SlideShare a Scribd company logo

DPbD, DPIA: Aligning technical and legal views

Brussels Legal Hackers
Brussels Legal Hackers

This document discusses the interdisciplinary nature of data protection by design and data protection impact assessments. It notes that while software engineers and lawyers both aim to ensure compliance, they often take different approaches - with engineers focusing on technical risks and lawyers on legal concepts. The document proposes aligning these perspectives through a shared understanding of a system using a meta-model that incorporates both technical and legal requirements. This would facilitate transparency and demonstration of compliance. It also discusses how design scientists can help develop user-friendly solutions to meet transparency obligations through approaches like interactive interfaces and privacy languages.

Education
1 of 27
Download to read offline
Data Protection Impact Assessment and Data Protection by Design The need for an interdisciplinary approach Pierre Dewitte – KU Leuven CiTiP-imec pierre.dewitte@kuleuven.be @PiDewitte
DPbD, DPIA: A tale of two methodologies 2
According to Articles 24(1) and 25(1) GDPR, NSA and legal literature, controllers are under the obligation to: 1. Adopt a risk-based approach o Requires taking into account elements such as the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, the risks for the rights and freedoms of data subjects 2. When implementing appropriate technical and organisational measures o Suggests a close collaboration between experts in various disciplines 3. To ensure and demonstrate compliance with the Regulation o Requires the implementation of appropriate mitigation strategies o Requires a layer of demonstrability (accountability) 4. Both at the time of the determination of the means for processing and at the time of the processing itself o As of the design stage, and throughout the entire data processing lifecycle Data Protection by Design
Following the combined reading of Article 35(7), WP29, NSA and legal literature, a DPIA essentially consists of the following steps: Data Protection Impact Assessment (Threshold assessment) Description of the processing activities Identification and documentation of the risks Implementation of appropriate mitigation strategies A degree of accountability for the whole process (External review) (Publication of the outcome) Continuous review and update
Not so different? Description of the system Risk assessment and implementation of appropriate mitigation strategies Accountability
Not so different? DPbD DPIA Risk assessment
• DPbD, DPIA and risk assessment are essentially interdisciplinary approaches, involving both software engineers and lawyers • Clear dichotomy between the way software engineers and lawyers practically implement those requirements: Yet, in practice… Software engineers • Technical concepts • Technical view on the system, overinclusive • Risks understood from a narrower perspective • Agile, (partially) automated Lawyers • Legal concepts • Legal view, often disconnected from reality • Risks to data subject’s rights and freedoms • Rigid, manual E.g. LINDDUN privacy threat modelling methodology E.g. CNIL PIA guidance and open source tool
• Meaningful transparency, either ex-ante or ex-post, relies on the premise that one does know exactly what happens within a system o As underlined earlier, lawyers often lack the technical knowledge to understand all the processing activities happening within a system o This negatively impacts the drafting of comprehensive, adequate and up- to-date privacy policies since understanding is a prerequisite o As demonstrated during the empirical study on the right of access, this also hinder the exercise of data subject’s rights Impact on transparency An efficient DPbD methodology aligning the technical and legal views of a system would significantly facilitate the compliance with transparency requirements, but not only
Aligning: Of software engineers and lawyers 9
The PRiSE project Privacy-by-design Regulation in Software Engineering (PRiSE), KU Leuven CiTiP and DistriNet, <https://www.law.kuleuven.be/citip/en/research/projects/ongoing/prise> Description of the system Risk assessment and implementation of appropriate mitigation strategies Accountability Meta-model (input) Meta-model (output) Extraction of documents
The PRiSE meta-model (input) Dewitte et al., ‘A Comparison of System Description Models for Data Protection by Design’, Proceedings of the 2019 Symposium on Applied Computing, Limassol, 8 April 2019. • Software engineers rely on threat modelling techniques such as STRIDE or LINDDUN for the elicitation of security and privacy threats. • Those methodologies are based on Data Flow Diagrams (DFD) which are mainly built using the following architectural modelling requirements: events, processes, responses, data sources and recipients. Fig. 1: Example of DFD using UML
The PRiSE meta-model (input) • A DPIA usually starts with the systematic description of the processing activities. • Guidance has been issued by the Article 29 Working Party as to the elements that must be documented, which led to the extraction of the following legal modelling requirements: personal data, data subject, processing, purpose, lawful ground, controller, processor, third party, recipient, representative, storage period and supporting assets. Fig. 2: Example of system description using CNIL’s template Dewitte et al., ‘A Comparison of System Description Models for Data Protection by Design’, Proceedings of the 2019 Symposium on Applied Computing, Limassol, 8 April 2019.
The PRiSE meta-model (input) • No methodology supports both legal and architectural modelling requirements. • Both assessments therefore rely on a different conception of the system. o DPIAs overlook technical specificities that could nonetheless prove relevant from a data protection perspective (e.g. non personal data flows). o Threat modelling methodologies, on the other hand, omit GDPR-specific concepts (e.g. lawful grounds (Art. 5(1)a and 6(1) and purposes (Art. 5(1)b) that are crucial to achieve in-depth, efficient compliance with the Regulation. Tab. 1: Evaluation of existing DPIA/threat modelling methodologies w.r.t. legal and architectural modelling requirements Dewitte et al., ‘A Comparison of System Description Models for Data Protection by Design’, Proceedings of the 2019 Symposium on Applied Computing, Limassol, 8 April 2019.
