Topic 9: Data Protection Impact Assessments

This guide was produced by the STAR project (Support Training Activities on the data protection Reform; 2017-2019), which is co-funded by the European Union under the Rights, Equality and Citizenship Programme 2014-2020 (RECRDAT-TRAI-AG-2016) under Grant Agreement No. 769138. More information, and other GDPR training resources, can be found at: www.project-star.eu

Guidance for using these slides (remove before delivering)

These slides are meant to be easily adaptable to different audiences. To facilitate this, each slide is assigned to a specific audience (see “relevant for:” in the notes). In the notes section below each slide, you find an indication of the slide’s degree of difficulty [i.e. whether it is suited for data protection beginners or not], its target audience [everyone vs authorities, lawyers, data protection officers, etc.], and its degree of importance [whether it is essential that you deliver it, or if it can be removed without impacting the effectiveness of the training].

Prior to training delivery, please:
- Read the slides and the notes thoroughly
- Take a look at the reading materials – they also serve to assist you in your preparation
- Remove/hide the slides that you consider unnecessary [right click on the slide miniature on the left and click ‘hide slide’]. A provisional categorisation has been made based on the depth and importance of the respective content
- Adjust slides to national or sectoral requirements
- Add content that you consider essential for your particular audience
- Feel free to replace the default layout with your organisation’s layout

How to Read the Slides’ Colour Frames [Remove Before Delivering]
- Green – is a basic slide: we encourage you to keep it
- Yellow – is a medium level slide: it is important, but does not jeopardise effectiveness if removed
- Red – is an advanced slide: consider adapting it to your audience, preparing your audience for it, or removing it if you deem it unnecessary
- Purple – advised adaptation: this slide should contain information regarding the national legislation complementing the EU Regulations; if the content regards a different Member State, we advise you replace it with the national, relevant content

Speaker Name
Title
Department
Contact details

Table of contents
1. Welcome and introduction
   a) Objectives
2. What is a DPIA, and why do we do them?
3. DPIA in practice
   a) Success and failure
   b) Understanding necessity, proportionality and risk in DPIA
   c) Consultation and working with stakeholders
4. Tips and tricks on conducting a DPIA
5. Q&A
6. Wrap-up and feedback

Objectives
- Explain the core concepts of what a DPIA is, and when they are required
- Provide some guidance on assessing data protection risks and impacts
- Point to sources of guidance
- Provide some hints and tips from our DPIA experience

Introductions
- What’s your level of experience and exposure with data protection?
- Have you carried out DPIAs before?
- Is there anything in particular you are hoping to get out of today?

What is a Data Protection Impact Assessment? Any thoughts?

What is a Data Protection Impact Assessment?
- One of the novel elements of the GDPR: it didn’t exist in the prior legislation
- The Regulation introduces a new legal obligation for data controllers
- Had precursors in optional impact assessment exercises and methodologies, e.g. Privacy Impact Assessments
- Has a use beyond compliance...

Information Commissioner’s Office’s perspective:
“A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.” (ICO)
“A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.” (also ICO)

DPIA in the GDPR
Recital 84: In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.

DPIA in the GDPR
Article 35(1): Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

A brief history lesson: Why assess impact?

A brief history lesson
Historical precursors:
- Environmental Impact Assessments / Environmental Impact Statements (1960s)
- Social impact assessments (1980s)
- Privacy impact assessments (PIA, 1990s-2000s)

A brief history lesson
Predecessors to the DPIA:
- Information Matching Privacy Impact Assessments, Privacy Act, New Zealand (1993)
- Article 20, Data Protection Directive 95/46/EC? (1995)
- PIA requisite for project approval, Management Board Secretariat, Ontario, Canada (1998)
- PIA Guide, Office of the Information and Privacy Commissioner (2001, 2010)
- Privacy Impact Assessment Questionnaire, Office of the Information and Privacy Commissioner, Alberta, Canada (2001)
- PIA Handbook, Office of the Privacy Commissioner, New Zealand (2002, 2007)
- E-Government Act, United States (2002)
- PIA Guide, Office of the Victoria Privacy Commissioner (2004, 2009)
- Privacy Impact Assessment Guide, Office of the Privacy Commissioner, Australia (2006, revised 2010)
- Privacy Impact Assessment Handbook, Information Commissioner’s Office, UK (2007, 2009)
- Data Handling Review, Cabinet Office UK (2008)
- Madrid Resolution, International Conference of Privacy and Data Protection Commissioners (2009)
- PIA Guidance, Health Information and Quality Authority, Ireland (2010)
- ISO 29134 – Guidelines for Privacy Impact Assessment (2017)

What is a DPIA? Summary
- Process / exercise
- Systematic
- An assessment of risk (but not necessarily a “risk assessment”)
- Legally required (for certain types of personal data processing)
- Opportunity to improve practices around privacy and handling of personal data

Questions?

