An Organizational Scheme for Privacy Impact Assessments

Vemou, Konstantina; Karyda, Maria

doi:10.1007/978-3-030-11395-7_22

Cited by 5 publications

(14 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several standardisation bodies and data protection authorities have established legal frameworks and guidelines which mandate the conduction of PIA, among them the GDPR regulation [ 8 ]. However, even though the initial notion of a PIA method dates back to 2009 [ 31 ] and several published frameworks and guidelines set the principles for the conduction of privacy impact assessment, PIA remains a challenging and difficult process due to the multiple aspects that an assessor needs to consider [ 33 ]. According to GDPR, a type of processing is likely to result in a high risk to the rights and freedoms of natural persons thus the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.…”

Section: Related Workmentioning

confidence: 99%

“…Privacy data protection standards (e.g., BS 10012:2017 [ 35 ], ISO/IEC 29151:2017 [ 36 ] and ISO/IEC 27018:2014 [ 37 ]), can be found in the literature focusing on PIA as a requirement in the execution of cybersecurity risk assessments. PIA and cybersecurity risk assessments are, however, treated as two different and uncorrelated processes [ 32 , 38 ], with a clear gap on automated tools, methods and models that implement PIA [ 33 ]. Even though standards (e.g., ISO/IEC 29134:2017 [ 39 ]) provide details and guidance to conduct privacy impact assessments, they are very generic, and provide high-level information that in some cases is insufficient to perform an appropriate privacy risk assessment [ 38 ].…”

Section: Related Workmentioning

confidence: 99%

“…These guidelines follow different approaches and propose diverse steps for conducting PIA. Thus, the adoption of a single methodology becomes a difficult task for an organisation and organising a PIA project becomes a maze-like process [ 33 ]. While there are differences in the aforementioned approaches, they are equally suitable for conducting a DPIA and produce largely similar results.…”

Section: Related Workmentioning

confidence: 99%

“…Thus, the inter-dependencies assist not only on the the data flows representation, but is also used to define the processing activities and the possible attack paths for privacy risk calculation. Yet, we offer a high level of automation, which has been documented as a gap in the state of the art of PIA conduction [ 33 ]. Overall, in order to meet the requirements of the regulatory frameworks and be in line with the requirement to increase automation in supporting the PIA processes, the privacy risk assessment module of AMBIENT offers the following advantageous characteristics: (i) Asset inter-dependencies documentation, (ii) Data processing flows identification, (iii) Automation and Dynamicity of PIA, (iv) Cyber risk consideration in PIA, (v) Mitigation controls, (vi) GDPR PIA support, and (vii) Automated privacy impact scoring.…”

Section: Related Workmentioning

confidence: 99%

See 3 more Smart Citations

Automated Cyber and Privacy Risk Management Toolkit

González-Granadillo

Menesidou

Papamartzivanos

et al. 2021

Sensors

View full text Add to dashboard Cite

Addressing cyber and privacy risks has never been more critical for organisations. While a number of risk assessment methodologies and software tools are available, it is most often the case that one must, at least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition, cyber risk assessment primarily investigates cyber risks as the consequence of vulnerabilities and threats that threaten assets of the investigated infrastructure. In fact, cyber risk assessment is decoupled from privacy impact assessment, which aims to detect privacy-specific threats and assess the degree of compliance with data protection legislation. Furthermore, a Privacy Impact Assessment (PIA) is conducted in a proactive manner during the design phase of a system, combining processing activities and their inter-dependencies with assets, vulnerabilities, real-time threats and Personally Identifiable Information (PII) that may occur during the dynamic life-cycle of systems. In this paper, we propose a cyber and privacy risk management toolkit, called AMBIENT (Automated Cyber and Privacy Risk Management Toolkit) that addresses the above challenges by implementing and integrating three distinct software tools. AMBIENT not only assesses cyber and privacy risks in a thorough and automated manner but it also offers decision-support capabilities, to recommend optimal safeguards using the well-known repository of the Center for Internet Security (CIS) Controls. To the best of our knowledge, AMBIENT is the first toolkit in the academic literature that brings together the aforementioned capabilities. To demonstrate its use, we have created a case scenario based on information about cyber attacks we have received from a healthcare organisation, as a reference sector that faces critical cyber and privacy threats.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Automated Cyber and Privacy Risk Management Toolkit

González-Granadillo

Menesidou

Papamartzivanos

et al. 2021

Sensors

View full text Add to dashboard Cite

show abstract

“…However, conducting a PIA remains a complicated and demanding task for organizations processing personal data, not only because of the lack of practical guidance (Meis and Heisel, 2015; Berendt et al , 2017; Van Puijenbroek and Hoepman, 2017; De and Le Métayer, 2017) but also because of the differences of methods available. While several methods and guidelines have been published by DPAs, they follow different approaches and provide limited practical assistance on how to organize a PIA project.…”

Section: Introductionmentioning

confidence: 99%

Evaluating privacy impact assessment methods: guidelines and best practice

Vemou

Karyda

2019

ICS

Self Cite

View full text Add to dashboard Cite

Purpose This paper aims to practically guide privacy impact assessment (PIA) implementation by proposing a PIA process incorporating best practices from existing PIA guidelines and privacy research. Design/methodology/approach This paper critically reviews and assesses generic PIA methods proposed by related research, data protection authorities and standard’s organizations, to identify best practices and practically support PIA practitioners. To address identified gaps, best practices from privacy literature are proposed. Findings This paper proposes a PIA process based on best practices, as well as an evaluation framework for existing PIA guidelines, focusing on practical support to PIA practitioners. Practical implications The proposed PIA process facilitates PIA practitioners in organizing and implementing PIA projects. This paper also provides an evaluation framework, comprising a comprehensive set of 17 criteria, for PIA practitioners to assess whether PIA methods/guidelines can adequately support requirements of their PIA projects (e.g. special legal framework and needs for PIA project organization guidance). Originality/value This research extends PIA guidelines (e.g. ISO 29134) by providing comprehensive and practical guidance to PIA practitioners. The proposed PIA process is based on best practices identified from evaluation of nine commonly used PIA methods, enriched with guidelines from privacy literature, to accommodate gaps and support tasks that were found to be inadequately described or lacking practical guidance.

show abstract

Tool-Assisted Risk Analysis for Data Protection Impact Assessment

Dashti

Ranise

2020

Privacy and Identity Management. Data for Better Living: AI and Privacy

View full text Add to dashboard Cite

Unlike the classical risk analysis that protects the assets of the company in question, the GDPR protects data subject's rights and freedoms, that is, the right to data protection and the right to have full control and knowledge about data processing concerning them. The GDPR articulates Data Protection Impact Assessment (DPIA) in article 35. DPIA is a risk-based process to enhance and demonstrate compliance with these requirements. We propose a methodology to conduct the DPIA in three steps and provide a supporting tool. In this paper, we particularly elaborate on risk analysis as a step of this methodology. The provided tool assists controllers to facilitate data subject's rights and freedoms. The assistance that our tool provides differentiates our work from the existing ones.

show abstract

An Organizational Scheme for Privacy Impact Assessments

Cited by 5 publications

References 10 publications

Automated Cyber and Privacy Risk Management Toolkit

Automated Cyber and Privacy Risk Management Toolkit

Evaluating privacy impact assessment methods: guidelines and best practice

Tool-Assisted Risk Analysis for Data Protection Impact Assessment

Contact Info

Product

Resources

About