• When building the meta-model, the following choices were made: o Rely on GDPR terminologies and concepts, rather than on technical abstractions (entity, process, data store, data flow, etc. but rather controller, processor, processing, further processing, etc.) o Rely on software engineer’s way to describe a system rather than on the overly simplified descriptions often found in most DPIA methodologies (UML class diagram) o Rely on the abstractions that are necessary to perform the various checks that are required by the GDPR (avoids overinclusivity, allows superposition of the technical view if necessary) The PRiSE meta-model (input) A sound description of the system which reconciles the data protection and technical views of a system is the essential first step of a consistent, in-depth and agile DPbD methodology Sion et al., ‘An Architectural View for Data Protection by Design’, Proceedings of the 2019 International Conference on Software Architecture, Hamburg, 29 March 2019
Work in progress, for demonstration purposes only Sion et al., ‘An Architectural View for Data Protection by Design’, Proceedings of the 2019 International Conference on Software Architecture, Hamburg, 29 March 2019
• Modelling a system using the meta-model allows for: o Fully automated checks (constraints imposed by the meta-model itself) o Semi automated checks (‘Clippy’-like support providing relevant guidance, resources and indications) o Manual checks (checks that are not directly supported by the meta- model, but whose assessment is facilitated by the meta-model). The PRiSE meta-model (output) Example with Art. 5(1)b GDPR - Purpose specification is fully automated, since the meta-model will requires one or more ProcessingPurpose for every CollectionActivity - Compatibility assessment is semi automated, since the meta-model will pair every FurherProcessingActivtiy with the original ProcessingPurpose, the LegalBasis, the DataSubjectType and the DataType and raise the necessity to conduct such an assessment, together with guidance as to the relevant criteria. Sion et al., ‘An Architectural View for Data Protection by Design’, Proceedings of the 2019 International Conference on Software Architecture, Hamburg, 29 March 2019
• Thanks to correspondence rules introduced between the technical and the data protection view, changes in the former are reflected in the latter, and vice-versa o Addresses architectural erosion o For instance, the introduction of a new data flow in the technical view will be considered as a new FurherProcessingActivtiy, which, in turn, will trigger all the necessary checks (i.e. compatibility assessment, new actor, rules on transfer, etc. ) and pair them with the relevant information • Tool support will be developed to allow the extraction of documents reflecting the data protection view built according to the meta-model o Streamlines the production of accountability documents o Format and content of the documents flexible The PRiSE meta-model (agility and extraction of documents) Sion et al., ‘An Architectural View for Data Protection by Design’, Proceedings of the 2019 International Conference on Software Architecture, Hamburg, 29 March 2019
Of software engineers and lawyers
Communicating: Of design scientists and lawyers 19
• Once the controller is fully aware of what is exactly happening within its system, it must communicate that information to data subjects • Article 12(1) GDPR pairs the obligation of transparency with several modalities, be it for information included in the privacy policy or provided to data subject following the exercise of their rights o See Article 29 Working Party guidelines on transparency (WP260) • Concise + Transparent = data controllers should present the information/ communication efficiently and succinctly in order to avoid information fatigue + clearly differentiated from other non-privacy related information such as contractual provisions; online: layered privacy notice Modalities surrounding transparency
• Intelligible = understood by an average member of the intended audience ( = (1) identify intended audience + (2) ascertain level of understanding; + (3) regularly check) • Easily accessible = data subject should not have to seek out the information (=immediately apparent); online: by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface • Clear and plain language = best practices for clear writing: avoid complex sentences + concrete (≠ “may”, “might”, “some”, “often”, “possible”, “research”, “personalisation”) + active voice – legalese, technical vocabulary + translation when targeting data subjects speaking different languages Modalities surrounding transparency
• In writing or by other electronic means = method chosen to provide information must be appropriate to the circumstance (e.g. written only for screenless devices such as IoT is wrong); means: layered privacy notice; “just-in-time” contextual pop-up notices, 3D touch or hover- over notices, privacy dashboards, cartoons, infographics or flowcharts • Appropriate measures = taking into account the device used, the nature of the user interfaces/interactions with the controller and the relevant limitations; trial different modalities by way of user testing • Other means = for specific environments: hard copy, oral explanation, icons, GR codes, videos, SMS, email, public signage, newspapers campaigns, notice in media, etc. Modalities surrounding transparency A job for lawyers only?
• Most interactions between data subjects and controllers happen through computerized interfaces, especially in the context of: o Transparency requirements (e.g. legibility/availability of a privacy policy; c.f. WP29 guidelines) o The exercise of data subject’s rights (e.g. erasure, access, etc.) The role of design scientists GDPR and HCI, perfect match? A data protection lawyer’s perspective on CHI 2018, CiTiP blog, <https://www.law.kuleuven.be/citip/blog/gdpr-and-hci-a-perfect-match-a- data-protection-lawyers-perspective-on-chi-2018/> Controller Data subject
• Many initiatives in the field of HCI (Human Computer Interaction) address the need for user-friendly, efficient transparency: o Methodology taking both controllers’ and data subjects’ expectation into account at the interface design stage (Eiband et al.) o Exploration of design spaces for effective privacy notice (Schaub et al.) o Field-testing user’s expectations of transparency (Lyngs et al.) o Exposing nudges for privacy and security (Acquisti et al.) o Development of privacy languages (Zhao et al.) o Interactive display visualizing data subject’s exposure to third party tracking activities on smartphone app (Van Kleek et al.) The role of design scientists GDPR and HCI, perfect match? A data protection lawyer’s perspective on CHI 2018, CiTiP blog, <https://www.law.kuleuven.be/citip/blog/gdpr-and-hci-a-perfect-match-a- data-protection-lawyers-perspective-on-chi-2018/> Design science is a fertile ground to develop intrinsically interdisciplinary solutions to address the many challenges raised by transparency
Of design scientists and lawyers
Transparency – and GDPR compliance altogether – is a truly interdisciplinary endeavour
Thanks for your attention! KU Leuven Centre for IT & IP Law (CiTiP) – imec www.law.kuleuven.be/citip

