Everything you always wanted to know about privacy impact assessments but were afraid to ask


Slide 1: PON Congres, 13 October 2016. Everything you always wanted to know about privacy impact assessments but were afraid to ask. Albert Holl

Slide 2: Introduction

Capgemini cybersecurity service lines: Strategy, Governance & People; Transformation; Build & Operations. Services shown:
- Digital security assessment & strategy and risk management
- Cybersecurity awareness & training
- Security transformation, operating model implementation, program management
- Application security testing & technical security testing (e.g. SCADA)
- Implementation of security solutions & managed security services (e.g. SOC)

2,500+ Capgemini resources worldwide with cybersecurity skills.

[World map of Capgemini locations: Canada, United States, Mexico, Colombia, Guatemala, Brazil, Chile, Argentina, all over Europe, Morocco, South Africa, United Arab Emirates, India, People's Republic of China, Taiwan, Japan, Vietnam, Philippines, Malaysia, Singapore, Australia, New Zealand]

Agenda:
- Introduction to Privacy Impact Assessments (PIA)
- Privacy impact assessment of the organization
- PIA tooling during implementation and operation
- PIA & privacy-by-design as an enabler for new digital initiatives

Slide 3: What is a Privacy Impact Assessment?

There is a lot of confusion in the market on when and how to conduct a PIA. Strictly, the GDPR defines the PIA (data protection impact assessment, art. 35) as an assessment of personal data processing that uses new technologies, while the recitals place it in the broader context of compliance management.

"In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. [...]" (GDPR recital 84)

"[...] types of processing [...] involve using new technologies [...] In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk." (GDPR recitals 89, 90)

Slide 4: Privacy Impact Assessments (PIAs) can be performed for various purposes, and therefore different approaches are needed in particular contexts. Three different PIA approaches are presented:

1. PIA on the organization (scope: privacy governance & policies). The organizational privacy impact assessment reviews basically all GDPR articles and gives the insight needed to define the organization's privacy governance and policy framework.
2. PIA on operations (scope: business processes, systems & people). The operational privacy impact assessment is closely related to the responsibility of the controller (art. 24 GDPR). It reviews the technical & organizational measures of the existing operations for compliance with the GDPR.
3. PIA on new business initiatives (scope: new product & service development, marketing programs, campaigns, etc.). Data protection impact assessments (as described in art. 35 GDPR) are required where the use of new technologies is likely to result in a high risk to the rights and freedoms of natural persons. Risk-mitigating measures have to be designed into products by default (art. 25 GDPR).

Slide 5: 1. Organizational PIA. Stepping stone to create a comprehensive GDPR governance & policy framework

Slide 6: The Organizational PIA is based on the new EU data privacy regulation, common industry standards and best practices.

The main objective of the Organizational PIA is to determine the measures needed to make the organization privacy compliant at a governance and policy level. In practice, the NYMITY standard provides a good framework to perform the assessment; it contains 55 compliance controls and 84 optional performance indicators.

The Operational PIA is clustered in the following 13 privacy management categories:
1. Governance Structure
2. Personal Data Inventory
3. Privacy Policy
4. Privacy Into Operations
5. Training & Awareness
6. Information Security Risk
7. Manage Third-Party Risk
8. Maintain Notices
9. Right of Individuals
10. New Operational Practices
11. Data Breach Management
12. Data Handling Monitoring
13. Track External Criteria

Deliverables & Reporting. The Organizational PIA delivers the following output:
- Compliance report vs. GDPR baseline
- GDPR readiness benchmark vs. industry peers
- Roadmap of GDPR measures to reach GDPR compliance

Reporting is arranged according to the NYMITY privacy management categories and is based on the individual compliance and performance indicators.

Slide 7: Organizations are requested to be GDPR compliant by May 25; a phased program approach is advisable to ensure in-time implementation completion.

