed. At last, the conclusion and the limitations of this study, as well as further research paths, can be found in Chapter 6.


2. Literature Review

This literature review builds a general research foundation by looking into a list of privacy-related issues and understanding them, such as privacy principles, the concept of Privacy-by-Design, and Privacy Impact Assessment. On the other hand, when reading about studies conducted on Privacy Maturity, insights as well as open questions popped up. Furthermore, to grasp the idea of how a maturity model works, other studies such as a process improvement program and security maturity models are reviewed as an analogue. Note that, although Banisar & Davies [Banisar & Davies, 1999] and later researchers claimed that privacy could be specified in different categories, the term is used to refer to information privacy (or, data protection) in our study.

2.1. Privacy and its Principles

Among the earliest privacy quotes, the most famous one describes privacy as the "right to be let alone" [Warren and Brandeis, 1890]. Privacy is such a common word in our society that giving an accurate definition of it becomes hard. Nevertheless, ISO/IEC 29100, also known as "the Privacy Framework" [ISO/IEC 29100:2011], has suggested a possible definition:

"Privacy is the concern of natural persons and organizations specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology (ICT) systems or services where privacy controls are required for the processing of Personally Identifiable Information (PII)."

That is, privacy requires the right people to conduct proper tasks towards specific pieces of personal information. Yet in another study [Schwaig, Kane & Storey, 2006], researchers argue that privacy in most contexts is no longer viewed as an absolute right, but must be balanced against the needs of society.

Privacy protection relies very much on following the instruction of privacy principles. In 1980, the Organization for Economic Co-operation and Development (OECD) [OECD, 1980] summarized 8 widely used privacy principles, and thus earned its global fame. The OECD privacy principles can be summarized as:

1. Collection Limitation: any collected data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2. Data Quality: personal data should be accurate, complete and kept up-to-date, and relevant to the purposes for which they are to be used and to the extent necessary for those purposes.


3. Purpose Specification: the purposes for personal data collection should be specified not later than at the time of data collection.

4. Use Limitation: personal data should not be disclosed, made available or otherwise used for purposes other than those specified (unless with the consent of the data subject, or by the authority of law).

5. Security Safeguards: data should be protected by reasonable security safeguards against risks such as loss, unauthorised access, destruction, use, modification or disclosure of data.

6. Openness: a general personal data policy should be introduced with openness on developments, practices and policies, for establishing the existence and nature of personal data, and the main purposes of their use, as well as the identification and usual residence of the data controller.

7. Individual Participation: the individual should have the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; to have communicated to him, data relating to him within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him; to be given reasons if a request is denied, and to be able to challenge such denial; and to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

8. Accountability: the data controller should be accountable for complying with measures which give effect to the principles stated above.

Three decades later, facing rapid changes of both society and technologies, OECD decided to publish an amended version in 2013, adding details to the principles. But this new version has not gained the same authority as the original one.

Apart from OECD, ISO/IEC 29100 defines 11 privacy principles for the privacy framework, which can be summarized as [ISO/IEC 29100:2011]:

1. Consent and choice: the PII principal's choice must be given freely, specific and on a knowledgeable basis;

2. Purpose legitimacy and specification: the purpose of data processing complies with applicable legislation and is communicated to the PII principal before collection;

3. Collection limitation: limit data collection to what is strictly necessary for the specific purpose (only collect the data indispensable for provisioning a particular service);

4. Data minimization: minimize the PII that is processed and avoid observability and linkability of the PII collected; delete and dispose of PII whenever the purpose for PII processing has expired;


5. Use, retention and disclosure limitation: limit the use, retention and disclosure of PII to specific purposes, unless a different purpose is required by law;

6. Accuracy and quality: PII processed must be accurate, complete and up-to-date;

7. Openness, transparency and notice: provide clear and easy to access information about policies, procedures and practices of PII processing;

8. Individual participation and access: provide PII principals the ability to access and review their own data; enforce access control;

9. Accountability: assign the task of implementing the privacy-related policies, procedures and practices to a particular individual within the organization; provide suitable training to the organization members handling PII;

10. Information security: enforce confidentiality, integrity and availability of PII; prevent unauthorised access, destruction, modification, disclosure and use of PII;

11. Privacy compliance: verify and demonstrate that PII processing meets data protection and privacy safeguarding requirements.

In addition, the European Network and Information Security Agency (ENISA) [Danezis et al., 2014] provides a list of 9 privacy principles, which is based on an understanding of the legal framework:

1. Lawfulness: data must be collected or processed either based on the data subject's explicit consent or because there is a legal obligation;

2. Consent: the data subject should give unambiguous and explicit consent on data collection and processing;

3. Purpose binding: a purpose must be well-defined for both data collection and processing;

4. Necessity & Data minimisation: only necessary data must be collected;

5. Transparency & Openness: privacy policies must be well defined and publicly known;

6. Rights of the individual: data subjects should have the right to access, change and delete (their own) collected data;

7. Information security: confidentiality, integrity and availability must be enforced;

8. Accountability: responsibilities for enforcing privacy policies should be clearly assigned to specific person(s) from the organisation;

9. Data protection by design and by default: data protection should be taken into account from the initial design phase of the system.

From the descriptions of the 3 groups of privacy principles, it is obvious that, in different versions, different names have been given to the same content, and this is a common situation. On the one hand, with a comparison of the descriptions, the ISO 29100 principles can be regarded as an extension of OECD's 8 principles. On the other hand, being an international standard, ISO 29100 describes privacy principles in a more structured and thorough way than OECD and ENISA. Therefore, to minimize ambiguity, this research will regard the ISO 29100 version descriptions as the foundation for creating the Privacy Maturity Model. The following table depicts a matching between ISO 29100 privacy principles and OECD as well as ENISA privacy principles. Although names in one specific row are different, they actually refer to the same content.

Table [2.1]. Matching of different versions of Privacy Principles

#  | ISO/IEC 29100 (2011)                     | Matching Privacy Principles in OECD (1980) | Matching Privacy Principles in ENISA (2014)
1  | Consent and choice                       | Collection Limitation, Use Limitation      | Consent
2  | Purpose legitimacy and specification     | Purpose Specification                      | Lawfulness
3  | Collection limitation                    | Collection Limitation                      | Purpose Binding
4  | Data minimization                        | Collection Limitation                      | Purpose Binding, Necessity and Data Minimization
5  | Use, retention and disclosure limitation | Use Limitation                             | Necessity and Data Minimization
6  | Accuracy and quality                     | Data Quality                               | -
7  | Openness, transparency and notice        | Openness                                   | Transparency and Openness
8  | Individual participation and access      | Individual Participation                   | Right of the Individual
9  | Accountability                           | Accountability                             | Accountability
10 | Information security                     | Security Safeguards                        | Information security
11 | Privacy compliance                       | -                                          | -
-  | -                                        | -                                          | Data protection by design and by default

2.2. Privacy-by-Design

The concept of Privacy-by-Design (PbD) was first developed in the 1990s. Over the years, it suggests that privacy can be better protected if it is embedded into the design specifications of technologies, business practices, and physical infrastructures³. Nowadays, because of the urgency in data protection, PbD has received even more proponents. ENISA is one of the organizations that advocate PbD. According to ENISA's definition, PbD is a process of implementing privacy and data protection principles, which involves not only technological but also organizational components [Danezis et al., 2014].

³ To view a detailed introduction to Privacy-by-Design, readers are suggested to visit: https://www.ipc.on.ca/english/privacy/introduction-to-pbd/

Privacy-Enhancing Technologies (PETs) are regarded as a toolkit to assist the implementation of PbD. PETs are defined as "coherent ICT measures that protect privacy by eliminating or reducing personal data, or by preventing unnecessary and/or undesired processing of personal data; all without losing the functionality of the data system" [Borking & Raab, 2001]. Standard technologies used for privacy protection are: pseudo-identity, encryption, digital signatures, privacy policy languages (P3P), etc. However, relying only on implementing PETs is far from sufficient to realize PbD [Heurix et al., 2015].

2.3. Privacy Impact Assessment

In the European Data Protection Directive [Directive 95/46/EC, 1995], Recital 71a claims: "Data protection impact assessments should consequently have regard to the entire lifecycle management of personal data".

One widely accepted deliverable of privacy safeguarding requirements is the Privacy Impact Assessment (PIA). Being a risk assessment tool for decision-makers, a PIA is able to address legal as well as moral and ethical issues, and it helps to ring the privacy alarm for organizations at the planning stage [Flaherty, 2000]. A PIA checklist can be found at the Dutch Professional Association for IT-auditors (NOREA)⁴. This PIA checklist is based on the OECD privacy principles.

Up until today, more and more countries and alliances have set regulations to enforce PIA as a mandatory process.

In the report of Paul de Hert and his colleagues [De Hert, Kloza & Wright, 2012], the authors mentioned that PIA could run the risk of being too complicated and burdensome for organizations to conduct actual privacy acts. It is a fact that a PIA will lead to increasing cost, which depends on the complexity and seriousness of the privacy risks. However, researchers hold an optimistic view on PIA, because a PIA is valuable in reducing cost in terms of management time, legal expenses, and potential media or public concerns [Wright, 2013]. A 16-step optimized PIA methodology is also proposed in the same paper as an outline.

⁴ A presentation on NOREA PIA (cache): https://webcache.googleusercontent.com/search?q=cache:naeZQ1PHSr8J:https://www.pilab.nl/wp-content/uploads/2013/12/2013-12-05-PIL-Presentatie-PIA-namens-NOREA.pdf+&cd=6&hl=en&ct=clnk&gl=nl&client=safari

2.4. Related studies on Privacy Maturity

An ideal Privacy Maturity Model (PMM), in our opinion, should be more down-to-earth. It should be able to first suggest practical PbD activities, and then examine how the privacy in an organization performs according to the maturity level of each activity that is defined in the PMM. The PMM will then pragmatically guide the organizations to implement privacy by design and by default, and thus benefit the control of PII.

Nowadays, due to the urgency of data protection, the number of studies that desire to analyze privacy activities and their maturity levels keeps increasing, and it becomes common to use the term "Privacy Maturity Model". However, these studies either focus on a relatively narrow domain, such as the study of A Privacy Maturity Model for Cloud Storage Service [Revoredo et al., 2014], or merely function as a legislation/management-oriented PIA. The PMM proposed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants [AICPA/CICA, 2011] is a good example of high-level guidelines, rather than a practical model that is easy to follow.

In addition to that, there also exist several published studies that use the terms PIA and PMM interchangeably. One example is the Privacy Maturity Assessment Framework of the New Zealand government [New Zealand government, 2014 (1) & (2)]. While the document claims itself to be "simple, pragmatic, and easy to use", the content does not reflect that, unless the user is enthusiastic about reading through pages of policies. Actually, this PMM contains more general risk-reducing strategies for decision makers, rather than an easy-to-follow action plan on PbD activities.

Moreover, Hinde proposed a PMM for assessing South African organizations' information privacy on the topic of Protection of Personal Information (PoPI) [Hinde, 2014]. But the emphasis of this dissertation was still privacy policies, and some discussions seemed to be too wide and off-topic.

To the best of our knowledge, a Privacy Maturity Model that assigns maturity levels to PbD activities according to their real performance still does not exist. Therefore, it is crucial to introduce such a model that can really assist organizations to recognize the maturity level of their privacy, to compare with same-industry organizations, or to implement sufficient PbD activities for a certain privacy maturity level.


2.5. Maturity Model as an Analogue

Developed by Carnegie Mellon University, the Capability Maturity Model Integration (CMMI) is used for process improvement by a wide range of domains and industries. CMMI v1.3 [CMMI v1.3, 2011] mentioned five maturity levels, namely Initial, Managed, Defined, Quantitatively Managed, and Optimizing. Maturity levels in different process areas may vary. For example, Risk Management has been integrated with maturity level three, while Organizational Performance Management has been integrated with maturity level five.

Apart from CMMI, two security maturity models have also been examined in order to develop the Privacy Maturity Model as an analogue. The first one is the Application Security Verification Standard 3.0, which provides a basis for testing web application technical security controls, as well as a list of secure development requirements for developers [OWASP ASVS 3.0, 2015]. OWASP ASVS v3.0 defined three levels for application security verification, and each level contains a list of security requirements. To reach a certain level, the software under analysis should comply with all requirements under that level.

The second security maturity model is the Building Security In Maturity Model 6, which pays more attention to the management side of software security. By interviewing both security experts and 78 firms, BSIMM6 defined 4 domains for the Software Security Framework (SSF), namely: Governance, Intelligence, Secure Software Development Lifecycle (SSDL) Touchpoints, and Deployment. Each domain contains 3 practices and several software security activities. The SSF includes 112 activities in total, and each activity is assigned a certain maturity level according to its actual performance in the firms. Therefore, BSIMM can help organizations compare their software security maturity levels to those of others [BSIMM6, 2015].


3. Development of Privacy Maturity Model

The Privacy Maturity Model is valuable in examining to which level Privacy-by-Design is embedded into real-world ICT systems. Of course, in reality, not all organizations are expected to achieve the same level of privacy maturity. For instance, while the privacy requirements for a library registration system may just be ranked as average among different industries, an insurance application system should reach a higher level of privacy maturity, since it collects, stores and processes much more sensitive PII (such as health conditions and bank details of individuals). But being a measuring instrument, the Privacy Maturity Model can benefit all organizations, i.e. they can receive not only a clear view of the status quo of their own system's privacy maturity, but also instruction on how to better conduct activities to pursue a higher privacy maturity level.

As Figure 3.1 shows, the Privacy Maturity Model is formatted as a Privacy-by-Design checklist, in which different categories of PbD activities are arranged under the privacy principles they belong to. The ISO 29100 privacy principles are summarized and known as SIG privacy principles (which will be explained in Chapter 3.1). Furthermore, the model defines a list of maturity levels which increase in depth. Each PbD activity is assigned one of the maturity levels.

Figure [3.1]. The Composition of the Privacy Maturity Model

The following sections will explain the construction of the Privacy Maturity Model step by step.


3.1. The Merge of ISO 29100 Privacy Principles

An upfront and consistent understanding of privacy principles is valuable for a later attempt to generate PbD activities. Thus, the aim of this section is to provide the foundation for our study in terms of privacy principles.

It is obvious that ISO 29100's 11 privacy principles are more or less overlapping with each other in content. To enhance the consistency of our work, the 11 ISO 29100 principles have been grouped into 7 by an interpretation of the descriptions in the ISO 29100 Privacy Framework. Besides, the result of the grouping is also aligned with ENISA's 9 privacy principles.

Table [3.1]. Summarizing ISO 29100 Privacy Principles

| ISO 29100 Privacy Principle | Summarized Privacy Principle (SIG Principle) | collection | process | protection |
|---|---|---|---|---|
| Consent and choice; Purpose legitimacy and specification | Lawfulness & Consent | x | | |
| Data minimization | Data Minimization | x | | |
| Individual participation and access; Accuracy and quality | Individual Rights & Data Quality | x | | |
| Collection limitation; Use, retention and disclosure limitation | Purpose Binding & Limitation | | x | |
| Openness, transparency and notice | Transparency & Openness | | x | |
| Information security | Information Security | | | x |
| Privacy compliance; Accountability | Accountability & Compliance | | | x |

The above table indicates a way of merging the ISO 29100 principles, with the aim of minimizing the overlaps and redundancy.

• Consent and choice and Purpose legitimacy and specification are merged into Lawfulness & Consent, which means that PII should be collected with either the consent of the data subject or law requirements;

• Data Minimization remains Data Minimization, which means only necessary PII should be collected;

• Individual participation and access and Accuracy and quality are merged into Individual Rights & Data Quality, which means PII should be kept up to date, and data subjects should be allowed to add, change or delete associated PII;

• Collection limitation and Use, retention and disclosure limitation are merged into Purpose Binding & Limitation, which means PII being collected should have a well-defined purpose as well as binding with the law requirements;

• Openness, transparency and notice becomes Transparency & Openness, which means the purposes of PII collection and processing should be publicly known;

• Information security remains Information Security, which means the confidentiality, integrity and availability of system information should be enforced;

• Finally, Privacy compliance and Accountability are merged into Accountability & Compliance, which means the privacy-related responsibilities should be assigned and enforced.

The columns "collection", "process" and "protection" refer to the main stages where PII is involved. On a most-relevant basis, the merged principles are mapped onto these stages. In the PII collection stage, the principles that apply are: Lawfulness & Consent, Data Minimization, and Individual Rights & Data Quality. Later, when PII is being processed, the principles that apply are: Purpose Binding & Limitation and Transparency & Openness. Apart from PII collection and processing, PII protection must also not be neglected, and the principles that apply are: Information Security and Accountability & Compliance.

3.2. The Checklist of Privacy-by-Design Activities

In the ISO/IEC 29100 document, each privacy principle is followed by several suggestions, sometimes along with a few lines of description. For a specific privacy principle, the suggestions bring up guidelines for the adherent design and implementation of ICT systems; and the description instructs on how to conduct privacy-preserving activities, and sometimes contains additional information about legislation.

However, for a rather large number of organizations, the systematic implementation of PbD activities still remains pretty vague, because these organizations either do not have sufficient time/personnel to derive a to-do list by themselves, or conduct merely PIA and/or privacy auditing instead of Privacy-by-Design. Thus, a doable checklist of PbD activities becomes a premise for these organizations to get privacy right.


The checklist was generated iteratively. The following paragraphs explain the construction of the PbD checklist. The overall checklist is provided at the end of this section.

The original version of the PbD checklist was purely based on an interpretation of the ISO 29100 privacy principles, and contained 92 activities in total. Later, the size of the checklist expanded to 108: on the one hand, with a comparison between the ISO 29100-based activities and PRIPARE's suggestions on PbD activities [Le et al., 2015 (Annex B)], a few activities that were initially missing in our checklist but mentioned by PRIPARE were adopted. Some activities were also renamed according to the PRIPARE paper to enhance clarity. On the other hand, given the necessity of taking into account what is actually being conducted in reality, several activities were generated from a comprehension of the privacy policies of world-leading companies/organizations. 5 different industries were chosen: Communications, Accommodations, Banking, Transportation, and Consulting. All of the chosen companies/organizations have their operations bound by the European legal framework. In case of any future updates, the examined privacy policies have been archived.

A discussion with SIG's experts revealed that a number of PbD activities in checklist version 2 were overlapping with each other. The reason behind this problem was that, although these activities were lying under different ISO 29100 privacy principles, they actually described similar situations. Hence, the overlapping activities were either merged into one, or redefined to be distinctive from each other. In addition, SIG's experts considered that some activities generated from the policies were only applicable in one or two specific industries. Therefore, a few activities were removed due to their inapplicability in more than half of the industries that were looked into (that is, more than 3 out of 5).

The following tables present an overview of the finalized checklist.


Table [3.2]. Privacy-by-Design Activities: Lawfulness & Consent (LC)

| Activity ID | Lawfulness & Consent (LC) |
|---|---|
| LC1 | Allow PII principal to freely opt-in and opt-out |
| LC2 | Define lawful purposes for collecting and processing PII before PII collection |
| LC3 | Notify PII principals about mandatory collection of PII (e.g. for legal purpose) |
| LC4 | Ensure PII principals understand the privacy policies before providing consent without special knowledge |
| LC5 | Provide easy to access and understandable information regarding PII collection |
| LC6 | Display notifications of privacy policies at the entrance of physical locations where PII is collected |
| LC7 | Collect PII in a privacy friendly way |
| LC8 | Specify the tracking technologies that have been used (cookies, web beacons, clicking behavior, etc.) for PII collection |
| LC9 | Notify PII principals that providing additional PII (e.g. for marketing purpose) is optional |
| LC10 | Obtain consent before using or disclosing PII |
| LC11 | Make provisions for PII principals to withdraw consent |
| LC12 | Inform PII principals about the consequences of approving or declining the consent |
| LC13 | Offer equitable conditions to PII principals who do not consent to provide PII |
| LC14 | Conduct activities on any PII only with user consent or on a legal basis |

Table [3.3]. Privacy-by-Design Activities: Data Minimization (DM)

| Activity ID | Data Minimization (DM) |
|---|---|
| DM1 | Minimize PII collected for each purpose |
| DM2 | Separate the storage of PII collected from different sources |
| DM3 | Set up aggregation mechanisms before PII processing and storage |
| DM4 | Set up anonymization mechanisms before PII collection, processing and storage |

Table [3.4]. Privacy-by-Design Activities: Individual rights & Data Quality (IRDQ)

| Activity ID | Individual rights & Data quality (IRDQ) |
|---|---|
| IRDQ1 | Collect PII directly from PII principals whenever possible |
| IRDQ2 | Only collect PII from sources whose reliability can be attested |
| IRDQ3 | Make sure that the automatically generated PII does not lead to false judgements |
| IRDQ4 | Allow PII principals to access their individualized PII stored in the system |
| IRDQ5 | Allow PII principals to amend, correct and remove their own PII |
| IRDQ6 | Allow PII principals to object to the collection, processing, and sharing of their PII at any time |
| IRDQ7 | Enable timely and free-of-charge individual participation |
| IRDQ8 | Check regularly the accuracy, completeness, up-to-dateness, adequacy and relevance of PII |
| IRDQ9 | Provide PII changes in time to any relevant privacy stakeholders |
| IRDQ10 | Record the unresolved PII challenges |
| IRDQ11 | Inform privacy stakeholders in time about the unresolved PII challenges |

Table [3.5]. Privacy-by-Design Activities: Purpose binding & limitation (PBL)

| Activity ID | Purpose binding & limitation (PBL) |
|---|---|
| PBL1 | Notify PII principals about the legal reason for mandatory processing of PII |
| PBL2 | Identify and document the purposes for conducting activities involving PII |
| PBL3 | Define and document the purposes and technologies used for PII processing |
| PBL4 | Inform PII principals/service users about the purposes/services for which PII is used |
| PBL5 | Periodically evaluate the alignment between PII and its purpose |
| PBL6 | Exclude unnecessary PII which needs to be retained from regular processing |
| PBL7 | Reveal PII principals' identity as little as possible (e.g. avoid creating de-anonymized profiles) |
| PBL8 | Delete and dispose of non-purpose-binding PII and back-ups as soon as the purpose expires |
| PBL9 | Retain PII for a limited time span only, as needed or as required by law |
| PBL10 | Evaluate whether the privacy policy needs to be expanded for sharing new types of PII |

Table [3.6]. Privacy-by-Design Activities: Transparency & Openness (TO)

| Activity ID | Transparency & Openness (TO) |
|---|---|
| TO1 | Document the type of PII collected |
| TO2 | Define any cases that may disclose PII |
| TO3 | Make PII processing explicitly announced and described |
| TO4 | Specify policies and practices about publicly-available PII |
| TO5 | Ensure the policy is available in any natural languages that PII principals might use |
| TO6 | Inform PII principals about their rights and choices |
| TO7 | Provide contact information for questions and complaints |
| TO8 | Inform PII principals about privacy stakeholders and PII controller |
| TO9 | Archive and provide easy access to the historical versions of the policy |
| TO10 | Design and maintain a Privacy Dashboard |
| TO11 | Make sure the PII principal read the privacy notice (by implementing an affordance) |
| TO12 | Specify a PII decommission plan in the system design |

Table [3.7]. Privacy-by-Design Activities: Information Security (IS)

| Activity ID | Information Security (IS) |
|---|---|
| IS1 | Restrict the number of PII stakeholders and their access to the minimum need of PII |
| IS2 | Minimize risks such as unauthorized access, destruction, use, modification, disclosure or loss |
| IS3 | Conduct attack surface analysis and privacy threat modeling |
| IS4 | Identify and prioritize privacy threats |
| IS5 | Validate and verify the system's alignment with the privacy requirements |
| IS6 | Define privacy requirements explicitly |
| IS7 | Design and implement adequate Privacy-Enhancing Technologies (PETs) |
| IS8 | Prevent third parties from profiling PII |

Table [3.8]. Privacy-by-Design Activities: Accountability & Compliance (AC)

| Activity ID | Accountability & Compliance (AC) |
|---|---|
| AC1 | Notify PII principals about privacy breaches |
| AC2 | Notify the Supervisory Authority when there are privacy breaches |
| AC3 | Provide sanction and/or remedy procedures for privacy breaches |
| AC4 | Place internal controls that align with external supervision mechanisms |
| AC5 | Specify an entity responsible for privacy related issues |
| AC6 | Arrange regular personnel training |
| AC7 | Check regularly if security safeguards are up-to-date |
| AC8 | Set up a policy for internal PII sharing |
| AC9 | Choose reliable PII processors that have an equivalent privacy maturity |
| AC10 | Specify the responsibilities of external entities |
| AC11 | Minimize PII shared with external entities |
| AC12 | Inform PII principals about sharing their PII |
| AC13 | Conduct privacy risk assessments (PIA) and implement periodic review and reassessment |
| AC14 | Implement PII protection mechanisms when conducting testing, research or training |
| AC15 | Conduct either internal or third-party privacy auditing |
| AC16 | Cooperate with supervisory and regulatory authorities |

3.3. Privacy Maturity Levels

Maturity levels 1 to 3 are defined for the Privacy Maturity Model. The maturity levels increase in depth:

• Level 1 is the initial privacy maturity level. It requires the implementation of both the most fundamental PbD activities regardless of industry, and the law-binding PbD activities. Level 1 is regarded as the privacy level for all companies/organizations to achieve in order to "make privacy work".

• Level 2 is the standard privacy maturity level, which is for data-sensitive companies/organizations to reach. It requires the implementation of all PbD activities from Level 1, plus a list of PbD best practices regarding the privacy status quo;

• Level 3 is the cutting-edge privacy maturity level. To reach Level 3, a company/organization should not only implement all PbD activities from the previous two maturity levels, but also more advanced ones which are supposed to be more proactive acts, and cost more resources (i.e. time, money and knowledge) in theory.

To reach any of the maturity levels, the requirements in the implementation of PbD activities differ. The requirement for each maturity level is defined accordingly, namely Basic, Intermediate, and Advanced.

• Basic (B) is the minimum privacy requirement. It refers to a PbD activity that is either mandatory for legal reasons, or is expected (by expert opinion) to be implemented by every organization regardless of which industry the organization belongs to. Besides, a Basic activity is always easy to implement, in terms of lower costs. Sometimes a Basic activity is the precondition for Intermediate and/or Advanced activities;

• Intermediate (I) is the average privacy requirement. It refers to a PbD activity that has not yet been set as mandatory by laws/regulations, but the prerequisites for implementing that activity do not significantly vary from industry to industry. An Intermediate PbD activity is expected to be implemented by around half of the overall population in the real world. In a few cases, an Intermediate activity is a precondition for Advanced activities;

• Advanced (A) is the most complex privacy requirement. It refers to a PbD activity that is neither mandated by law, nor considered to be popular with the majority yet, and the implementation rate can be strongly distinctive among different industries.

For the classification of PbD activities, 3 indicators are analyzed: Mandatory, Popularity, and Complexity. A comparison of the 3 privacy requirements can be found in the following table:

Table [3.9]. A Comparison of Privacy Requirements

| Indicator \ Requirement | Basic | Intermediate | Advanced |
|---|---|---|---|
| Mandatory | In most cases* | Non-mandatory | Non-mandatory |
| Popularity | High | Medium | Low |
| Complexity | Low | Medium | High |

*: Mandatory is a sufficient (but not necessary) condition for a Basic PbD activity.

Then, each PbD activity in the checklist is matched with one of the requirements. In order to examine the indicators Popularity and Complexity, previous real-world privacy policies were also taken into account. The result has been validated along with SIG expert opinions.

In the end, each of the 75 PbD activities received a matching: in total, 23 being Basic, 28 being Intermediate, and 24 being Advanced. This distribution is aligned with the status quo of the implementation of PbD activities.

Table 3.10 presents the classification of PbD activities in terms of the different requirements. Under each privacy principle, the 3 columns stand for Basic, Intermediate, and Advanced from left to right, which are marked by the colors yellow, green, and blue, respectively.

Table [3.10]. Privacy Maturity Levels of PbD Activities (per principle, three columns: Basic, Intermediate, Advanced, from left to right)

Lawfulness & Consent (LC)
LC1 LC6 LC12
LC2 LC7
LC3 LC8
LC4 LC9
LC5 LC10
LC13 LC11
LC14

Data Minimization (DM)
DM1 DM2
DM3
DM4

Individual rights & Data quality (IRDQ)
IRDQ1 IRDQ2 IRDQ3
IRDQ4 IRDQ7 IRDQ6
IRDQ5 IRDQ9 IRDQ8
IRDQ10
IRDQ11

Purpose binding & limitation (PBL)
PBL1 PBL3 PBL6
PBL2 PBL4 PBL7
PBL5
PBL8
PBL9
PBL10

Transparency & Openness (TO)
TO6 TO3 TO1
TO7 TO4 TO2
TO8 TO5 TO9
TO10
TO11
TO12

Information Security (IS)
IS1 IS3 IS6
IS2 IS4 IS7
IS5 IS8

Accountability & Compliance (AC)
AC1 AC6 AC8
AC2 AC7 AC9
AC3 AC10 AC14
AC4 AC11 AC15
AC5 AC13 AC12 AC16

3.4. The Privacy Questionnaire

As discussed in the Research Methods section (Chapter 1.4), the validation of the Privacy Maturity Model relies on a privacy questionnaire that collects information about real-world IT systems. Initially, SIG provided the study with a draft version of the privacy questionnaire (v1.1), which contained 35 questions in total. Later, based on the iterative matching with the PbD checklist, the questionnaire was enlarged to 50 questions.

The questionnaire contains a combination of closed-ended and open-ended questions. With closed-ended questions, the participants are required to pick the choice(s) that most closely describe the status quo of their system. With open-ended questions, the participants are required to specify the unique aspect(s) of their system.

The sequence of questions follows the 3 stages of the PII workflow (which have been specified in Chapter 3.1). Questions under each PII workflow stage are further grouped to indicate different privacy principles. A separate section is added at the end of the questionnaire to collect information about the system design and implementation. Below is an outline of the questionnaire, with each section followed by the number of questions asked in that part.

Figure [3.2]. Outline of the Privacy Questionnaire

Privacy Questionnaire
  Questionnaire
    Data Collection
      1. Data Minimization (5)
      2. Lawfulness & Consent (7)
      3. Individual rights & Data Quality (7)
    Data Processing
      4. Purpose binding & limitation (4)
      5. Transparency & Openness (5)
    Data Protection
      6. Information Security (4)
      7. Accountability & Compliance (12)
    Design and Implementation (6)
  Appendix
    System information

The 50 questions ensure all the 75 PbD activities in our checklist are measurable – the mapping between the PbD activities and the questions is multiple to multiple. In some cases, one PbD activity refers to multiple questions; in others, several PbD activities are measured by one question. Besides, some questions are system-specific for gaining an impression of the context. Examples of the different question types are given in the following tables.

Table [3.18]. Question Example 1: One Activity – Multiple Questions

| Activity ID | Question 6. Which of the following activities regarding data collection are performed by the organization? (Please, check all that apply.) |
|---|---|
| | Options |
| LC2 | The organization defines lawful purposes for collecting and processing PII before PII collection; |
| LC3 | The organization notifies PII principals about mandatory collection of PII (e.g. for legal purpose); |
| LC4 | The organization ensures that data subjects understand the privacy policies when giving consent upon PII collection; |
| LC5 | The organization provides understandable information regarding PII purpose and collection; |
| LC6 | Upon PII collection, the organization displays notifications of the associated privacy policies. |

Table [3.19]. Question Example 2: Multiple Activities – One Question

| Activity ID | Question 39.c. (If the organisation shares PII with external entities) with which type of organisation(s) is PII shared? (Please check all that apply) |
|---|---|
| AC11 | Options: Outsourced IT partner; Legal entity; Government; Other(s) |
| | Question 39.d. If yes, how often is the PII shared with external parties? |
| | Options: One time; Periodically; Continuously |

Table [3.20]. Question Example 3: System-specific Question

| Question 45. Does the organization host the application within its own premises? |
|---|
| Options |
| Yes, the organization locally hosts and manages the application and all elements that interact with it (e.g.: data stores, proxy, firewall, etc.); |
| Yes, the organization hosts the application within its own premises, but an external party is responsible for managing the application and all its associated elements; |
| No, the organization does not host the application and an external party is responsible for managing the application and all its associated elements; |
| Others: |

3.5. The Evaluation Framework

Based on the system facts collected by the privacy questionnaire, the PbD checklist can be reviewed and evaluated.

The evaluation of privacy maturity is two-fold: Firstly, the compliance with privacy maturity levels will be checked. Secondly, an action plan will be provided to the company/organization. The two parts function together to give an insight into what PbD activities are currently being implemented, and therefore encourage the company/organization to move towards a higher privacy maturity level.

3.5.1. Compliance with Privacy Maturity Levels

Instead of merely providing an overall result of compliance based on the whole model, the evaluation aims to provide a series of results based on each of the 7 privacy principles.

The rules for full compliance with a specific privacy principle are defined as below:

• Full compliance with Privacy Maturity Level 1 is achieved by a 100% implementation of Basic PbD activities;

• Full compliance with Privacy Maturity Level 2 is achieved on top of full compliance with Level 1, but also requires a 100% implementation of Intermediate PbD activities;

• Full compliance with Privacy Maturity Level 3 is achieved on top of full compliance with Level 2, but also requires a 100% implementation of Advanced PbD activities.

The above rules indicate that only when a system/application reaches full compliance with the previous maturity level can compliance with the next level be achieved.

If a system does not fully implement the Basic PbD activities which are required by Level 1, then it is regarded as Level 1 non-compliant. Any unimplemented Intermediate or Advanced PbD activities under a specific privacy principle will stop it from being Level 2 or Level 3 fully compliant, respectively; these cases are thus classified as non-compliance with that privacy maturity level, and therefore the result degrades to the previous level.
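The level determination rules above, together with the many-to-many mapping between questionnaire options and PbD activities from Chapter 3.4, can be made concrete as a small scoring routine. The following is an added example written for this transcript, not code from the thesis or from SIG. It takes the Basic/Intermediate/Advanced classification of the LC and DM activities from Tables 3.11 and 3.12 and the options of question 6 from Table 3.18; every other question, option and the filled-in answers are constructed sample data, and the function names are the example's own. It also shows the edge case the rules leave implicit: a principle with no Basic activity (Data Minimization) passes Level 1 vacuously, since 100% of an empty set is implemented.

```python
"""Added example (not thesis code): per-principle privacy maturity level and
action plan from questionnaire answers, following the rules of section 3.5.1.
LC/DM classification: Tables 3.11 and 3.12. Q6 options: Table 3.18.
All other questions, options and the sample answers are constructed."""
import re

# Requirement class -> the maturity level that first requires it (section 3.3).
LEVEL_OF_CLASS = {"B": 1, "I": 2, "A": 3}
CLASS_OF_LEVEL = {1: "B", 2: "I", 3: "A"}

# Requirement class per activity: LC from Table 3.11, DM from Table 3.12.
REQUIREMENT = {
    "LC1": "B", "LC2": "B", "LC3": "B", "LC4": "B", "LC5": "B", "LC6": "B",
    "LC7": "I", "LC8": "I", "LC9": "I", "LC10": "I", "LC11": "I", "LC12": "I",
    "LC13": "A", "LC14": "B",
    "DM1": "I", "DM2": "A", "DM3": "A", "DM4": "A",
}

# Checked option -> activities it evidences. Many-to-many: one option may
# evidence several activities (Q7a), and one activity may be evidenced by
# options of several questions (LC1 via Q7a or Q9a). Q6 follows Table 3.18;
# Q7-Q10 are constructed for the example.
OPTION_ACTIVITIES = {
    ("Q6", "a"): ["LC2"], ("Q6", "b"): ["LC3"], ("Q6", "c"): ["LC4"],
    ("Q6", "d"): ["LC5"], ("Q6", "e"): ["LC6"],
    ("Q7", "a"): ["LC1", "LC11"],   # constructed: opt-in/opt-out with withdrawal
    ("Q7", "b"): ["LC14"],          # constructed: consent or legal basis
    ("Q8", "a"): ["LC7"], ("Q8", "b"): ["LC8"], ("Q8", "c"): ["LC9"],
    ("Q8", "d"): ["LC10"], ("Q8", "e"): ["LC12"], ("Q8", "f"): ["LC13"],
    ("Q9", "a"): ["LC1"],           # constructed: second question evidencing LC1
    ("Q10", "a"): ["DM1"], ("Q10", "b"): ["DM2"], ("Q10", "c"): ["DM3"],
    ("Q10", "d"): ["DM4"],
}

# Constructed answers of one system: LC1-LC10, LC12, LC14 and DM1, DM3, DM4
# are evidenced; LC11, LC13 and DM2 are not.
SAMPLE_ANSWERS = {
    "Q6": {"a", "b", "c", "d", "e"},
    "Q7": {"b"},
    "Q8": {"a", "b", "c", "d", "e"},
    "Q9": {"a"},
    "Q10": {"a", "c", "d"},
}


def activity_key(activity_id):
    """Sort 'LC10' after 'LC2' by splitting the prefix from the number."""
    m = re.fullmatch(r"([A-Z]+)(\d+)", activity_id)
    return (m.group(1), int(m.group(2)))


def principle_of(activity_id):
    return activity_key(activity_id)[0]


def implemented_activities(answers):
    """An activity counts as implemented when any option evidencing it is checked."""
    done = set()
    for question, checked in answers.items():
        for option in checked:
            done.update(OPTION_ACTIVITIES.get((question, option), []))
    return done


def maturity_level(principle, implemented):
    """Level n needs 100% of the activities of class n and full compliance with
    level n-1; the first class with a gap stops the climb, so the result is
    the previous level (0 when a Basic activity is missing). A class with no
    activities for this principle is passed vacuously (DM has no Basic one)."""
    activities = [a for a in REQUIREMENT if principle_of(a) == principle]
    level = 0
    for cls in ("B", "I", "A"):
        required = [a for a in activities if REQUIREMENT[a] == cls]
        if all(a in implemented for a in required):
            level = LEVEL_OF_CLASS[cls]
        else:
            break
    return level


def action_plan(principle, implemented):
    """Activities still missing for the next level (empty once Level 3 is reached)."""
    level = maturity_level(principle, implemented)
    if level == 3:
        return []
    next_cls = CLASS_OF_LEVEL[level + 1]
    missing = [a for a in REQUIREMENT
               if principle_of(a) == principle
               and REQUIREMENT[a] == next_cls
               and a not in implemented]
    return sorted(missing, key=activity_key)


def evaluate(answers):
    """Per-principle (level, action plan), the two outputs of section 3.5."""
    implemented = implemented_activities(answers)
    principles = sorted({principle_of(a) for a in REQUIREMENT})
    return {p: (maturity_level(p, implemented), action_plan(p, implemented))
            for p in principles}


if __name__ == "__main__":
    for principle, (level, plan) in evaluate(SAMPLE_ANSWERS).items():
        print(f"{principle}: Level {level}; next steps: {plan or 'none'}")
```

For the constructed answers, Lawfulness & Consent stops at Level 1 because LC11 (withdrawal of consent) is the one Intermediate activity without evidence, while Data Minimization reaches Level 2 and its plan names only DM2. Adding the remaining principles is a matter of extending REQUIREMENT and OPTION_ACTIVITIES from Tables 3.10 to 3.13 and the full questionnaire.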

The privacy maturity level determination process is depicted in the following flowchart:

Figure [3.3]. The Composition of the Privacy Maturity Model

The tables below represent the full compliance circumstances of each privacy principle. Note that the privacy maturity evaluation always starts from the minimum level. Only when all PbD activities under the minimal privacy requirement (Basic) are "checked", or alternatively, full compliance with Level 1 is achieved, can the evaluation move forward to the next level. Since the privacy maturity levels are in line with the privacy requirements (see Chapter 3.3), the same color set {yellow, green, and blue} has been adopted in the following tables to represent the conditions for achieving the different maturity levels.

Table [3.11]. Evaluation of Compliance: Lawfulness & Consent (LC)

| Activity ID | Lawfulness & Consent (LC) | L1 | L2 | L3 |
|---|---|---|---|---|
| LC1 | Allow PII principal to freely opt-in and opt-out | ✓ | ✓ | ✓ |
| LC2 | Define lawful purposes for collecting and processing PII before PII collection | ✓ | ✓ | ✓ |
| LC3 | Notify PII principals about mandatory collection of PII (e.g. for legal purpose) | ✓ | ✓ | ✓ |
| LC4 | Ensure PII principals understand the privacy policies before providing consent without special knowledge | ✓ | ✓ | ✓ |
| LC5 | Provide easy to access and understandable information regarding PII collection | ✓ | ✓ | ✓ |
| LC6 | Display notifications of privacy policies at the entrance of physical locations where PII is collected | ✓ | ✓ | ✓ |
| LC7 | Collect PII in a privacy friendly way | | ✓ | ✓ |
| LC8 | Specify the tracking technologies that have been used (cookies, web beacons, clicking behavior, etc.) for PII collection | | ✓ | ✓ |
| LC9 | Notify PII principals that providing additional PII (e.g. for marketing purpose) is optional | | ✓ | ✓ |
| LC10 | Obtain consent before using or disclosing PII | | ✓ | ✓ |
| LC11 | Make provisions for PII principals to withdraw consent | | ✓ | ✓ |
| LC12 | Inform PII principals about the consequences of approving or declining the consent | | ✓ | ✓ |
| LC13 | Offer equitable conditions to PII principals who do not consent to provide PII | | | ✓ |
| LC14 | Conduct activities on any PII only with user consent or on a legal basis | ✓ | ✓ | ✓ |

Table [3.12]. Evaluation of Compliance: Data Minimization (DM)

| Activity ID | Data Minimization (DM) | L1 | L2 | L3 |
|---|---|---|---|---|
| DM1 | Minimize PII collected for each purpose | | ✓ | ✓ |
| DM2 | Separate the storage of PII collected from different sources | | | ✓ |
| DM3 | Set up aggregation mechanisms before PII processing and storage | | | ✓ |
| DM4 | Set up anonymization mechanisms before PII collection, processing and storage | | | ✓ |


Table [3.13]. Evaluation of Compliance: Individual Rights & Data Quality (IRDQ) Activity

ID       Individual Rights & Data Quality (IRDQ)                                                                    L1  L2  L3
IRDQ1    Collect PII directly from PII principals whenever possible                                                 ✓   ✓   ✓
IRDQ2    Only collect PII from sources whose reliability can be attested                                            -   ✓   ✓
IRDQ3    Make sure that automatically generated PII does not lead to false judgements                               -   -   ✓
IRDQ4    Allow PII principals to access their individualized PII stored in the system                               ✓   ✓   ✓
IRDQ5    Allow PII principals to amend, correct and remove their own PII                                            ✓   ✓   ✓
IRDQ6    Allow PII principals to object to the collection, processing, and sharing of their PII at any time        -   -   ✓
IRDQ7    Enable timely and free-of-charge individual participation                                                  -   ✓   ✓
IRDQ8    Check regularly the accuracy, completeness, currency, adequacy and relevance of PII                        -   -   ✓
IRDQ9    Provide PII changes in time to any relevant privacy stakeholders                                           -   ✓   ✓
IRDQ10   Record the unresolved PII challenges                                                                       -   -   ✓
IRDQ11   Inform privacy stakeholders in time about the unresolved PII challenges                                    -   -   ✓

Table [3.14]. Evaluation of Compliance: Purpose Binding & Limitation (PBL) Activity

ID       Purpose Binding & Limitation (PBL)                                                                         L1  L2  L3
PBL1     Notify PII principals about the legal reason for mandatory processing of PII                               ✓   ✓   ✓
PBL2     Identify and document the purposes for conducting activities involving PII                                 ✓   ✓   ✓
PBL3     Define and document the purposes and technologies used for PII processing                                  -   ✓   ✓
PBL4     Inform PII principals/service users about the purposes/services for which PII is used                      -   ✓   ✓
PBL5     Periodically evaluate the alignment between PII and its purpose                                            -   ✓   ✓
PBL6     Exclude unnecessary PII which needs to be retained from regular processing                                 -   -   ✓
PBL7     Reveal PII principals' identity as little as possible (e.g. avoid creating de-anonymized profiles)         -   -   ✓
PBL8     Delete and dispose of non-purpose-binding PII and back-ups as soon as the purpose expires                  -   ✓   ✓
PBL9     Retain PII for a limited time span only, as needed or as required by law                                   -   ✓   ✓
PBL10    Evaluate whether the privacy policy needs to be expanded for sharing new types of PII                      -   ✓   ✓


Table [3.15]. Evaluation of Compliance: Transparency & Openness (TO) Activity

ID     Transparency & Openness (TO)                                                                                 L1  L2  L3
TO1    Document the type of PII collected                                                                           -   -   ✓
TO2    Define any cases that may disclose PII                                                                       -   -   ✓
TO3    Make PII processing explicitly announced and described                                                       -   ✓   ✓
TO4    Specify policies and practices about publicly available PII                                                  -   ✓   ✓
TO5    Ensure the policy is available in any natural language that PII principals might use                        -   ✓   ✓
TO6    Inform PII principals about their rights and choices                                                         ✓   ✓   ✓
TO7    Provide contact information for questions and complaints                                                     ✓   ✓   ✓
TO8    Inform PII principals about privacy stakeholders and the PII controller                                      ✓   ✓   ✓
TO9    Archive and provide easy access to the historical versions of the policy                                     -   -   ✓
TO10   Design and maintain a Privacy Dashboard                                                                      -   -   ✓
TO11   Make sure the PII principal has read the privacy notice (by implementing an affordance)                      -   -   ✓
TO12   Specify a PII decommission plan in the system design                                                         -   -   ✓

Table [3.16]. Evaluation of Compliance: Information Security (IS) Activity

ID     Information Security (IS)                                                                                    L1  L2  L3
IS1    Restrict the number of PII stakeholders and their access to the minimum PII needed                           ✓   ✓   ✓
IS2    Minimize risks such as unauthorized access, destruction, use, modification, disclosure or loss               ✓   ✓   ✓
IS3    Conduct attack surface analysis and privacy threat modeling                                                  -   ✓   ✓
IS4    Identify and prioritize privacy threats                                                                      -   ✓   ✓
IS5    Validate and verify the system's alignment with the privacy requirements                                     -   ✓   ✓
IS6    Define privacy requirements explicitly                                                                       -   -   ✓
IS7    Design and implement adequate Privacy-Enhancing Technologies (PETs)                                          -   -   ✓
IS8    Prevent third parties from profiling PII                                                                     -   -   ✓


Table [3.17]. Evaluation of Compliance: Accountability & Compliance (AC) Activity

ID     Accountability & Compliance (AC)                                                                             L1  L2  L3
AC1    Notify PII principals about privacy breaches                                                                 ✓   ✓   ✓
AC2    Notify the Supervisory Authority when there are privacy breaches                                             ✓   ✓   ✓
AC3    Provide sanction and/or remedy procedures for privacy breaches                                               ✓   ✓   ✓
AC4    Place internal controls that align with external supervision mechanisms                                      ✓   ✓   ✓
AC5    Specify an entity responsible for privacy-related issues                                                     ✓   ✓   ✓
AC6    Arrange regular personnel training                                                                           -   ✓   ✓
AC7    Check regularly if security safeguards are up-to-date                                                        -   ✓   ✓
AC8    Set up a policy for internal PII sharing                                                                     -   -   ✓
AC9    Choose reliable PII processors that have an equivalent privacy maturity                                      -   -   ✓
AC10   Specify the responsibilities of external entities                                                            -   ✓   ✓
AC11   Minimize PII shared with external entities                                                                   -   ✓   ✓
AC12   Inform PII principals about sharing their PII                                                                ✓   ✓   ✓
AC13   Conduct privacy risk assessments (PIA) and implement periodic review and reassessment                        -   ✓   ✓
AC14   Implement PII protection mechanisms when conducting testing, research or training                            -   -   ✓
AC15   Conduct either internal or third-party privacy auditing                                                      -   -   ✓
AC16   Cooperate with supervisory and regulatory authorities                                                        -   ✓   ✓

3.5.2. The Action Plan

Compliance with privacy maturity levels reflects how well an ICT system or application is doing in terms of privacy protection. Apart from that, having an action plan that provides feedback and tailored suggestions is crucial for companies and organizations: although the Privacy Maturity Model shows maturity levels under 7 privacy principles, it is believed that companies and organizations would like to know the meaning behind the results, as well as how to conduct PbD activities in a more consistent way.

The potential benefits of having an action plan along with the maturity results can be distinguished as follows: firstly, a list of unimplemented PbD activities can be identified from the specific answers to the questionnaire; secondly, a prioritization of these unimplemented PbD activities can be determined by conducting a risk analysis based on relevant factors (such as likelihood, impact, cost, etc.). However, since each company/organization has its own specifics in terms of business resources, how to calibrate the risk management process will not be discussed further in this Privacy Maturity Model research.


4. Case Studies

Figure 4.1 represents a flowchart of the adoption of the Privacy Maturity Model. It will be described in detail in the following sections.

Figure [4.1]. Process of Adopting the Privacy Maturity Model

4.1. Outcomes of the Case Studies

Overall, two case studies have been performed to analyze the Privacy Maturity Model. To protect the participants from being disclosed, the two participants are anonymized and referred to as Organization X and Company Y throughout the text. Organization X resides in the Dutch Government sector (51–200 employees, retrieved from the organization's LinkedIn page); Company Y is a leading Dutch company in the Utilities industry (1,001–5,000 employees, retrieved from the company's LinkedIn page).

Both participants first answered the privacy questionnaire, each for their own system serving their core business operations. Later, an interview with Company Y was also conducted (Chapter 4.2 will focus on this interview). The two sets of responses to the questionnaire were processed in the same way: first of all, the answers were mapped onto the PbD checklist. Then, the implementation of PbD activities was checked with the evaluation framework described in Chapter 3.5.

One thing that needs to be clarified before showing the maturity level results is that, in both case studies, a few questions were not answered. This is due to the iterative improvement of the privacy questionnaire, i.e., new questions were added over time. Company Y participated at a later stage of this research, so it has fewer unanswered questions than Organization X. These unanswered questions leave the implementation of the corresponding PbD activities unknown. The way of dealing with this situation is to check the unanswered questions additionally. Taking the privacy requirement Basic as an example: if the question(s) mapping onto a Basic PbD activity are unanswered, which means the implementation of that Basic activity is unknown, then the privacy maturity is considered as Level 1: partial compliance rather than Level 1: full compliance, even if the rest of the Basic activities are fully implemented.


4.1.1. Case Study 1

The following table indicates the privacy maturity levels received by Organization X:

Table [4.4]. Privacy Maturity Levels: Organization X

Privacy Principle                               Maturity Level
Lawfulness & Consent (LC)                       Level 1: partial compliance
Data Minimization (DM)                          Level 1: non-compliance
Individual Rights & Data Quality (IRDQ)         Level 2: partial compliance
Purpose Binding & Limitation (PBL)              Level 1: partial compliance
Transparency & Openness (TO)                    Level 1: non-compliance
Information Security (IS)                       Level 1: partial compliance
Accountability & Compliance (AC)                Level 1: non-compliance

4.1.2. Case Study 2

The following table indicates the privacy maturity levels received by Company Y:

Table [4.5]. Privacy Maturity Levels: Company Y

Privacy Principle                               Maturity Level
Lawfulness & Consent (LC)                       Level 2: full compliance
Data Minimization (DM)                          Level 2: full compliance
Individual Rights & Data Quality (IRDQ)         Level 3: partial compliance
Purpose Binding & Limitation (PBL)              Level 2: partial compliance
Transparency & Openness (TO)                    Level 2: full compliance
Information Security (IS)                       Level 3: partial compliance
Accountability & Compliance (AC)                Level 3: full compliance


4.2. Feedback on the Privacy Maturity Model

After filling out the questionnaire, Company Y showed willingness to participate in a further discussion on the privacy topic. This was mainly because Company Y felt that, while filling out the questionnaire, they encountered several situations in which the system facts were ambiguous rather than black-and-white. Therefore, a face-to-face discussion was planned between SIG Privacy Researchers and the Chief Privacy Officer of Company Y, along with his colleague, the Security Officer.

During the meeting, fundamental information was briefly shared with Company Y, such as the initial motivation for this research on privacy, the overall research process, the summary of privacy principles, and the distribution of PbD activities under each privacy principle. Then, the answers provided by Company Y were reviewed together. On the one hand, SIG experts pointed out several cases in which Company Y might have misunderstood the questions, and these cases were clarified during the discussion; on the other hand, Company Y strengthened their answers by explaining more according to the system facts.

Most crucially, the meeting with Company Y revealed that having the Privacy Maturity Model in place will be valuable in guiding the implementation of PbD activities. The opinions held by Company Y are three-fold, each followed by a brief explanation:

• Overall, having a roadmap for solving privacy issues is of increasingly high importance to modern organizations. Although many privacy acts have been made mandatory, it is still rare for an organization to have a ready-made privacy checklist containing best practices to follow. To create a to-do list for privacy, the organization has to either develop it in-house or hire someone from outside. Both are expensive and time-consuming, and might run the risk of becoming involved with red tape or lawyers;

• Implementing only Privacy-Enhancing Technologies will not always be sufficient for the protection of personal data, especially sensitive data. Apart from purely implementing PETs, emerging issues such as governance and compliance are crucial for the organization to solve. Besides, customers are becoming more and more eager to protect their PII, which requires the organization to be more transparent in sharing information on how PII is used;

• Organizations need to be aware of, and think more about, how to provide as much service as possible with less PII. The organization should always ask itself the question "Is the PII we collect really necessary for providing the service?". Previously, the trend was "collect as much data as possible at first, and think about how to use the data later"; but nowadays the organization is warned by the fact that the more PII it holds, the larger the amount of compensation it has to pay once a data breach happens.

Regarding the above opinions provided by Company Y, it is convincing that the Privacy Maturity Model will not only act as guidance for conducting PbD activities, but also help prevent cases such as relying on PETs as a panacea, or "act before think", from happening.

4.3. Findings from the Case Studies

The focus of this section is on presenting the findings in terms of privacy issues when applying the Privacy Maturity Model. Apart from describing the problems that occurred in the two case studies, this section also explains the reasons behind those problems, and proposes possible solutions.

4.3.1. Non-Compliance with Basic Activities

Looking at the maturity levels of Organization X, it appears that compliance with Privacy Maturity Level 1 has not been fulfilled by the system under 3 privacy principles: Lawfulness & Consent, Transparency & Openness, and Accountability & Compliance. This means that the system is missing the implementation of some Basic PbD activities, which should be the most common privacy practices, or might even be mandated by law.

The reason behind the non-compliance with Level 1 is that Organization X is undergoing a system redesign. The previous version of their system was launched far ahead of the recent release of the GDPR (April 2016), so there exist quite a few issues that do not comply with the new privacy regulation. According to the communication between SIG and Organization X, the non-compliance issues lie not only in the system design, but also in X's organizational procedures. The positive side of this case study is that Organization X will take the evaluation results into serious consideration, and regard them as input for the system re-design.

4.3.2. The Non-Applicable Activities

There exist a few situations in which a PbD activity is not applicable to the specific system. For example, under the privacy principle Accountability & Compliance, one Basic PbD activity is "Make sure the automatically generated PII does not lead to false judgements". But in reality, since the systems of our participants being analyzed do not generate PII automatically, this activity is regarded as not applicable in both case studies.


When going through the process of matching answers to the PbD checklist, both participants had around 3 non-applicable PbD activities. These non-applicable activities have not been taken into consideration in the evaluation. Therefore, they do not hamper the determination of privacy maturity levels.

4.3.3. Overall Comparison of the Case Studies

Before sending out the privacy questionnaire, it was known that Company Y places more emphasis on the privacy issue than Organization X. Therefore, the results of their privacy maturity levels are in line with the expectation.

The results also show that both participants have gained a higher maturity level in Individual Rights & Data Quality as well as Information Security. The explanation for this result is that these two privacy principles cover more PbD activities which can be labeled as "do's" rather than "notices". Since Organization X and Company Y are both willing to get privacy right, the implementation of the "do's" is high. However, it might sometimes be the case that the organizations only focus on implementing, but forget to put those "do's" into documentation. Although privacy principles such as Transparency and Openness suggest PbD activities that are more about publishing policies, they are regarded as of equal importance in the Privacy Maturity Model. To enhance the maturity level of these previously neglected privacy principles, both participants should focus more on the "notices" in the future.


5. Discussions

This chapter first aims to refine the Privacy Maturity Model based on the company interview. It then presents discussions on alternative approaches to conducting the evaluation framework of the Privacy Maturity Model.

5.1. Refinement of the Privacy Maturity Model

During the interview with Company Y, the participants were encouraged to share their opinions on the Privacy Maturity Model. The Chief Privacy Officer voiced a concern with part of the model: according to the distribution of PbD activities under the Data Minimization principle, it might be confusing to have zero Basic activities for Maturity Level 1. Once a company implements nothing under Data Minimization, it can be judged as both non-compliance with Level 1 and non-compliance with Level 2.

Thus, a discussion on this activity distribution issue took place with SIG experts. Since there are only 4 PbD activities under the Data Minimization principle, a comparison of the maturity of each activity was made. As a result, activity DM1 was re-assigned as a Basic activity, and DM2 was re-assigned as an Intermediate activity. This has also resulted in a change to this part of the model evaluation:

Table [5.1]. Evaluation of Compliance (Updated): Data Minimization (DM) Activity

ID     Data Minimization (DM)                                                                                       L1  L2  L3
DM1    Minimize PII collected for each purpose                                                                      ✓   ✓   ✓
DM2    Separate the storage of PII collected from different sources                                                 -   ✓   ✓
DM3    Set up aggregation mechanisms before PII processing and storage                                              -   -   ✓
DM4    Set up anonymization mechanisms before PII collection, processing and storage                                -   -   ✓

The updated Data Minimization evaluation eliminates the ambiguity brought up by Company Y. Instead of confusingly being judged as non-compliant with either maturity level 1 or 2, a company/organization that does not implement DM1 will now be judged as Level 1: non-compliance for certain.

5.2. Improvement of the Evaluation Framework

Due to the fewer-than-expected data points collected by the privacy questionnaire, the current approach to evaluating the Privacy Maturity Model still has its constraints. For example, the current evaluation does not provide a benchmark. However, if more data points can be gathered via the questionnaire in the future, there is a high chance that the evaluation framework will differ from how it looks now. In the following sections, the reason for the low response rate as well as a potential redesign of the evaluation framework (i.e. a star-rating system) are discussed.

5.2.1. A Limited Number of Data Points

During the whole research process, the most challenging issue was the unexpectedly small number of responses to our questionnaire. Originally, an Invitation to Participate letter was sent out to more than 20 companies/organizations in total. However, among these potential participants, only half responded to the invitation, and eventually only 2 participated in answering the questionnaire (and Company Y participated in an interview). Later, the Invitation to Participate was iteratively (i.e. monthly, from April to June) spread via social networks, such as the SIG official LinkedIn page, SIG experts' personal LinkedIn pages, as well as the SIG official Twitter account. Yet, no further response was received until the end of the model validation.

To summarize, the major reason behind the low motivation to participate can be identified from the communications with the invited companies/organizations: it is hard to avoid bureaucracy in large organizations, which really slowed things down. In particular, the research faced more resistance when internal communication procedures required everything to be tracked by various departments. In the worst case, the research was even rejected simply because of the ignorance of less relevant personnel.

5.2.2. The Partially Implemented PbD Activities

An issue with the implementation of PbD activities is that, for several activities, it is not enough to measure things as "either black or white". A few questions were designed to ask about the frequency of conducting a PbD activity. For instance, one question asks how often the organization plans personnel privacy training. The answers could be "frequently", "once" and "never". The idea is, of course, not merely to look at whether a training has ever been given to the personnel, but to see whether the training has been done regularly.

In that sense, the specific PbD activity can be measured as "partially done" if the participant answered "once". To better understand the type of "partially done" situation, the respondents are also asked to specify the frequency by entering free text in the questionnaire.

The good news is that the answers from both participants showed that entering free text is not a burden. Company Y was even happy to write down some extra information to better describe the situation they are going through, which is indeed an appealing outcome that encourages the development of the Privacy Maturity Model.

In order to take the partial implementation of PbD activities into account, the rules of the current model evaluation can be further developed. Together with SIG experts, we suggest a possible definition of the partial compliance circumstances:

• A system/application reaches Level 1 partial compliance when every Basic activity is at least partially implemented;

• A system/application reaches Level 2 partial compliance when it has reached full compliance with Level 1, and every Intermediate activity is at least partially implemented;

• A system/application reaches Level 3 partial compliance when it has reached full compliance with Level 2, and every Advanced activity is at least partially implemented.
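As an added example (written for this edition, not code from the thesis or from SIG), the Python function below combines the partial-compliance definition above with the full-compliance rule of Section 3.5.1, the handling of unanswered questions from Section 4.1 and the exclusion of non-applicable activities from Section 4.3.2, evaluated against the updated Data Minimization checklist of Table 5.1. The Status names are assumptions, as is the rule that an unanswered activity counts as at most partially implemented.

```python
from enum import Enum


class Status(Enum):
    """Implementation state of one PbD activity, derived from the questionnaire answers."""
    DONE = "implemented"
    PARTIAL = "partially implemented"   # e.g. personnel training done "once" (Section 5.2.2)
    NOT_DONE = "not implemented"
    UNKNOWN = "unknown"                 # the mapped question was left unanswered (Section 4.1)
    NA = "not applicable"               # excluded from the evaluation (Section 4.3.2)


# Privacy requirement tiers in the order of the maturity levels they gate (Level 1, 2, 3).
TIERS = ("Basic", "Intermediate", "Advanced")

# Updated Data Minimization checklist of Table 5.1: activity id -> tier.
DM_TIERS = {
    "DM1": "Basic",          # Minimize PII collected for each purpose
    "DM2": "Intermediate",   # Separate the storage of PII collected from different sources
    "DM3": "Advanced",       # Set up aggregation mechanisms before PII processing and storage
    "DM4": "Advanced",       # Set up anonymization mechanisms before collection, processing, storage
}

# Statuses that count as "at least partially implemented". Treating UNKNOWN this way is an
# assumption made here; it reproduces the case-study rule that an unanswered Basic question
# yields Level 1: partial compliance instead of Level 1: full compliance.
AT_LEAST_PARTIAL = (Status.DONE, Status.PARTIAL, Status.UNKNOWN)


def maturity_level(tiers: dict, status: dict) -> str:
    """Return the maturity label of one privacy principle.

    Rules: a level is fully complied with only when every activity of its tier is
    implemented and the previous level is fully complied with; partial compliance
    with level k requires full compliance with level k-1 and every tier-k activity
    at least partially implemented; any other gap degrades the result to the
    previous level (or to Level 1: non-compliance when the gap is in Basic).
    Activities missing from `status` are treated as unanswered (UNKNOWN).
    """
    for level, tier in enumerate(TIERS, start=1):
        states = [status.get(act, Status.UNKNOWN)
                  for act, t in tiers.items() if t == tier]
        states = [s for s in states if s is not Status.NA]   # drop non-applicable ones
        # Note: an empty tier is satisfied vacuously; this is why Table 3.12, which had
        # no Basic activity, was ambiguous until DM1 was re-assigned to Basic.
        if all(s is Status.DONE for s in states):
            continue                                          # full compliance, try the next level
        if all(s in AT_LEAST_PARTIAL for s in states):
            return f"Level {level}: partial compliance"
        if level == 1:
            return "Level 1: non-compliance"
        return f"Level {level - 1}: full compliance"
    return "Level 3: full compliance"


def evaluate(checklists: dict, status: dict) -> dict:
    """Maturity label per privacy principle, in the shape of Tables 4.4 and 4.5."""
    return {principle: maturity_level(tiers, status)
            for principle, tiers in checklists.items()}


if __name__ == "__main__":
    # Constructed answers: DM1 done, DM2 done once (partial), DM3 not applicable, DM4 done.
    answers = {"DM1": Status.DONE, "DM2": Status.PARTIAL,
               "DM3": Status.NA, "DM4": Status.DONE}
    print(evaluate({"Data Minimization (DM)": DM_TIERS}, answers))
```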

5.2.3. Possibility of a Privacy Maturity Rating System

A 5-star rating system is able to provide benchmark information once enough data points are available. The stars would completely replace the evaluation framework, and would provide direct insight to a company/organization that would like to position itself within either its industry or the general context.

The following transition table gives a first impression of how the star rating works. Overall, there are five rows specifying the number of stars from 1 to 5, respectively. For each row, a set of percentages is defined under all three privacy maturity levels. The percentages P_{B,i}, P_{I,i} and P_{A,i} (i = 1, 2, 3, 4, 5) indicate, for the total number of PbD activities (i.e., regardless of the privacy principles) belonging to a specific maturity level, how many of them are actually fully implemented. Each percentage determines the least amount of PbD activities that have to be implemented. For instance, a 3-star rating requires a system to conduct P_{B,3} of all PbD activities that belong to Basic, P_{I,3} of Intermediate, and P_{A,3} of Advanced.

Although one could argue that, in theory, a company can implement all PbD activities in Basic and yet none of the other two, since the percentages will be determined by data, it is still possible to avoid this theoretical issue.


Table [5.2]. The Transition Table for Privacy Star Rating

Star               Basic      Intermediate   Advanced
★☆☆☆☆ (1 star)     P_{B,1}    P_{I,1}        P_{A,1}
★★☆☆☆ (2 stars)    P_{B,2}    P_{I,2}        P_{A,2}
★★★☆☆ (3 stars)    P_{B,3}    P_{I,3}        P_{A,3}
★★★★☆ (4 stars)    P_{B,4}    P_{I,4}        P_{A,4}
★★★★★ (5 stars)    P_{B,5}    P_{I,5}        P_{A,5}

Furthermore, based on the actual data, 3 different scenarios can be suggested, each aiming at a specific purpose of analyzing the PbD checklist.

• Basic-focused: this scenario stresses the importance of Basic. To reach a higher star rating, organizations should commit to implementing as many Basic PbD activities as possible;

• Optimistic: this scenario provides a tolerant basis for reaching the different stars, with regard to the current real-world implementations;

• Stringent: this scenario defines challenging percentages for organizations to receive a higher star rating.

For each scenario, an example of the percentage setting can be found in the following tables, respectively:

Table [5.3]. Thresholds of Privacy Star Rating: Basic-focused

Star               Basic   Intermediate   Advanced
★☆☆☆☆ (1 star)     0       0              0
★★☆☆☆ (2 stars)    40%     25%            10%
★★★☆☆ (3 stars)    60%     35%            20%
★★★★☆ (4 stars)    80%     45%            30%
★★★★★ (5 stars)    95%     55%            40%


Table [5.4]. Thresholds of Privacy Star Rating: Optimistic

Star               Basic   Intermediate   Advanced
★☆☆☆☆ (1 star)     0       0              0
★★☆☆☆ (2 stars)    30%     25%            15%
★★★☆☆ (3 stars)    50%     40%            30%
★★★★☆ (4 stars)    70%     55%            45%
★★★★★ (5 stars)    90%     70%            60%

Table [5.5]. Thresholds of Privacy Star Rating: Stringent

Star               Basic   Intermediate   Advanced
★☆☆☆☆ (1 star)     0       0              0
★★☆☆☆ (2 stars)    35%     25%            15%
★★★☆☆ (3 stars)    55%     45%            35%
★★★★☆ (4 stars)    75%     65%            55%
★★★★★ (5 stars)    95%     85%            75%
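As an added example (written for this edition, not code from the thesis or from SIG), the Python below computes the per-tier implementation percentages that the transition table compares against and applies the three threshold scenarios of Tables 5.3 to 5.5; it also shows that the "all Basic, nothing else" case from Section 5.2.3 stays at one star under every scenario. The sample checklist is a constructed subset of activity ids from the tables in Chapter 3 (DM2 per the updated Table 5.1), and the rule that each star row must be met in sequence is an assumption.

```python
# Privacy requirement tiers, in the column order of Tables 5.2 to 5.5.
TIERS = ("Basic", "Intermediate", "Advanced")

# Threshold scenarios of Tables 5.3, 5.4 and 5.5: for each star count, the minimum
# percentage of fully implemented activities required per tier (Basic, Intermediate, Advanced).
SCENARIOS = {
    "Basic-focused": {1: (0, 0, 0), 2: (40, 25, 10), 3: (60, 35, 20), 4: (80, 45, 30), 5: (95, 55, 40)},
    "Optimistic":    {1: (0, 0, 0), 2: (30, 25, 15), 3: (50, 40, 30), 4: (70, 55, 45), 5: (90, 70, 60)},
    "Stringent":     {1: (0, 0, 0), 2: (35, 25, 15), 3: (55, 45, 35), 4: (75, 65, 55), 5: (95, 85, 75)},
}

# Constructed checklist: a small subset of activity ids from Tables 3.11-3.17 (DM2 taken
# from the updated Table 5.1), each mapped to its tier. The real model has many more.
SAMPLE_TIERS = {
    "LC1": "Basic", "LC2": "Basic", "TO6": "Basic", "AC1": "Basic",
    "LC7": "Intermediate", "DM2": "Intermediate", "IS3": "Intermediate",
    "DM3": "Advanced", "TO9": "Advanced", "IS7": "Advanced",
}


def tier_percentages(tiers: dict, implemented: set) -> dict:
    """Share (in percent) of fully implemented activities per tier, pooled over all
    privacy principles; this is the quantity the P_{B,i}, P_{I,i}, P_{A,i} thresholds
    are compared against. A tier with no activities scores 0.
    """
    pct = {}
    for tier in TIERS:
        ids = [act for act, t in tiers.items() if t == tier]
        done = sum(1 for act in ids if act in implemented)
        pct[tier] = 100.0 * done / len(ids) if ids else 0.0
    return pct


def star_rating(pct: dict, scenario: str) -> int:
    """Stars awarded under one scenario: rows are checked from 1 star upwards and the
    first row whose three thresholds are not all met stops the climb, so a system that
    clears the 4-star Basic threshold but not the 4-star Advanced one stays at 3 stars.
    """
    stars = 0
    for n, thresholds in sorted(SCENARIOS[scenario].items()):
        if all(pct[tier] >= threshold for tier, threshold in zip(TIERS, thresholds)):
            stars = n
        else:
            break
    return stars


def rate_all(tiers: dict, implemented: set) -> dict:
    """Star count per scenario for one questionnaire result."""
    pct = tier_percentages(tiers, implemented)
    return {name: star_rating(pct, name) for name in SCENARIOS}


if __name__ == "__main__":
    # Constructed answers: 3 of 4 Basic, 2 of 3 Intermediate and 1 of 3 Advanced implemented.
    done = {"LC1", "LC2", "TO6", "LC7", "IS3", "DM3"}
    print(tier_percentages(SAMPLE_TIERS, done))
    print(rate_all(SAMPLE_TIERS, done))
```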


6. Conclusions

Living in the digital era, more and more people start to realize the criticality of privacy issues. Apart from simply enjoying the advancement of technologies, the problems in collecting and processing (sometimes irrelevant) PII have long remained unsolved.

This research on the Privacy Maturity Model thus has its significance in both the academic and the industrial field. On the one hand, this research is a breakthrough, for its distinctive technology-specific features compared with the existing PIA. On the other hand, with the Privacy Maturity Model working as a guideline for implementing PbD activities, modern companies and organizations whose services rely on the collection and processing of PII will be able to build services and conduct activities with more mature privacy considerations.

6.1. Privacy Requires Proactive Thinking

Although modern companies and organizations are spending more time and resources on figuring out issues with privacy, the dominant trend is still "change once we are forced to". This can be supported by 3 aspects:

• A recent trigger for companies and organizations to rethink their privacy is nothing other than the newly released GDPR. Guidelines on how to conduct privacy-binding activities have been emerging and can easily be found online, but their contents are more about "how to avoid paying fines by conducting activities that have been set as mandatory in the GDPR". For a company/organization that intends to implement Privacy by Design, following these regulation-based guidelines is obviously far from sufficient, because what can be found in these online accessible guidelines is merely several PbD activities categorized as Basic in our Privacy Maturity Model.

• It is commonly seen that companies/organizations only focus on data protection, without considering the whole PII workflow, which includes data collection and data processing as well (see Chapter 3.1). Several companies and organizations we witnessed during this research regard privacy as the same concept as information security; a common case is that at first they collect as much PII as possible to enhance security aspects, and later have to suffer a higher risk of data breach. However, information security is only one of the seven privacy principles covered by the Privacy Maturity Model.

• The group of people who hold a proactive mindset is comparatively small within the whole organization. This aspect of the problem is revealed by the interview with Company Y. Although Company Y has received higher privacy maturity levels, employees who are eager to think proactively about privacy are still limited to the ones who directly deal with privacy issues. According to Company Y, it is still often the case that an ambitious plan on privacy is ignored by the management team, and might take several years to be actually implemented.

The aspects above reflect the importance of having a model that can better guide companies/organizations to reach a higher privacy maturity level. The Privacy Maturity Model proposed in this research can raise more privacy awareness, as well as encourage companies/organizations to move from implementing PbD activities reactively to implementing them proactively.

6.2. Improvement of the Privacy Maturity Model

During recent years, both BSIMM and OWASP ASVS have been going through a process of further development. BSIMM has now reached its sixth version and OWASP ASVS is in its third version. Looking at the historical versions of both models, it is obvious that both their size and their content have been refined. Designed analogously to these two maturity models, the Privacy Maturity Model will also be subject to change both in size and in content in the future.

Reviewing and revising the Privacy Maturity Model can be triggered by events such as a major update of ISO 29100 or of any European/world-class privacy regulations. Two main aspects shall be considered in order to make adjustments to the Privacy Maturity Model:

• Completeness. This means checking whether the PbD activities listed under each privacy principle in the Privacy Maturity Model are complete. When there is a need to add new PbD activities, modify existing PbD activities, or remove outdated PbD activities, expert opinions shall be taken into consideration. This also ensures that no overlap between activities will appear.

• Evolution of privacy requirements. In Chapter 3.3, the privacy requirements are defined as Basic, Intermediate, and Advanced. The mapping between PbD activities and these requirements is dynamic. In the future, with the development of the concept of Privacy-by-Design, existing PbD activities in the current checklist might become more common or even obligatory practices. Therefore, it is crucial to make sure that the mapping between PbD activities and the privacy requirements is up-to-date.


6.3. Limitations and Further Research

Having seen how modern companies and organizations are dealing with privacy issues, it has to be admitted that the improvement of information privacy is not, and will not be, something that happens immediately. As discussed in Chapter 5.2.1, the most challenging issue in this research is the lower-than-expected response rate to the privacy questionnaire.

Nevertheless, this research on the Privacy Maturity Model serves as an initializer in the field, and is expected to raise several relevant research topics in the near future. Once a larger number of data points is available, it will be interesting to automatically process the questionnaire results for the model evaluation. Further research will focus on developing a benchmark and model calibration based on data collected from various industries.


References

[AICPA/CICA, 2011] American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants. (2011). Privacy Maturity Model. Retrieved from http://www.kscpa.org/writable/files/AICPADocuments/10-229_aicpa_cica_privacy_maturity_model_finalebook.pdf

[Banisar & Davies, 1999] Banisar, D., & Davies, S. (1999). Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments. Journal of Computer & Information Law, XVIII, 1–111. Retrieved from http://heinonlinebackup.com/hol-cgi-bin/get_pdf.cgi?handle=hein.journals/jmjcila18&section=4

[Borking & Raab, 2001] Borking, J. J., & Raab, C. (2001). Laws, PETs and other technologies for privacy protection. Journal of Information, Law and Technology, 1(February), 1–14.

[BSIMM6, 2015] McGraw, G., Migues, S., West, J., Arkin, A. B., Routh, A. J., … Derdouri, S. (2015). BSIMM6. Retrieved from http://www.inf.ed.ac.uk/teaching/courses/sp/2015/lecs/BSIMM6.pdf

[CMMI v1.3, 2011] CMMI for Development, Version 1.3. (2010). Retrieved from http://resources.sei.cmu.edu/asset_files/TechnicalReport/2010_005_001_15287.pdf

[Comparison of International Privacy Concepts] Comparison of International Privacy Concepts - AICPA. Aicpa.org. Retrieved 2016, from http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/GenerallyAcceptedPrivacyPrinciples/Pages/InternationalPrivacyConcepts.aspx

[Danezis et al., 2014] Danezis, G., Domingo-Ferrer, J., Hansen, M., Hoepman, J.-H., Metayer, D. Le, Tirtea, R., & Schiffner, S. (2014). Privacy and Data Protection by Design - from policy to engineering. Retrieved from http://arxiv.org/abs/1501.03726

[De Hert, Kloza & Wright, 2012] De Hert, P., Kloza, D., & Wright, D. (2012). Recommendations for a privacy impact assessment framework for the European Union.

[European Commission, 2016] Reform of EU data protection rules - European Commission. (2016). ec.europa.eu. Retrieved 2016, from http://ec.europa.eu/justice/data-protection/reform/index_en.htm

[Directive 95/46/EC, 1995] European Parliament. (1995). Directive 95/46/EC. Official Journal of the European Communities, L 281/31(L).


[Finkle & Volz, 2015] Finkle, J. & Volz, D. (2015). Database of 191 million U.S. voters exposed on Internet: researcher. Reuters UK. Retrieved from http://uk.reuters.com/article/us-usa-voters-breach-idUKKBN0UB1E020151229

[Flaherty, 2000] Flaherty, D. (2000). Privacy impact assessments: an essential tool for data protection. In Privacy Law and Policy Reporter (Vol. 7, p. 85). Retrieved from http://www.austlii.edu.au/au/journals/PLPR/2000/45.html

[Heurix et al., 2015] Heurix, J., Zimmermann, P., Neubauer, T., & Fenz, S. (2015). A taxonomy for privacy enhancing technologies. Computers and Security, 53, 1–17. http://doi.org/10.1016/j.cose.2015.05.002

[Hinde, 2014] Hinde, C. (2014). A Model to Assess Organisational Information Privacy Maturity against the Protection of Personal Information Act. University of Cape Town.

[Huijben, 2014] Huijben, K. (2014). A lightweight, flexible evaluation framework to measure the ISO 27002 information security controls. Radboud University.

[ISO/IEC 29100: 2011] ISO/IEC 29100:2011. (2011). Information technology — Security techniques — Privacy framework. International Standard.

[Kelion, 2016] Kelion, L. (2016). Facebook Moments facial-recognition app launches in Europe - BBC News. BBC News. Retrieved from http://www.bbc.com/news/technology-36256765

[Le et al., 2015] Le, D., Inria, M., Trilateral, I. K., & María, J. (2015). PRIPARE: Privacy- and Security-by-Design Methodology Handbook.

[McGee, 2016] McGee, M. (2016). Verizon Confirms Breach Affecting Business Customers. Databreachtoday.eu. Retrieved from http://www.databreachtoday.eu/verizon-confirms-breach-affecting-business-customers-a-8991

[New Zealand Government, 2014 (1)] New Zealand Government. (2014). Privacy Maturity Assessment Framework: Elements, attributes, and criteria (version 2.0).

[New Zealand Government, 2014 (2)] New Zealand Government. (2014). User guide for the Privacy Maturity Assessment Framework.

[OECD, 1980] Organisation for Economic Cooperation and Development guidelines Annex to the recommendation of the Council of 23 September 1980: Guidelines governing the protection of privacy and transborder flows of personal data. (1980).

[OWASP ASVS 3.0, 2015] Application Security Verification Standard 3.0. (2015). Retrieved from https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf


[Pew Research Center, 2013] Social Networking Fact Sheet. (2013). Pew Research Center: Internet, Science & Tech. Retrieved September 2014, from http://www.pewinternet.org/fact-sheets/social-networking-fact-sheet/

[Revoredo et al., 2014] Revoredo, M., Marcelo, C., Lutiano, J., Melo, R. M., Batista, R., Lucien, L. R., … Garcia, V. C. (2014). A Privacy Maturity Model for Cloud Storage Services. http://doi.org/10.1109/CLOUD.2014.135

[Roger, 2015] Roger, H. (2015). Right of Subject Access – From request to response: An analysis of process performance. Leiden University.

[Schwaig, Kane & Storey, 2006] Schwaig, K. S., Kane, G. C., & Storey, V. C. (2006). Compliance to the fair information practices: How are the Fortune 500 handling online privacy disclosures? Information and Management, 43(7), 805–820. http://doi.org/10.1016/j.im.2006.07.003

[Thiesse, 2007] Thiesse, F. (2007). RFID, privacy and the perception of risk: A strategic framework. Journal of Strategic Information Systems, 16(2), 214–232. http://doi.org/10.1016/j.jsis.2007.05.006

[Warren and Brandeis, 1890] Warren, S. D., & Brandeis, L. D. (1890). The Right to Privacy. Harvard Law Review, 4(5), 193–220.

[Wright, 2013] Wright, D. (2013). Making Privacy Impact Assessment More Effective. The Information Society: An International Journal, 29, 307–315. http://doi.org/10.1080/01972243.2013.825687


Appendices

Appendix A: The Privacy Questionnaire

This part has been removed from the thesis due to the concern of confidentiality. The questionnaire has been handed in separately to the thesis advisors.


Appendix B: The Invitation Letter

A practical approach to assess privacy protection in and around IT applications

Invitation to participate in research

Privacy is increasingly important to citizens and policy makers. Organizations that collect and process privacy-sensitive information are under rapidly increasing scrutiny.

IT applications play a key role in both processing and protecting privacy-sensitive information. While existing privacy assessment methods address privacy protection at a broad organizational level, the need arises for practical approaches that do justice to this key role of IT applications.

In joint research, Leiden University and the Software Improvement Group (SIG) are developing a Privacy Maturity Model that applies to an IT application in its organizational context.

We now invite organizations that rely on IT applications to process and protect privacy-sensitive information to participate in our research. Participating organizations are invited to go through the following steps:

1. Fill out a questionnaire. This will take approximately 2 hours in total, divided over two or three employees with knowledge of application functionality, architecture, and privacy requirements.

2. Partake in an interview. This will take approximately 1.5 hours. The interview includes a discussion of the filled-out questionnaire.

Feedback will be provided to the participating organizations in the form of a Privacy Maturity report together with an interactive session. All study results will remain anonymous.

Please express your interest to participate in this study via privacypractice@sig.eu. We will contact you to make all necessary arrangements.

We are looking forward to your contribution!

Prof. dr. ir. Joost Visser (Software Improvement Group & Radboud University Nijmegen)

Dr. Amr Ali-Eldin (Leiden Institute of Advanced Computer Science, Leiden University)


Appendix C: The Mapping between PbD Activities and Questions

This part has been removed from the thesis due to the concern of confidentiality. This part has been handed in separately to the thesis advisors.