Recommended

Toward Trustworthy AI
Toward Trustworthy AIToward Trustworthy AI
Toward Trustworthy AINozha Boujemaa
 
20190528 - Guidelines for Trustworthy AI
20190528 - Guidelines for Trustworthy AI20190528 - Guidelines for Trustworthy AI
20190528 - Guidelines for Trustworthy AIBrussels Legal Hackers
 
To Regulate or not to Regulate - Opening the AI Black Box for Parliaments
To Regulate or not to Regulate - Opening the AI Black Box for Parliaments To Regulate or not to Regulate - Opening the AI Black Box for Parliaments
To Regulate or not to Regulate - Opening the AI Black Box for Parliaments Dr. Fotios Fitsilis
 
e-SIDES and Ethical AI
e-SIDES and Ethical AIe-SIDES and Ethical AI
e-SIDES and Ethical AIIDC4EU
 
Towards an Evidence-Based Policy Framework for Trustworthy AI
Towards an Evidence-Based Policy Framework for Trustworthy AITowards an Evidence-Based Policy Framework for Trustworthy AI
Towards an Evidence-Based Policy Framework for Trustworthy AIIulia Cioroianu
 
David Winickoff, Session 1
David Winickoff, Session 1David Winickoff, Session 1
David Winickoff, Session 1OECD Governance
 
Work Package 4 for valorisation meeting 1
Work Package 4 for valorisation meeting 1Work Package 4 for valorisation meeting 1
Work Package 4 for valorisation meeting 1disgi
 
Nick Malyshev, Session 1
Nick Malyshev, Session 1Nick Malyshev, Session 1
Nick Malyshev, Session 1OECD Governance
 

Recommended

Toward Trustworthy AI
Toward Trustworthy AIToward Trustworthy AI
Toward Trustworthy AINozha Boujemaa
 
20190528 - Guidelines for Trustworthy AI
20190528 - Guidelines for Trustworthy AI20190528 - Guidelines for Trustworthy AI
20190528 - Guidelines for Trustworthy AIBrussels Legal Hackers
 
To Regulate or not to Regulate - Opening the AI Black Box for Parliaments
To Regulate or not to Regulate - Opening the AI Black Box for Parliaments To Regulate or not to Regulate - Opening the AI Black Box for Parliaments
To Regulate or not to Regulate - Opening the AI Black Box for Parliaments Dr. Fotios Fitsilis
 
e-SIDES and Ethical AI
e-SIDES and Ethical AIe-SIDES and Ethical AI
e-SIDES and Ethical AIIDC4EU
 
Towards an Evidence-Based Policy Framework for Trustworthy AI
Towards an Evidence-Based Policy Framework for Trustworthy AITowards an Evidence-Based Policy Framework for Trustworthy AI
Towards an Evidence-Based Policy Framework for Trustworthy AIIulia Cioroianu
 
David Winickoff, Session 1
David Winickoff, Session 1David Winickoff, Session 1
David Winickoff, Session 1OECD Governance
 
Work Package 4 for valorisation meeting 1
Work Package 4 for valorisation meeting 1Work Package 4 for valorisation meeting 1
Work Package 4 for valorisation meeting 1disgi
 
Nick Malyshev, Session 1
Nick Malyshev, Session 1Nick Malyshev, Session 1
Nick Malyshev, Session 1OECD Governance
 
Introduction & Work Package 5 for valorisation meeting 1
Introduction & Work Package 5 for valorisation meeting 1Introduction & Work Package 5 for valorisation meeting 1
Introduction & Work Package 5 for valorisation meeting 1disgi
 
Work Package 3 for valorisation meeting 1
Work Package 3 for valorisation meeting 1Work Package 3 for valorisation meeting 1
Work Package 3 for valorisation meeting 1disgi
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...IDC4EU
 
e-SENS value story IT industry
e-SENS value story IT industrye-SENS value story IT industry
e-SENS value story IT industrye-SENS project
 
Samos Summit Innovative public services in Europe – taking stock and lookin...
Samos Summit Innovative public services in Europe – taking stock and lookin...Samos Summit Innovative public services in Europe – taking stock and lookin...
Samos Summit Innovative public services in Europe – taking stock and lookin...samossummit
 
Rainer Zimmermann (European Commission): The role of the European Commission ...
Rainer Zimmermann (European Commission): The role of the European Commission ...Rainer Zimmermann (European Commission): The role of the European Commission ...
Rainer Zimmermann (European Commission): The role of the European Commission ...ServiceWave 2010
 
Artificial intelligence - the role of universities
Artificial intelligence - the role of universitiesArtificial intelligence - the role of universities
Artificial intelligence - the role of universitiesThomas Ekman Jørgensen
 
Usman Wajid: Service-based Application Development by Ordinary End Users and ...
Usman Wajid: Service-based Application Development by Ordinary End Users and ...Usman Wajid: Service-based Application Development by Ordinary End Users and ...
Usman Wajid: Service-based Application Development by Ordinary End Users and ...ServiceWave 2010
 
GoOpen 2010: Ann Therese Lotherington
GoOpen 2010: Ann Therese LotheringtonGoOpen 2010: Ann Therese Lotherington
GoOpen 2010: Ann Therese LotheringtonFriprogsenteret
 