Proposal for a phased program approach towards GDPR compliance (timeline markers: early 2017, mid 2017, end; budget cycle 2017; Data Protection & Privacy Program):
- Phase 1: Organizational PIA (1-3 months)
- Phase 2: Concept (±6 months)
- Phase 3: Implementation (±6 months)
- Phase 4: Roll-out (±6 months)

Typical activities of the Organizational PIA phase:
1. Conduct stakeholder analysis.
2. Create data protection & privacy target picture.
3. GDPR gap analysis (as-is / to-be).
4. Formulate transition planning and roadmap 2017/
5. Define operating model, program structure and planning for the next phases.
6. Develop business case to justify investments in data protection & privacy.

Later phases: development of the GDPR policy framework and operating model; design of data protection and privacy assets; pilot & organization-wide roll-out. Activities are detailed based on the Organizational PIA.

Slide 8: 2. Operations PIA. Embedding GDPR requirements in current processes, systems and the hearts & minds of people

Slide 9: An Operations PIA should be performed to assess and consolidate the privacy impact on existing business processes, IT systems and the people involved.

Operations PIA. The main objective of the Operations PIA is to measure the gap between the privacy policy framework and the actual operations (read: processes, systems and the hearts and minds of people). During the execution of the Operations PIA, an individual policy might be applied to hundreds of processes and systems, engaging with large numbers of individuals in the organization. Therefore, a practical and (semi-)automated approach is needed to manage the Operations PIA processes.

Tooling. There are different tools available to support Operations PIAs. Usually these tools are workflow based, offer role-based reporting (e.g. privacy officer, systems owner, etc.) and provide a privacy compliance dashboard. Two examples of Operations PIA tools are the NYMITY Attestor and the Capgemini SMART PIA. Using large numbers of spreadsheets has proven not to be practical for performing Operational PIAs.

Key characteristics of the Operations PIA are:
- Assessment of large numbers of processes & systems
- Organization-wide engagement with management, policy makers and employees
- Risk-based identification of critical assets
- Embedded procedure to select the processes and systems on which to perform the Operations PIAs
- Reporting facilities on GDPR compliance status
- Delivery of mitigation proposals
- Monitoring of mitigation execution

Slide 10: Tool example: SMART PIA offers a number of standard features and reporting facilities to support Operations PIAs.

Features. The SMART PIA tool allows fast and repeatable Operations PIAs on larger numbers of processes and systems. Due to its automated workflow, the assessments are efficient and easy to manage. The individual results can be consolidated in the tool. Built-in questionnaires are based on the GDPR regulation and can be enriched with other baselines, e.g. BCRs. Currently the following features are available, or can be provided through configuration:
- Privacy Impact Assessments/BCRs
- Workflow to support Business/IT involvement
- Management reporting
- Data inventory per system
- Vendor risk management assessments
- Business impact assessments
- Multi-lingual assessments
- Multiple jurisdictions supported

Deliverables & Reporting. SMART PIA provides role-based reporting (e.g. privacy officer, systems owner, etc.) with dashboards on the following topics:
- Triage progress
- PIA progress
- Gap description
- Risk description
- Proposed mitigations
- Overall PIA impact

[Figure: Example of an overall PIA impact report]

Slide 11: 3. New Business PIA. The GDPR data protection impact assessment and privacy-by-default

Slide 12: When is a New Business PIA needed? Make the approach easy, so you can ALWAYS perform a New Business PIA! Art. 35 says... still waiting for DPA advice. When do I have to perform a New Business PIA? ALWAYS! EASY!?

Slide 13: You want to conduct new business, not be bothered by privacy constraints...

Business drivers. New business initiatives rely more and more on personal data usage, e.g.:
- Personalization and customization of products & services
- Omni-channel customer experience requires a consistent view on customer data (incl. permissions given)

New Business PIA characteristics:
- Large numbers (100+) of initiatives, projects and use cases that need to be assessed
- Quick insight into the risk profile of all new initiatives
- Short execution lead-times to avoid ROI delay
- CPO has limited time, so primary focus on decision making and high-risk initiatives
- Build privacy compliance into solutions by default
- Align with external customer privacy expectations

[Illustrations: Digital Airport Program Schiphol; Marketing Program BMW]
Source: Privacy Please: Why Retailers Need to Rethink Personalization, Capgemini Consulting research, 2015

Slide 14: Set up a workflow to conduct structural New Business PIAs on digital transformation programs in an effective and efficient way. During the first steps of the workflow the privacy risk is assessed.

