Evaluating privacy impact assessment methods: guidelines and best practice

Vemou, Konstantina; Karyda, Maria

doi:10.1108/ics-04-2019-0047

Cited by 13 publications

(17 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To facilitate an understanding of the PIA process, as well as the core components that are essential for establishing a riskbased approach, we illustrate a generalized PIA process inspired by works from [21] and [30] in Fig. 1.…”

Section: B Pia Processmentioning

confidence: 99%

“…Given the context and purpose of processing personal data, a data controller can assess whether the processing will result in high risk; hence, a threshold analysis should be performed [31]. The threshold analysis provides an overview of whether a full-blown PIA process is necessary [30], [31]. If a PIA process is necessary, the system is comprehensively described to model its behavior and characteristics.…”

Section: B Pia Processmentioning

confidence: 99%

See 1 more Smart Citation

On the Evaluation of Privacy Impact Assessment and Privacy Risk Assessment Methodologies: A Systematic Literature Review

Wairimu,

Iwaya,

Fritsch

et al. 2024

IEEE Access

View full text Add to dashboard Cite

Assessing privacy risks and incorporating privacy measures from the onset requires a comprehensive understanding of potential impacts on data subjects. Privacy Impact Assessments (PIAs) offer a systematic methodology for such purposes, which are closely related to Data Protection Impact Assessments (DPIAs), particularly outlined in Article 35 of the General Data Protection Regulation (GDPR). The core of a PIA is a Privacy Risk Assessment (PRA). PRAs can be integrated as part of full-fledged PIAs or independently developed to support PIA processes. Although these methodologies have been identified as essential enablers of privacy by design, their effectiveness has been criticized because of the lack of evidence of their rigorous and systematic evaluation. Hence, we conducted a Systematic Literature Review (SLR) to identify published PIA and PRA methodologies and assess how and to what extent they have been scientifically validated or evaluated. We found that these methodologies are rarely evaluated for their performance in practice, and most of them have only been validated in limited studies. Most validation evidence is found with PRA methodologies. Of the evaluated methodologies, PIAs were the most evaluated, where case studies were the predominant evaluation method. These evaluated methodologies can be easily transferred to an industrial setting or used by practitioners, as they provide evidence of their use in practice. In addition, the findings in this study can be used to inform researchers of the current state-of-the-art, and practitioners can understand the benefits and current limitations of the methodologies and adopt evidencebased practices.

show abstract

Section: B Pia Processmentioning

confidence: 99%

Section: B Pia Processmentioning

confidence: 99%

On the Evaluation of Privacy Impact Assessment and Privacy Risk Assessment Methodologies: A Systematic Literature Review

Wairimu,

Iwaya,

Fritsch

et al. 2024

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Privacy impact assessment (PIA) is a risk management approach which complement the privacy by design context [33] [34], evaluating the risk of every processing regarding to a specific initiative. PIA is necessarily carried out especially, in case of a (a) systematic and extensive evaluation of personal aspects (profiling), (b) existence of big data sensitive (Article 9) or (c) data about criminal convictions and offences (Article 10) and (d) a systematic monitoring of a publicly accessible area on a large scale.…”

Section: Security Of Personal Data (Articles 25 32-35)mentioning

confidence: 99%

GDPR Interference With Next Generation 5G and IoT Networks

Rizou

Alexandropoulou-Egyptiadou

Psannis

2020

IEEE Access

View full text Add to dashboard Cite

This article examines the specific data protection framework with regards to 5G networks, which is the current high-end evolution of the previous four generations of cellular technology networks [1]. Taking into consideration practical issues, that have emerged from 5G (Fifth Generation) technology, the scope is the presentation of legal solutions. As this digital mobile transformation will begin from 2020, affecting applications of a wide range of services in energy sector, transport services, banking sector, health field, as well as in industrial control systems [2], and progressively in everyday life through all smart devices. Ιt is crucial to specialize and sum up the interference between European data protection legal framework and 5G networks, in order to provide a new path to the addressing issues.

show abstract

“…The paramount importance of privacy preservation, along with the establishment of the General Data Protection Regulation (GDPR) that governs the European territory, has rendered the privacy risk assessment a rapidly changing field, due to notable standardisation actions and legal establishments. However, a common language and a practical methodology that is flexible enough to address diverse privacy needs is still missing [10], while the community has identified the need for further research towards the implementation of tools to support Privacy Impact Assessment (PIA) conduction [12].…”

Section: Introductionmentioning

confidence: 99%

“…This is rather contradictory considering the NIST proposed guidelines [10], according to which, the data protection lies in the intersection of the cybersecurity and privacy risks. Therefore, the lack of sufficient tools and methodologies that can offer the PIA a level of automation [12], so that risk impact assessment can be extracted in a timely manner, but most importantly the lack of proper metrics that can steer the decisions of the assessor in identifying, prioritising, anticipating and, finally, mitigating the risks, could raise questions on the effectiveness of the tools and the thoroughness of the assessments. Indeed, the diversity and complexity of proposed privacy properties makes an informed choice of metrics rather challenging [13] and sets the challenge ahead on how to efficiently converge the usually contradicting security and privacy requirements, of a business ecosystem, towards a better risk assessment and estimation.…”

Section: Introductionmentioning

confidence: 99%

A Perfect Match: Converging and Automating Privacy and Security Impact Assessment On-the-Fly

et al. 2021

View full text Add to dashboard Cite

As the upsurge of information and communication technologies has become the foundation of all modern application domains, fueled by the unprecedented amount of data being processed and exchanged, besides security concerns, there are also pressing privacy considerations that come into play. Compounding this issue, there is currently a documented gap between the cybersecurity and privacy risk assessment (RA) avenues, which are treated as distinct management processes and capitalise on rather rigid and make-like approaches. In this paper, we aim to combine the best of both worlds by proposing the APSIA (Automated Privacy and Security Impact Assessment) methodology, which stands for Automated Privacy and Security Impact Assessment. APSIA is powered by the use of interdependency graph models and data processing flows used to create a digital reflection of the cyber-physical environment of an organisation. Along with this model, we present a novel and extensible privacy risk scoring system for quantifying the privacy impact triggered by the identified vulnerabilities of the ICT infrastructure of an organisation. We provide a prototype implementation and demonstrate its applicability and efficacy through a specific case study in the context of a heavily regulated sector (i.e., assistive healthcare domain) where strict security and privacy considerations are not only expected but mandated so as to better showcase the beneficial characteristics of APSIA. Our approach can complement any existing security-based RA tool and provide the means to conduct an enhanced, dynamic and generic assessment as an integral part of an iterative and unified risk assessment process on-the-fly. Based on our findings, we posit open issues and challenges, and discuss possible ways to address them, so that such holistic security and privacy mechanisms can reach their full potential towards solving this conundrum.

show abstract

Evaluating privacy impact assessment methods: guidelines and best practice

Cited by 13 publications

References 15 publications

On the Evaluation of Privacy Impact Assessment and Privacy Risk Assessment Methodologies: A Systematic Literature Review

On the Evaluation of Privacy Impact Assessment and Privacy Risk Assessment Methodologies: A Systematic Literature Review

GDPR Interference With Next Generation 5G and IoT Networks

A Perfect Match: Converging and Automating Privacy and Security Impact Assessment On-the-Fly

Contact Info

Product

Resources

About