Sail regulation governance 101018
Sail regulation governance 101018Sail regulation governance 101018
Sail regulation governance 101018SAIL
 
Commission studies on eaccessibility
Commission studies on eaccessibilityCommission studies on eaccessibility
Commission studies on eaccessibilityJose Angel Martinez Usero
 
Opening – Introductions and Welcome by the host
Opening – Introductions and Welcome by the hostOpening – Introductions and Welcome by the host
Opening – Introductions and Welcome by the hostsamossummit
 
I4ADA 2019 - Presentation Cedric Wachholz
I4ADA 2019 - Presentation Cedric WachholzI4ADA 2019 - Presentation Cedric Wachholz
I4ADA 2019 - Presentation Cedric WachholzPaul van Heel
 
Samos Summit Digital Europe 2040 [g.misuraca]
Samos Summit Digital Europe 2040 [g.misuraca]Samos Summit Digital Europe 2040 [g.misuraca]
Samos Summit Digital Europe 2040 [g.misuraca]samossummit
 
E-Government Stakeholder Involvement
E-Government Stakeholder InvolvementE-Government Stakeholder Involvement
E-Government Stakeholder InvolvementDanube University Krems, Centre for E-Governance
 
Keita Nishiyama, Opening session
Keita Nishiyama, Opening sessionKeita Nishiyama, Opening session
Keita Nishiyama, Opening sessionOECD Governance
 
LOTF2011 | Martin Gramatikov
LOTF2011 | Martin GramatikovLOTF2011 | Martin Gramatikov
LOTF2011 | Martin GramatikovHiiL
 
VoicE VoiceS - Requirements and Recommendations for E-Votin
VoicE VoiceS - Requirements and Recommendations for E-VotinVoicE VoiceS - Requirements and Recommendations for E-Votin
VoicE VoiceS - Requirements and Recommendations for E-VotinDanube University Krems, Centre for E-Governance
 
I4ADA the hague summitCAHAI
I4ADA the hague summitCAHAII4ADA the hague summitCAHAI
I4ADA the hague summitCAHAIPaul van Heel
 
Samos 2020 Summit - Digital Governance Overview
Samos 2020 Summit - Digital Governance OverviewSamos 2020 Summit - Digital Governance Overview
Samos 2020 Summit - Digital Governance Overviewsamossummit
 
Privacy Data Protection for Engineers - PDP4E
Privacy Data Protection for Engineers - PDP4EPrivacy Data Protection for Engineers - PDP4E
Privacy Data Protection for Engineers - PDP4EPrivacy Data Protection for Engineering
 
ADVANCED CLOUD PRIVACY THREAT MODELING
ADVANCED CLOUD PRIVACY THREAT MODELINGADVANCED CLOUD PRIVACY THREAT MODELING
ADVANCED CLOUD PRIVACY THREAT MODELINGcsandit
 

More Related Content

What's hot

Introduction & Work Package 5 for valorisation meeting 1
Introduction & Work Package 5 for valorisation meeting 1Introduction & Work Package 5 for valorisation meeting 1
Introduction & Work Package 5 for valorisation meeting 1disgi
 
Work Package 3 for valorisation meeting 1
Work Package 3 for valorisation meeting 1Work Package 3 for valorisation meeting 1
Work Package 3 for valorisation meeting 1disgi
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...IDC4EU
 
e-SENS value story IT industry
e-SENS value story IT industrye-SENS value story IT industry
e-SENS value story IT industrye-SENS project
 
Samos Summit Innovative public services in Europe – taking stock and lookin...
Samos Summit Innovative public services in Europe – taking stock and lookin...Samos Summit Innovative public services in Europe – taking stock and lookin...
Samos Summit Innovative public services in Europe – taking stock and lookin...samossummit
 
Rainer Zimmermann (European Commission): The role of the European Commission ...
Rainer Zimmermann (European Commission): The role of the European Commission ...Rainer Zimmermann (European Commission): The role of the European Commission ...
Rainer Zimmermann (European Commission): The role of the European Commission ...ServiceWave 2010
 
Artificial intelligence - the role of universities
Artificial intelligence - the role of universitiesArtificial intelligence - the role of universities
Artificial intelligence - the role of universitiesThomas Ekman Jørgensen
 
Usman Wajid: Service-based Application Development by Ordinary End Users and ...
Usman Wajid: Service-based Application Development by Ordinary End Users and ...Usman Wajid: Service-based Application Development by Ordinary End Users and ...
Usman Wajid: Service-based Application Development by Ordinary End Users and ...ServiceWave 2010
 
GoOpen 2010: Ann Therese Lotherington
GoOpen 2010: Ann Therese LotheringtonGoOpen 2010: Ann Therese Lotherington
GoOpen 2010: Ann Therese LotheringtonFriprogsenteret
 
Sail regulation governance 101018
Sail regulation governance 101018Sail regulation governance 101018
Sail regulation governance 101018SAIL
 
Opening – Introductions and Welcome by the host
Opening – Introductions and Welcome by the hostOpening – Introductions and Welcome by the host
Opening – Introductions and Welcome by the hostsamossummit
 
I4ADA 2019 - Presentation Cedric Wachholz
I4ADA 2019 - Presentation Cedric WachholzI4ADA 2019 - Presentation Cedric Wachholz
I4ADA 2019 - Presentation Cedric WachholzPaul van Heel
 
Samos Summit Digital Europe 2040 [g.misuraca]
Samos Summit Digital Europe 2040 [g.misuraca]Samos Summit Digital Europe 2040 [g.misuraca]
Samos Summit Digital Europe 2040 [g.misuraca]samossummit
 