DPIA potential and challenges

Potential to achieve:
- Protect social and data protection rights
- Prompts reflection on technology development / procurement process
- Build in values
- Support informed decision making
- Early warning system
- Input to Privacy-by-design
- Prevent negative impact on organisation (e.g. reputation)
- Demonstrates accountability
- Allows stakeholders to have input
- Sensitise multidisciplinary teams to data protection

Challenges to manage:
- Bureaucratic spread
- Wasted effort
- Token effort
- Lack of integration with project management
- Insular, minimum consultation
- “Defensive” DPIA

Do I need to do a DPIA? (threshold analysis)
You don’t always need to do a DPIA (not for every processing of personal data).
When? (according to GDPR, recitals 89 & 91):
- Processing involves new technologies
  - When no DPIA has been done before
  - Long time since initial processing
- Large scale processing operations
  - Considerable personal data
  - Regional, national or supranational level
  - Affect a large number of data subjects
  - New technology used at large scale
- Taking decisions about natural persons based on systematic or extensive evaluation of personal aspects (profiling)
- Processing special categories, biometric data, data on criminal convictions
- Monitoring publicly accessible areas on a large scale
- Any operations where a supervisory authority considers that processing is likely to result in high risks
- Where processing might prevent people exercising a right or using a service/contract
- Systematic / large scale

Article 29 Data Protection Working Party DPIA criteria
- Evaluation or scoring, including profiling and predicting
- Automated decision-making with legal or similar significant effects
- Systematic monitoring
- Sensitive data or data of a highly personal nature
- Data processed on a large scale
- Matching or combining datasets
- Data concerning vulnerable subjects
- Innovative use or applying new technology or organisational solutions
- When the processing itself prevents data subjects from exercising a right or using a service or contract

ICO DPIA screening checklist (1/2)
We always carry out a DPIA if we plan to:
- Use systematic and extensive profiling or automated decision-making to make significant decisions about people.
- Process special category data or criminal offence data on a large scale.
- Systematically monitor a publicly accessible place on a large scale.
- Use new technologies.
- Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit.
- Carry out profiling on a large scale.
- Process biometric or genetic data.
- Combine, compare or match data from multiple sources.
- Process personal data without providing a privacy notice directly to the individual.
- Process personal data in a way which involves tracking individuals’ online or offline location or behaviour.
- Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them.
- Process personal data which could result in a risk of physical harm in the event of a security breach.

ICO DPIA screening checklist (2/2)
We consider whether to do a DPIA if we plan to carry out any other:
- Evaluation or scoring.
- Automated decision-making with significant effects.
- Systematic processing of sensitive data or data of a highly personal nature.
- Processing on a large scale.
- Processing of data concerning vulnerable data subjects.
- Innovative technological or organisational solutions.
- Processing involving preventing data subjects from exercising a right or using a service or contract.
We consider carrying out a DPIA in any major project involving the use of personal data. If we decide not to carry out a DPIA, we document our reasons. We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.

[Your organisation’s screening check-list]
[Please fill in this slide with information about your organisation’s internal check list]

When is a DPIA not required?
A DPIA is not required in the following cases:
- where the processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1));
- when the nature, scope, context and purposes of the processing are very similar to the processing for which a DPIA has been carried out. In such cases, results of the DPIA for similar processing can be used (Article 35(1));
- where a processing operation has a legal basis in EU or Member State law, that law states that an initial DPIA does not have to be carried out, the law regulates the specific processing operation, and a DPIA, according to the standards of the GDPR, has already been carried out as part of the establishment of that legal basis (Article 35(10));
- where the processing is included on the optional list (established by the supervisory authority) of processing operations for which no DPIA is required (Article 35(5)). Such a list may contain processing activities that comply with the conditions specified by this authority, in particular through guidelines, specific decisions or authorizations, compliance rules, etc. (e.g. in France: authorizations, exemptions, simplified rules, compliance packs…). In such cases, and subject to reassessment by the competent supervisory authority, a DPIA is not required, but only if the processing falls strictly within the scope of the relevant procedure mentioned in the list and continues to comply fully with the relevant requirements.

