New process helps companies conduct data protection impact assessments
In May 2018, the European General Data Protection Regulation (GDPR) will enter into force. This requires companies and public authorities to carry out data protection impact assessments (DPIA) in certain cases. The aim of a DPIA is to identify, assess and contain potential risks that may arise for users as a result of data processing. However, currently there is a great deal of uncertainty as to how an impact assessment should be carried out in practice – and failure to do so may result in severe financial penalties. In this context, a new BMBF-funded project led by Fraunhofer ISI is testing a process for carrying out impact assessments. This will result in a detailed handbook on the practical implementation of DPIAs.
Data protection impact assessments, which will be mandatory in certain cases from May 2018 onwards, are intended to ensure that personal data is not subject to increased risk and that new technologies and data-processing procedures guarantee users the right to data protection and their other rights and freedoms. However, many companies and public authorities have little experience of carrying out such a risk assessment and need support. Since violations of the obligation to carry out an impact assessment can result in fines of up to EUR 10 million or 2 percent of global annual turnover, action is urgently needed.
To address this need, the project “Data Protection Impact Assessment for Companies and Public Authorities”, which is funded by the Federal Ministry of Education and Research (BMBF), was launched in September 2017. Together with Kiel University of Applied Sciences and FIZ Karlsruhe, Fraunhofer ISI will test a sophisticated method for conducting data protection impact assessments, which can be used in both large and small companies and by public authorities. Beyond fulfilling the legal DPIA obligations, the method also enables "privacy by design".
According to Dr. Michael Friedewald, coordinator of the project, the implementation of a data protection impact assessment is divided into four phases: "In the preparation phase, a company or an institution assesses whether a DPIA is necessary. If so, we move on to the second or assessment phase. In this phase the possible sources of risk and those affected by them are defined. Risks are then assessed on the basis of six fundamental protection goals (e.g. unlinkability of data, intervenability, confidentiality). Next, in the safeguard phase, appropriate safeguards must be identified, implemented and their effectiveness documented. Then, in the reporting phase, all the steps taken in the prior phases are written up in a report, to enable an independent assessment of the DPIA and inform the public."
In order to ensure the practicality of the method, tests will be started at the beginning of 2018 in cooperation with companies and public authorities. To maximise social benefits, the methodology will be tested with cases where sensitive data are processed that pose challenges for constitutional law or where technological progress is liable to give rise to social or political conflict. One such case is wearables, i.e. devices worn on the body such as smart bracelets or smart watches, which collect sensitive bodily data. They often require special protections to be implemented to safeguard users’ rights and interests. Other cases are Open Public Data – i.e. data collected by public authorities that is made freely available and useable – and the health sector, where the processing of sensitive patient data is a daily practice. Another focus is on video surveillance, which in recent years has led to more and more complete surveillance of citizens through ever more intelligent technology.
The DPIA process to be tested in the project is based on findings from previous research projects carried out by Fraunhofer ISI and the BMBF-funded "Privacy Forum", which has published a white paper entitled “Data Protection Impact Assessment – A Tool for Better Data Protection”. The new process will be described in detail in a handbook to enable companies and public authorities to carry out an impact assessment step by step themselves.
- Project web page “A Data Protection Impact Assessment (DPIA) Tool for Practical Use in Companies and Public Administration”
- White Paper “Data Protection Impact Assessment – A Tool for Better Data Protection” (in German)
- Press release “Impact assessment as an 'early warning system' for better data protection”
- Web page “Privacy Forum”
The Fraunhofer Institute for Systems and Innovation Research ISI analyzes the origins and impacts of innovations. We research the short- and long-term developments of innovation processes and the impacts of new technologies and services on society. On this basis, we are able to provide our clients from industry, politics and science with recommendations for action and perspectives for key decisions. Our expertise is founded on our scientific competence as well as an interdisciplinary and systemic research approach.