Keita Nishiyama, Opening session
Keita Nishiyama, Opening sessionKeita Nishiyama, Opening session
Keita Nishiyama, Opening sessionOECD Governance
 
LOTF2011 | Martin Gramatikov
LOTF2011 | Martin GramatikovLOTF2011 | Martin Gramatikov
LOTF2011 | Martin GramatikovHiiL
 
I4ADA the hague summitCAHAI
I4ADA the hague summitCAHAII4ADA the hague summitCAHAI
I4ADA the hague summitCAHAIPaul van Heel
 
Samos 2020 Summit - Digital Governance Overview
Samos 2020 Summit - Digital Governance OverviewSamos 2020 Summit - Digital Governance Overview
Samos 2020 Summit - Digital Governance Overviewsamossummit
 

What's hot (20)

Introduction & Work Package 5 for valorisation meeting 1
Introduction & Work Package 5 for valorisation meeting 1Introduction & Work Package 5 for valorisation meeting 1
Introduction & Work Package 5 for valorisation meeting 1
 
Work Package 3 for valorisation meeting 1
Work Package 3 for valorisation meeting 1Work Package 3 for valorisation meeting 1
Work Package 3 for valorisation meeting 1
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
 
e-SENS value story IT industry
e-SENS value story IT industrye-SENS value story IT industry
e-SENS value story IT industry
 
Samos Summit Innovative public services in Europe – taking stock and lookin...
Samos Summit Innovative public services in Europe – taking stock and lookin...Samos Summit Innovative public services in Europe – taking stock and lookin...
Samos Summit Innovative public services in Europe – taking stock and lookin...
 
Rainer Zimmermann (European Commission): The role of the European Commission ...
Rainer Zimmermann (European Commission): The role of the European Commission ...Rainer Zimmermann (European Commission): The role of the European Commission ...
Rainer Zimmermann (European Commission): The role of the European Commission ...
 
Artificial intelligence - the role of universities
Artificial intelligence - the role of universitiesArtificial intelligence - the role of universities
Artificial intelligence - the role of universities
 
Usman Wajid: Service-based Application Development by Ordinary End Users and ...
Usman Wajid: Service-based Application Development by Ordinary End Users and ...Usman Wajid: Service-based Application Development by Ordinary End Users and ...
Usman Wajid: Service-based Application Development by Ordinary End Users and ...
 
GoOpen 2010: Ann Therese Lotherington
GoOpen 2010: Ann Therese LotheringtonGoOpen 2010: Ann Therese Lotherington
GoOpen 2010: Ann Therese Lotherington
 
Sail regulation governance 101018
Sail regulation governance 101018Sail regulation governance 101018
Sail regulation governance 101018
 
Commission studies on eaccessibility
Commission studies on eaccessibilityCommission studies on eaccessibility
Commission studies on eaccessibility
 
Opening – Introductions and Welcome by the host
Opening – Introductions and Welcome by the hostOpening – Introductions and Welcome by the host
Opening – Introductions and Welcome by the host
 
I4ADA 2019 - Presentation Cedric Wachholz
I4ADA 2019 - Presentation Cedric WachholzI4ADA 2019 - Presentation Cedric Wachholz
I4ADA 2019 - Presentation Cedric Wachholz
 
Samos Summit Digital Europe 2040 [g.misuraca]
Samos Summit Digital Europe 2040 [g.misuraca]Samos Summit Digital Europe 2040 [g.misuraca]
Samos Summit Digital Europe 2040 [g.misuraca]
 
E-Government Stakeholder Involvement
E-Government Stakeholder InvolvementE-Government Stakeholder Involvement
E-Government Stakeholder Involvement
 
Keita Nishiyama, Opening session
Keita Nishiyama, Opening sessionKeita Nishiyama, Opening session
Keita Nishiyama, Opening session
 
LOTF2011 | Martin Gramatikov
LOTF2011 | Martin GramatikovLOTF2011 | Martin Gramatikov
LOTF2011 | Martin Gramatikov
 
VoicE VoiceS - Requirements and Recommendations for E-Votin
VoicE VoiceS - Requirements and Recommendations for E-VotinVoicE VoiceS - Requirements and Recommendations for E-Votin
VoicE VoiceS - Requirements and Recommendations for E-Votin
 
I4ADA the hague summitCAHAI
I4ADA the hague summitCAHAII4ADA the hague summitCAHAI
I4ADA the hague summitCAHAI
 
Samos 2020 Summit - Digital Governance Overview
Samos 2020 Summit - Digital Governance OverviewSamos 2020 Summit - Digital Governance Overview
Samos 2020 Summit - Digital Governance Overview
 

Similar to DPbD, DPIA: Aligning technical and legal views

ADVANCED CLOUD PRIVACY THREAT MODELING
ADVANCED CLOUD PRIVACY THREAT MODELINGADVANCED CLOUD PRIVACY THREAT MODELING
ADVANCED CLOUD PRIVACY THREAT MODELINGcsandit
 
ADVANCED CLOUD PRIVACY THREAT MODELING
ADVANCED CLOUD PRIVACY THREAT MODELINGADVANCED CLOUD PRIVACY THREAT MODELING
ADVANCED CLOUD PRIVACY THREAT MODELINGcscpconf
 
DATA SCIENCE METHODOLOGY FOR CYBERSECURITY PROJECTS
DATA SCIENCE METHODOLOGY FOR CYBERSECURITY PROJECTS DATA SCIENCE METHODOLOGY FOR CYBERSECURITY PROJECTS
DATA SCIENCE METHODOLOGY FOR CYBERSECURITY PROJECTS cscpconf
 