Exercise: Threshold analysis
In groups of 4-5:
- Pick a case study
- Pick a threshold or screening criteria:
  - National supervisory authority
  - Article 29 Working Party
  - Your organisation
- Run the case study through the screening criteria, and decide whether this case study requires a full DPIA
- Be prepared to justify your decision

Your DPIA process
- The GDPR does not mandate a particular set process for a DPIA; nor does the ICO
- It does set some requirements for a valid process
- This allows organisations to develop their own internal approach, provided it meets those requirements
  - Allows for flexibility in terms of scope and scale
  - Allows for alignment with existing project management approaches
- So the first step for many: check if your organisation has a process

Minimum requirements from GDPR Article 35(7)
A) A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller
  - Nature, scope, purposes of processing
  - Personal data, recipients, storage period
  - Functional description of the processing operation
  - Assets on which personal data rely are identified
B) An assessment of the necessity and proportionality of the processing operations in relation to the purposes
C) An assessment of the risks to the rights and freedoms of data subjects
  - Origin, nature, particularity and severity of risks are taken into account
  - From the perspective of the data subject
  - Impacts in case of illegitimate access, undesired modification, disappearance of data?
  - Likelihood and severity estimated
D) The measures envisaged to address risks, including safeguards
  - Measures to comply with the GDPR are determined: security measures; purpose, lawfulness and limited; measures contributing to rights of data subjects
  - Mechanisms to ensure the protection of personal data
  - Mechanisms to demonstrate compliance with the Regulation

[Flowchart] A DPIA process in three stages

Preparation stage:
- (Further) development of technical organisational system
- Decision to implement a DPIA, or change of circumstances since last DPIA
- Relevance threshold: Is a DPIA necessary? (No: documentation required. Yes: continue)
- Define scope and identify DPIA team
- Description of system, identification of data and data flows
- Identification of actors involved / persons concerned
- Identification of relevant legal requirements
- Documentation of tasks and issues

Evaluation stage:
- Identification of protection goals
- Identification of potential attackers, motives and objectives (supported by a catalogue of typical objectives, attackers and consequences)
- Identification of evaluation criteria and benchmarks
- Evaluation of risks
- Documentation of evaluation results in standard form

Report and safeguard stage:
- Identification of appropriate safeguards (supported by a catalogue of typical safeguards)
- Implementation of safeguards
- DPIA report
- Publication of DPIA report
- Auditing of evaluation results
- Supervision and continuation
- End of DPIA cycle

Source: A Process for Data Protection Impact Assessment Under the European General Data Protection Regulation – Felix Bieker, Michael Friedewald, Marit Hansen, Hannah Obersteller, Martin Rost (2016)

The WP29 process [diagram]

The ICO process [diagram]

Assessing risk
- Risk to the rights and freedoms of data subjects (people!)
- Not organisational risk management (e.g. risk = we get fined by the DPA)
- Start from the perspective of the data subject whose personal data is going to be processed
- Include other potentially impacted parties
- Requires sensitising yourself (or the project team) to potential privacy risks

Discussion: What’s the biggest privacy harm that you have suffered?

Common privacy risks and harms
- Lack of consent
- Breaking commonly held assumptions about privacy
- Lack of meaningful choice
- Lack of transparency
- Excessive surveillance
- No responsibility for privacy
- Power asymmetries
- Data breach
- Manipulation (advertising, politics)
- Embarrassment / loss of dignity
- Allowing third party intrusion (e.g. government, criminals)
- Chilling effects
- Function creep
- Reduction in autonomy / choice
- Unjust inferences
- Reduction in private space (physical, mental)
- Loss of anonymity
- Social sorting / stereotyping
- Reputation damage
- Discrimination
- Loss of confidentiality
- Prevention of ability to exercise rights
- Basing decisions on incorrect information (“weapons of math destruction”)
- Prevention of ability to exercise data protection rights
- Increased vulnerability to cyber crime
- Insufficient information about processing
- Loss of data

Exercise: privacy risk assessment
In small groups:
- Pick a case study
- Identify as many potential privacy risks as you can

Consultation
The GDPR, Article 35(9): “Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.”
ICO: “Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?”

