https://www.nist.gov/itl/ai-risk-management-framework
2nd draft
https://www.nist.gov/system/files/documents/2022/08/18/AI_RMF_2nd_draft.pdf
with good control descriptions in teh tables
[protecting people by good design, solid security, efficient processes and trusted services]
https://www.nist.gov/itl/ai-risk-management-framework
2nd draft
https://www.nist.gov/system/files/documents/2022/08/18/AI_RMF_2nd_draft.pdf
with good control descriptions in teh tables
Announcement:
https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement
Link to complaint:
https://oag.ca.gov/system/files/attachments/press-docs/Complaint%20%288-23-22%20FINAL%29.pdf
Link to settlement:
https://oag.ca.gov/system/files/attachments/press-docs/Proposed%20Final%20Judgment.pdf
(This seems to be quite different from EDPB wp248 – then again, CH is not EU/EEA)
From the Datenschutzbeauftragte des Kanton Zuerich:
“Die Datenschutzbeauftragte erstellte ein Formular und ein Merkblatt, das die datenbearbeitenden Stellen bei der Datenschutz-Folgenabschätzung unterstützt. Es hilft, alle wesentlichen Angaben zu sammeln und auszuwerten.
Die DSFA dient auch dazu, die Pflicht zur Vorabkontrolle abzuklären. Wenn besondere Risiken erkennbar sind, muss das Projekt der Datenschutzbeauftragten zur Vorabkontrolle unterbreitet werden.”
https://www.datenschutz.ch/datenschutz-in-oeffentlichen-organen/datenschutz-folgenabschaetzung
from https://www.datenschutz-mv.de/static/DS/Dateien/Datenschutzmodell/SDM-Methode_V20b_EN.pdf Emphasis incl reformatting for emphasis by me.
In order to fully cover personal data processing, it has proved useful to distinguish at least three different levels of representation of material parameters or elements when designing or auditing processing activities. It is essential to understand that a ‘processing activity’, for example, is not congruent with the use of a certain technology or a certain technical program.
Level 1 is the processing of personal data in the sense of data protection law.
The practical implementation of the processing and the purpose is located at level 2.
Level 3 houses the IT infrastructure that provides functions that are used by a level 2 application.
—
and from D2.3:
“The concrete functional design takes place at level 1, at which the need for protection is to be determined or specified by the controller on the basis of the data. This need for protection is inherited by all data, systems and processes used in concrete processing at the various levels. The catalogue of reference measures can be used to check whether technical and organisational measures taken or planned are appropriate to the need for protection “
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3248829
A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI
Columbia Business Law Review, 2019(2)
130 Pages Posted: 5 Oct 2018 Last revised: 25 Jun 2019
Sandra Wachter
University of Oxford – Oxford Internet Institute
Brent Mittelstadt
University of Oxford – Oxford Internet Institute
Date Written: October 5, 2018
Datenschutz-Reifegradmodell – Reifegradmodell zur Abbildung von technisch-organisatorischen Maßnahmen
bei der Auftragsverarbeitung
Betaversion zum Review
Press release: https://www.bitkom.org/Bitkom/Publikationen/Datenschutz-Reifegradmodell-technisch-organisatorische-Massnahmen-Auftragsverarbeitung
“Finally, the Court states that the processing of personal data that are liable indirectly to reveal sensitive information concerning a natural person is not excluded from the strengthened protection regime, (5) since such exclusion might well compromise the effectiveness of that regime and the protection of the fundamental rights and freedoms of natural persons that it is intended to ensure. Thus, the publication on the Chief Ethics Commission’s website of personal data that are liable to disclose indirectly the data subjects’ sexual orientation constitutes processing of sensitive data.”
—-
In German: Commentary from Switzerland – https://datenrecht.ch/eugh-c-184-20-verarbeitung-besonderer-kategorien-personenbezogener-daten-auch-bei-moeglichen-schluessen-auf-sensible-informationen/