Mcis 2018 DEFeND Project
Mcis 2018 DEFeND Project Mcis 2018 DEFeND Project
Mcis 2018 DEFeND Project DEFeND Project
 
OEB Cyber Security Framework
OEB Cyber Security FrameworkOEB Cyber Security Framework
OEB Cyber Security FrameworkNorbi Hegedus
 
Review on Computer Forensic
Review on Computer ForensicReview on Computer Forensic
Review on Computer ForensicEditor IJCTER
 
Big Data: Privacy and Security Aspects
Big Data: Privacy and Security AspectsBig Data: Privacy and Security Aspects
Big Data: Privacy and Security AspectsIRJET Journal
 
Applying Baseline Technical Measures for Managing Data Privacy IN the Cloud a...
Applying Baseline Technical Measures for Managing Data Privacy IN the Cloud a...Applying Baseline Technical Measures for Managing Data Privacy IN the Cloud a...
Applying Baseline Technical Measures for Managing Data Privacy IN the Cloud a...ACCASecretariat
 
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) planCWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) planCapgemini
 
Business impact of new EU General Data Protection Regulation (GDPR) on organi...
Business impact of new EU General Data Protection Regulation (GDPR) on organi...Business impact of new EU General Data Protection Regulation (GDPR) on organi...
Business impact of new EU General Data Protection Regulation (GDPR) on organi...PECB
 
CLOUD CPOMPUTING SECURITY
CLOUD CPOMPUTING SECURITYCLOUD CPOMPUTING SECURITY
CLOUD CPOMPUTING SECURITYShivananda Rai
 
H2020 project WITDOM overview
H2020 project WITDOM overviewH2020 project WITDOM overview
H2020 project WITDOM overviewElsa Prieto
 
ADMINISTRATION SECURITY ISSUES IN CLOUD COMPUTING
ADMINISTRATION SECURITY ISSUES IN CLOUD COMPUTINGADMINISTRATION SECURITY ISSUES IN CLOUD COMPUTING
ADMINISTRATION SECURITY ISSUES IN CLOUD COMPUTINGijitcs
 
State of the Art in Cloud Security
State of the Art in Cloud SecurityState of the Art in Cloud Security
State of the Art in Cloud Securityijsrd.com
 
IOT-2016 7-9 Septermber, 2016, Stuttgart, Germany
IOT-2016 7-9 Septermber, 2016, Stuttgart, GermanyIOT-2016 7-9 Septermber, 2016, Stuttgart, Germany
IOT-2016 7-9 Septermber, 2016, Stuttgart, GermanyCharith Perera
 
Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...Sebastien Deleersnyder
 

Similar to DPbD, DPIA: Aligning technical and legal views (20)

Privacy Data Protection for Engineers - PDP4E
Privacy Data Protection for Engineers - PDP4EPrivacy Data Protection for Engineers - PDP4E
Privacy Data Protection for Engineers - PDP4E
 
ADVANCED CLOUD PRIVACY THREAT MODELING
ADVANCED CLOUD PRIVACY THREAT MODELINGADVANCED CLOUD PRIVACY THREAT MODELING
ADVANCED CLOUD PRIVACY THREAT MODELING
 
ADVANCED CLOUD PRIVACY THREAT MODELING
ADVANCED CLOUD PRIVACY THREAT MODELINGADVANCED CLOUD PRIVACY THREAT MODELING
ADVANCED CLOUD PRIVACY THREAT MODELING
 
DATA SCIENCE METHODOLOGY FOR CYBERSECURITY PROJECTS
DATA SCIENCE METHODOLOGY FOR CYBERSECURITY PROJECTS DATA SCIENCE METHODOLOGY FOR CYBERSECURITY PROJECTS
DATA SCIENCE METHODOLOGY FOR CYBERSECURITY PROJECTS
 
Dpm presentation
Dpm presentationDpm presentation
Dpm presentation
 
Mcis 2018 DEFeND Project
Mcis 2018 DEFeND Project Mcis 2018 DEFeND Project
Mcis 2018 DEFeND Project
 
OEB Cyber Security Framework
OEB Cyber Security FrameworkOEB Cyber Security Framework
OEB Cyber Security Framework
 
Review on Computer Forensic
Review on Computer ForensicReview on Computer Forensic
Review on Computer Forensic
 
Big Data: Privacy and Security Aspects
Big Data: Privacy and Security AspectsBig Data: Privacy and Security Aspects
Big Data: Privacy and Security Aspects
 
Applying Baseline Technical Measures for Managing Data Privacy IN the Cloud a...
Applying Baseline Technical Measures for Managing Data Privacy IN the Cloud a...Applying Baseline Technical Measures for Managing Data Privacy IN the Cloud a...
Applying Baseline Technical Measures for Managing Data Privacy IN the Cloud a...
 
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) planCWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
CWIN17 san francisco-geert vanderlinden-don't be stranded without a (gdpr) plan
 
Business impact of new EU General Data Protection Regulation (GDPR) on organi...
Business impact of new EU General Data Protection Regulation (GDPR) on organi...Business impact of new EU General Data Protection Regulation (GDPR) on organi...
Business impact of new EU General Data Protection Regulation (GDPR) on organi...
 