Who to consult?
- DPO
- All internal functions involved in the project
- CISO
- Data subjects
- Their representatives: unions, student bodies, industry associations, collective bodies etc.
- Potentially impacted third parties (e.g. if data subjects get special treatment, what about those people who might be excluded from a process?)
- Processors
- Technology/software vendors
- Security and privacy experts
- Ethicists, sociologists

How to consult
- Surveys (quantitative or qualitative)
- In-depth interviews
- Focus groups / user panels
- Prototype demonstrations / mock-ups / walk-throughs
- Service blueprints / storyboards
- Existing research on attitudes

Questions?

Involving the Data Protection Officer
GDPR, Article 35(2): The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
- What advice should you be seeking?
- What questions could you ask?
- Can the DPO do my DPIA for me?

The role of the statutory DPO
The data controller (you) has an obligation to seek the statutory DPO’s advice when you carry out a DPIA. We can provide advice as to:
- whether you need to do a DPIA in the first place;
- the best approach and methodology to carry out the DPIA;
- whether a combination of internal data protection staff and process owners can effectively carry out the DPIA, or whether additional support is required;
- the market standard safeguards you can take into account to mitigate risks;
- whether you’ve done the DPIA correctly, from a methodological and/or substantive point of view.
Finally, it is our task to give the green light as to whether the processing can go ahead and, if you decide against our advice, you should keep records of the reasoning behind this decision. We might, from time to time and in liaison with the internal UCAM data protection specialists (Knapton, Wheeler, Priestley), decide to audit the implementation of the DPIA outcomes.
Note: the statutory DPO cannot perform a DPIA, as it would conflict with the DPO’s statutory duties to oversee and approve DPIAs.

Publishing your DPIA?

Reasons to publish:
- Demonstrate compliance
- Transparency
- Boost trust and confidence
- Demonstrate respect for privacy and protection of personal data
  - To customers
  - To partner organisations

Reasons not to publish:
- Commercial sensitivity
- Competitive advantage
- Risk of cherry picking or misinterpreting the report (“Cambridge University says its personal data processing poses a high risk to rights and freedoms!”)

Do I need to send the DPIA to the data protection authority?
No, unless… the DPIA identifies a high risk, and you cannot take measures to reduce that risk. You can’t begin processing until you have consulted the supervisory authority.
- DPAs have freedom to choose their preferred means of submission of the DPIA (e.g. in the UK, via email)
- Response is typically given within weeks, not days
- The DPA will advise whether the risks are acceptable and on any further action, and may advise not to carry out the processing

Information Commissioner’s Office DPIA guidance
- General GDPR guidance: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/#dpia5
- DPIA template: https://ico.org.uk/media/about-the-ico/consultations/2258461/dpia-template-v04-post-comms-review20180308.pdf

ISO/IEC 29134 – Guidelines for privacy impact assessment
- Broader than DPIA
- Framed within an organisational risk management framework
- International: needs to be read alongside the GDPR
- Does contain:
  - Process guidance
  - What should be in the report
  - Risk assessment guidance
  - Generic threats
  - Criteria for assessing scale and likelihood of risk

DPIA online tools: CNIL DPIA tool
The French DPA, CNIL, developed a software tool to support DPIA. It is open source, and freely available (in English, French & Italian).
https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment

Other useful sources of DPIA guidance
- Data protection authorities
- Professional literature
- Academic literature
- Other published DPIAs
- Technology vendors/suppliers (caution)

We have covered:
- What is a DPIA, and why do we do them?
- DPIA in practice
  - Success and failure
  - Understanding necessity, proportionality and risk in DPIA
  - Consultation and working with stakeholders
- Sources of guidance
- Tips and tricks on conducting a DPIA

Evaluation and feedback
- Evaluation forms
- Attendance sheet

Credits
These training materials are based on standard training materials developed in the context of the project “Supporting Training Activities on the Data Protection Reform” – STAR (http://www.project-star.eu/). This project has received funding from the European Union under the REC Action Grant programme, Grant Agreement No 769138 (2017-2019). The default version of the training materials is available free of charge on the STAR project website.