Black Hat Sessions 2018 - Management session GDPR - Privacy by Design and Accountability by Wolter Karssenberg, Fabian van den Broek and Ruud Kerssens
Alongside the keynotes, the Black Hat Sessions 2018 offered a large number of lectures by prominent Dutch and international speakers in multiple technical and non-technical tracks. Below you will read a brief report by Achraf Bekkali, intern at Secura, about the management session GDPR - Privacy by Design and Accountability by Wolter Karssenberg (management consultant privacy and senior privacy officer for ABN AMRO), Fabian van den Broek (post-doctoral researcher at the Open University and Radboud University) and Ruud Kerssens (Manager Service Line Advisory & Audit at Secura). Here you will find the link to all brief reports and recordings.
Privacy is slowly getting more attention in the boardroom. Organizations are starting to realize that privacy and privacy risks primarily concern data subjects rather than the organizations themselves. To help organizations take the first step in tackling privacy risks, there are privacy principles that organizations should adhere to.
With the introduction of the accountability principle in the GDPR, emphasis has been placed on demonstrating compliance with these privacy principles. The accountability principle aims to guide organizations in demonstrating that privacy principles are implemented and maintained. For instance, accountability is demonstrated through GDPR obligations such as Data Protection by Design, Data Protection Impact Assessments and certifications.
In his presentation, Wolter highlighted four steps that organizations should think about when implementing their privacy governance:
First, organizations should develop a strategy regarding personal data processing. It is important to recognize that personal data processing is about trust, balance, ethics, culture and of course law. Therefore, privacy is not a one-dimensional challenge.
Second, organizations should think about how their privacy governance is organized. Privacy governance should adapt as much as possible to existing organizational structures. It may also be helpful to consider appointing a data protection officer (DPO).
Third, organizations should use existing privacy guidelines or frameworks such as those developed by NOREA, EuroPriSe, the OECD, etc. These frameworks should be embedded as much as possible in existing processes.
Finally, privacy governance should be integrated into the existing management cycle and reflected in internal and external reporting.
Data Protection Impact Assessment
Ruud Kerssens started his presentation about the Data Protection Impact Assessment (DPIA) by explaining the goal of the newly introduced obligation.
By performing a DPIA prior to the processing of personal data, controllers can efficiently and effectively address privacy risks and comply with the principle of Privacy by Design. A DPIA is also intended as a measure of accountability: it demonstrates that the controller has done its best to address the privacy risks.
Article 35(1) of the GDPR states that a DPIA should be performed when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. A DPIA should take into account the nature, scope, context and purposes of the processing, and is particularly required when new technologies are used.
A DPIA is a systematic description of the intended processing operations, the purposes of the processing and the legitimate interest pursued by the controller. Besides, a DPIA should assess the necessity of the processing, its proportionality in relation to the purposes and the risks that it poses to rights and freedoms. Furthermore, the measures that address the risks should be reflected in the DPIA. Basically, a DPIA is meant to describe the context, risks, controls and decisions regarding the processing of personal data.
The Article 29 Working Party has published a list of nine criteria that controllers should take into consideration when determining whether a processing operation will result in a high risk. In most cases, meeting two of these criteria will require a DPIA to be carried out. Furthermore, a DPIA should be a continuing process that is integrated into change management, since changes in risks, activities and processes can trigger the need for a (new) DPIA.
Privacy by Design
There are several strategies that aim to help controllers integrate privacy into the design of products and services. Fabian van den Broek, post-doctoral researcher at the Open University and privacy researcher at the Digital Security group of Radboud University Nijmegen, highlighted some key privacy strategies. For instance, the 7 Foundational Principles of Ann Cavoukian and the Privacy Protection Goals of Marit Hansen are well-known Privacy by Design strategies. Similarly, the Dutch privacy researcher Jaap-Henk Hoepman has developed eight privacy design strategies, which Fabian van den Broek explained in turn.
Through several case studies, Fabian van den Broek demonstrated the usefulness of these eight strategies for integrating privacy into the design stage of product and service development.
Another product that helps users protect their privacy is the application IRMA (I Reveal My Attributes), developed by the Digital Security group of Radboud University. IRMA is a privacy-friendly authentication solution that reveals only the attributes that are necessary to use a product or service. It can also be used for giving informed consent and for signing privacy statements.
Ruud Kerssens closed this management stream with the question: what is the importance of accountability in the GDPR? The accountability principle states that the controller is responsible for demonstrating compliance with the requirements of the GDPR. Its inclusion in the GDPR is meant to close the loop of compliance with the new data protection legislation.
As a sign of compliance with the GDPR, the European Union encourages the development of certifications, seals and marks. An example of such a mark is the Privacy-Audit-Proof, which controllers can obtain by successfully passing an independent audit.
A starting point for performing an independent privacy audit and obtaining the Privacy-Audit-Proof is the Privacy Control Framework (PCF) developed by NOREA. The PCF provides guidance to professionals in assessing whether an organization has achieved its privacy and data protection control objectives.