CLOUD CPOMPUTING SECURITY
CLOUD CPOMPUTING SECURITYCLOUD CPOMPUTING SECURITY
CLOUD CPOMPUTING SECURITY
 
Ipen2018
Ipen2018Ipen2018
Ipen2018
 
H2020 project WITDOM overview
H2020 project WITDOM overviewH2020 project WITDOM overview
H2020 project WITDOM overview
 
ADMINISTRATION SECURITY ISSUES IN CLOUD COMPUTING
ADMINISTRATION SECURITY ISSUES IN CLOUD COMPUTINGADMINISTRATION SECURITY ISSUES IN CLOUD COMPUTING
ADMINISTRATION SECURITY ISSUES IN CLOUD COMPUTING
 
State of the Art in Cloud Security
State of the Art in Cloud SecurityState of the Art in Cloud Security
State of the Art in Cloud Security
 
IOT-2016 7-9 Septermber, 2016, Stuttgart, Germany
IOT-2016 7-9 Septermber, 2016, Stuttgart, GermanyIOT-2016 7-9 Septermber, 2016, Stuttgart, Germany
IOT-2016 7-9 Septermber, 2016, Stuttgart, Germany
 
Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...
 
Principles and risk assessment of managing distributed ontologies hosted by e...
Principles and risk assessment of managing distributed ontologies hosted by e...Principles and risk assessment of managing distributed ontologies hosted by e...
Principles and risk assessment of managing distributed ontologies hosted by e...
 

More from Brussels Legal Hackers

20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele
20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele
20190316 - CLBFest - Blockchain & the law - Willem Van de WieleBrussels Legal Hackers
 
20190316 - CLBFest - Blockchain is WTF - Gerrie Smits
20190316 - CLBFest - Blockchain is WTF - Gerrie Smits20190316 - CLBFest - Blockchain is WTF - Gerrie Smits
20190316 - CLBFest - Blockchain is WTF - Gerrie SmitsBrussels Legal Hackers
 
20190316 - CLBFest - 1337 to legal - Koen Vingerhoets
20190316 - CLBFest - 1337 to legal - Koen Vingerhoets20190316 - CLBFest - 1337 to legal - Koen Vingerhoets
20190316 - CLBFest - 1337 to legal - Koen VingerhoetsBrussels Legal Hackers
 
20190316 - CLBFest - GDPR & Blockchain - Axel Beelen
20190316 - CLBFest - GDPR & Blockchain - Axel Beelen20190316 - CLBFest - GDPR & Blockchain - Axel Beelen
20190316 - CLBFest - GDPR & Blockchain - Axel BeelenBrussels Legal Hackers
 
20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman
20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman
20190316 - CLBFest - Cryptocurrencies and tax - Hendrik PutmanBrussels Legal Hackers
 
20190221 Algorithmic transparency and accountability in practice
20190221 Algorithmic transparency and accountability in practice20190221 Algorithmic transparency and accountability in practice
20190221 Algorithmic transparency and accountability in practiceBrussels Legal Hackers
 
20190221 Data subject rights in practice
20190221 Data subject rights in practice20190221 Data subject rights in practice
20190221 Data subject rights in practiceBrussels Legal Hackers
 
20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreements20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreementsBrussels Legal Hackers
 
20171108 IAPP Congress - Privacy by Design presentation
20171108 IAPP Congress - Privacy by Design presentation20171108 IAPP Congress - Privacy by Design presentation
20171108 IAPP Congress - Privacy by Design presentationBrussels Legal Hackers
 
20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUNBrussels Legal Hackers
 
20170601 - Digital festival presentation
20170601 - Digital festival presentation20170601 - Digital festival presentation
20170601 - Digital festival presentationBrussels Legal Hackers
 
20170620 MEETUP intro to blockchain and smart contracts (2)
20170620 MEETUP intro to blockchain and smart contracts (2)20170620 MEETUP intro to blockchain and smart contracts (2)
20170620 MEETUP intro to blockchain and smart contracts (2)Brussels Legal Hackers
 
20170620 MEETUP smart contracts proof of concept for prescriptions
20170620 MEETUP smart contracts proof of concept for prescriptions20170620 MEETUP smart contracts proof of concept for prescriptions
20170620 MEETUP smart contracts proof of concept for prescriptionsBrussels Legal Hackers
 
20170620 MEETUP intro to blockchain and smart contracts (1)
20170620 MEETUP intro to blockchain and smart contracts (1)20170620 MEETUP intro to blockchain and smart contracts (1)
20170620 MEETUP intro to blockchain and smart contracts (1)Brussels Legal Hackers
 
20170122 MEETUP on autonomous vehicles
20170122 MEETUP on autonomous vehicles20170122 MEETUP on autonomous vehicles
20170122 MEETUP on autonomous vehiclesBrussels Legal Hackers
 
20170122 intro MEETUP on autonomous vehicles
20170122 intro MEETUP on autonomous vehicles20170122 intro MEETUP on autonomous vehicles
20170122 intro MEETUP on autonomous vehiclesBrussels Legal Hackers
 

More from Brussels Legal Hackers (20)

20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele
20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele
20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele
 
20190316 - CLBFest - Blockchain is WTF - Gerrie Smits
20190316 - CLBFest - Blockchain is WTF - Gerrie Smits20190316 - CLBFest - Blockchain is WTF - Gerrie Smits
20190316 - CLBFest - Blockchain is WTF - Gerrie Smits
 
20190316 - CLBFest - 1337 to legal - Koen Vingerhoets
20190316 - CLBFest - 1337 to legal - Koen Vingerhoets20190316 - CLBFest - 1337 to legal - Koen Vingerhoets
20190316 - CLBFest - 1337 to legal - Koen Vingerhoets
 