PIA-Flow steps:
1. Select business use cases / business initiative.
2. Determine privacy impact in Privacy Risk Assessment.
3. Perform legal compliance check against privacy policy.
4. Check initiative against the company's privacy commitments.
5. Determine individual consent requirements (e.g. opt-in).
6. Provide privacy guidance to business initiative.
7. Derive privacy requirements for business initiative.
8. Deliver privacy requirements to business initiative.

Enable the business to determine the privacy impact:
- Low: the standard set of privacy requirements applies.
- Medium: a tailored set of privacy requirements is generated by PIA-Flow.
- High: generate PIA-Flow requirements and involve external stakeholders (e.g. regulators, consumer organizations, NGOs).

Slide 15: An organization should make clear and concise privacy commitments to its customers and other stakeholders, and keep that promise. The New Business PIA ensures that all initiatives are checked against the privacy commitments (PIA-Flow steps 1-8 as listed on slide 14).

- Stakeholder engagement is crucial in the realization of personal-data-driven strategies.
- Research finds that a customer privacy charter has great potential to differentiate companies from their competition.
- Examples of new big data initiatives and profiling that made negative headlines (while fully compliant with the law): ING (2014); Equens (2013).

Slide 16: Examples of Customer (Privacy) Charters. [Images: printed flyer; Amsterdam Privacy Conference]

Slide 17: Determine the individual consent requirements that are required and advisable to enable the organization's business initiatives. The New Business PIA provides a consistent permission management framework (PIA-Flow steps 1-8 as listed on slide 14).

Individual consent is a great opportunity for processing of personal data:
- User consent allows processing of personal data in most cases.
- Be aware: consent-based relationships require sustainable customer value creation.
- Consent is a powerful instrument to reinforce the legitimate business purpose chosen for the processing of personal data (does the customer really agree that this is a legitimate business purpose?).

Slide 18: Example of a permission management matrix, to determine the required means of consent for the various business purposes. Determine appropriate measures for obtaining individual consent (e.g. from customers).

- Columns: business purpose (increasingly privacy intruding), e.g. delivery of service, logistics optimization, product development, advertising, location based services, etc.
- Rows: nature of personal data (increasing sensitivity of data), e.g. customer account data, traffic data, browsing behavior, financial data, health data, etc.
- Cells: means of consent, ranging over transactional, opt-in, opt-out, transparency note and no use.

Slide 19: The New Business PIA provides privacy guidance and delivers privacy requirements to the business initiatives. Deliver a tailored set of privacy requirements during the project starting phase (PIA-Flow steps 1-8 as listed on slide 14).

Deliver privacy requirements to the business initiatives:
- Support the privacy-by-design principle by delivering a tailored set of requirements to the business initiatives.
- Build privacy compliance into solutions right from the start.
- For high-impact projects, consider performing design & test audits during the development phase, to ensure privacy requirements are actually implemented.

Slide 20: Recap: Three types of Privacy Impact Assessments (PIAs) can be performed. Different PIA approaches are needed to reach the desired objectives:
1. Organizational PIA. Objective: mature the privacy governance & policy framework.
2. Operations PIA. Objective: close the gap between the privacy governance & policy framework and the operations (business processes, systems & people).
3. New Business PIA. Objective: enable new business initiatives that increasingly rely on personal data usage.

Slide 21: Thank you. Contact details. Primary contact person: Albert Holl, Principal Manager Privacy. Reykjavikplein 1, P.O. Box 2575, 3500 GN Utrecht, The Netherlands. Phone: (not in transcription). E-mail: albert.holl@capgemini.com
