Tools – Privacy Design®

June 30, 2021June 30, 2021

Spain, AEPD: “Risk management and impact assessment in personal data processing” guide (160 pages) (DPIA guidance)

Announcement:
https://www.aepd.es/es/es/prensa-y-comunicacion/notas-de-prensa/agencia-presenta-guia-riesgo-tratamiento-datos-y-evaluaciones-impacto

Report:
https://www.aepd.es/es/documento/gestion-riesgo-y-evaluacion-impacto-en-tratamientos-datos-personales.pdf

April 20, 2021April 20, 2021

Fraunhofer: Die Datenschutz-Folgenabschätzung nach Art. 35 DSGVO – Ein Handbuch für die Praxis

http://publica.fraunhofer.de/starweb/servlet.starweb?path=urn.web&search=urn:nbn:de:0011-n-586394-15

Volltext (Online):
http://publica.fraunhofer.de/eprints/urn_nbn_de_0011-n-586394-15.pdf

March 3, 2021March 3, 2021

The Netherlands: Privacy Assessment of Google Workspace G Suite Enterprise suite (DPIA)

“Commissioned by the Ministry of Justice and Security, Privacy Company investigated the privacy risks of G Suite Enterprise, with work and communication apps such as Gmail, Chat, Meet, Forms, Docs and Slides. Meanwhile, Google has renamed these services into Google Workspace.”

https://www.privacycompany.eu/blogpost-en/privacy-assessment-google-workspace-g-suite-enterprise-dutch-government-consults-dutch-data-protection-authority-on-high-privacy-risks

Google Workspace DPIA for Dutch DPA (in English)
at https://www.rijksoverheid.nl/documenten/publicaties/2021/02/12/google-workspace-dpia-for-dutch-dpa
“Google has also published a guide for system administrators, explaining the rules and the available privacy choices, the Google Workspace data protection implementation guide.”
at https://services.google.com/fh/files/misc/google_workspace_data_protection_guide_en_dec2020.pdf

January 4, 2021January 4, 2021

Switzerland: Minimal security standards and assesment tool

from 2018… (modelled on NIST cybser security framework with some modifications)

hhttps://www.bwl.admin.ch/bwl/en/home/themen/ikt/ikt_minimalstandard.html

October 29, 2020

Jersey: DPIA for Covid Alert App

https://github.com/StatesOfJersey/Jersey-COVID-Alert-Documentation

(DPIA example)

October 21, 2020May 19, 2021

EDPB: Criteria for an acceptable DPIA

From Annex 2 of wp248 rev.01 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 at https://ec.europa.eu/newsroom/article29/items/611236:

Annex 2 – Criteria for an acceptable DPIA
The WP29 proposes the following criteria which data controllers can use to assess whether or not a DPIA, or a methodology to carry out a DPIA, is sufficiently comprehensive to comply with the GDPR:

a systematic description of the processing is provided (Article 35(7)(a)):
- nature, scope, context and purposes of the processing are taken into account (recital 90);
- personal data, recipients and period for which the personal data will be stored are recorded;
- a functional description of the processing operation is provided;
- the assets on which personal data rely (hardware, software, networks, people, paper or paper transmission channels) are identified;
- compliance with approved codes of conduct is taken into account (Article 35(8));
necessity and proportionality are assessed (Article 35(7)(b)):
- measures envisaged to comply with the Regulation are determined (Article 35(7)(d) and recital 90), taking into account:
  - measures contributing to the proportionality and the necessity of the processing on the basis of:
  - specified, explicit and legitimate purpose(s) (Article 5(1)(b));
  - lawfulness of processing (Article 6);
  - adequate, relevant and limited to what is necessary data (Article 5(1)(c));
  - limited storage duration (Article 5(1)(e));
- measures contributing to the rights of the data subjects:
  - information provided to the data subject (Articles 12, 13 and 14);
  - right of access and to data portability (Articles 15 and 20);
  - right to rectification and to erasure (Articles 16, 17 and 19);
  - right to object and to restriction of processing (Article 18, 19 and 21);
  - relationships with processors (Article 28);
  - safeguards surrounding international transfer(s) (Chapter V);
  - prior consultation (Article 36).
risks to the rights and freedoms of data subjects are managed (Article 35(7)(c)):
- origin, nature, particularity and severity of the risks are appreciated (cf. recital 84) or, more specifically, for each risk (illegitimate access, undesired modification, and disappearance of data) from the perspective of the data subjects:
  - risks sources are taken into account (recital 90);
  - potential impacts to the rights and freedoms of data subjects are identified in case of events including illegitimate access, undesired modification and disappearance of data;
  - threats that could lead to illegitimate access, undesired modification and disappearance of data are identified;
  - likelihood and severity are estimated (recital 90);
- measures envisaged to treat those risks are determined (Article 35(7)(d) and recital 90);
interested parties are involved:
- the advice of the DPO is sought (Article 35(2));
- the views of data subjects or their representatives are sought, where appropriate (Article 35(9)).