20190316 - CLBFest - GDPR & Blockchain - Axel Beelen
20190316 - CLBFest - GDPR & Blockchain - Axel Beelen20190316 - CLBFest - GDPR & Blockchain - Axel Beelen
20190316 - CLBFest - GDPR & Blockchain - Axel Beelen
 
20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman
20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman
20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman
 
20190221 Algorithmic transparency and accountability in practice
20190221 Algorithmic transparency and accountability in practice20190221 Algorithmic transparency and accountability in practice
20190221 Algorithmic transparency and accountability in practice
 
20190221 Data subject rights in practice
20190221 Data subject rights in practice20190221 Data subject rights in practice
20190221 Data subject rights in practice
 
20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreements20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreements
 
20180607 - Tech Summit presentation
20180607 - Tech Summit presentation20180607 - Tech Summit presentation
20180607 - Tech Summit presentation
 
20180317 CLBfest 2018 - Trase
20180317 CLBfest 2018 - Trase20180317 CLBfest 2018 - Trase
20180317 CLBfest 2018 - Trase
 
20171108 IAPP Congress - Privacy by Design presentation
20171108 IAPP Congress - Privacy by Design presentation20171108 IAPP Congress - Privacy by Design presentation
20171108 IAPP Congress - Privacy by Design presentation
 
20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN20171106 - Privacy Design Lab - LINDDUN
20171106 - Privacy Design Lab - LINDDUN
 
20170601 - Digital festival presentation
20170601 - Digital festival presentation20170601 - Digital festival presentation
20170601 - Digital festival presentation
 
20170801 GDPR Q&A intro
20170801 GDPR Q&A intro20170801 GDPR Q&A intro
20170801 GDPR Q&A intro
 
20170620 MEETUP intro to blockchain and smart contracts (2)
20170620 MEETUP intro to blockchain and smart contracts (2)20170620 MEETUP intro to blockchain and smart contracts (2)
20170620 MEETUP intro to blockchain and smart contracts (2)
 
20170620 MEETUP smart contracts proof of concept for prescriptions
20170620 MEETUP smart contracts proof of concept for prescriptions20170620 MEETUP smart contracts proof of concept for prescriptions
20170620 MEETUP smart contracts proof of concept for prescriptions
 
20170620 MEETUP intro to blockchain and smart contracts (1)
20170620 MEETUP intro to blockchain and smart contracts (1)20170620 MEETUP intro to blockchain and smart contracts (1)
20170620 MEETUP intro to blockchain and smart contracts (1)
 
20170418 MEETUP on Creative Commons
20170418 MEETUP on Creative Commons20170418 MEETUP on Creative Commons
20170418 MEETUP on Creative Commons
 
20170122 MEETUP on autonomous vehicles
20170122 MEETUP on autonomous vehicles20170122 MEETUP on autonomous vehicles
20170122 MEETUP on autonomous vehicles
 
20170122 intro MEETUP on autonomous vehicles
20170122 intro MEETUP on autonomous vehicles20170122 intro MEETUP on autonomous vehicles
20170122 intro MEETUP on autonomous vehicles
 

Recently uploaded

Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 

Recently uploaded (20)

Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 

DPbD, DPIA: Aligning technical and legal views

  • 1. Data Protection Impact Assessment and Data Protection by Design The need for an interdisciplinary approach Pierre Dewitte – KU Leuven CiTiP-imec pierre.dewitte@kuleuven.be @PiDewitte
  • 2. DPbD, DPIA: A tale of two methodologies 2
  • 3. According to Articles 24(1) and 25(1) GDPR, NSA and legal literature, controllers are under the obligation to: 1. Adopt a risk-based approach o Requires taking into account elements such as the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, the risks for the rights and freedoms of data subjects 2. When implementing appropriate technical and organisational measures o Suggests a close collaboration between experts in various disciplines 3. To ensure and demonstrate compliance with the Regulation o Requires the implementation of appropriate mitigation strategies o Requires a layer of demonstrability (accountability) 4. Both at the time of the determination of the means for processing and at the time of the processing itself o As of the design stage, and throughout the entire data processing lifecycle Data Protection by Design
  • 4. Following the combined reading of Article 35(7), WP29, NSA and legal literature, a DPIA essentially consists of the following steps: Data Protection Impact Assessment (Threshold assessment) Description of the processing activities Identification and documentation of the risks Implementation of appropriate mitigation strategies A degree of accountability for the whole process (External review) (Publication of the outcome) Continuous review and update
  • 5. Not so different? Description of the system Risk assessment and implementation of appropriate mitigation strategies Accountability
  • 7. • DPbD, DPIA and risk assessment are essentially interdisciplinary approaches, involving both software engineers and lawyers • Clear dichotomy between the way software engineers and lawyers practically implement those requirements: Yet, in practice… Software engineers • Technical concepts • Technical view on the system, overinclusive • Risks understood from a narrower perspective • Agile, (partially) automated Lawyers • Legal concepts • Legal view, often disconnected from reality • Risks to data subject’s rights and freedoms • Rigid, manual E.g. LINDDUN privacy threat modelling methodology E.g. CNIL PIA guidance and open source tool
  • 8. • Meaningful transparency, either ex-ante or ex-post, relies on the premise that one does know exactly what happens within a system o As underlined earlier, lawyers often lack the technical knowledge to understand all the processing activities happening within a system o This negatively impacts the drafting of comprehensive, adequate and up- to-date privacy policies since understanding is a prerequisite o As demonstrated during the empirical study on the right of access, this also hinder the exercise of data subject’s rights Impact on transparency An efficient DPbD methodology aligning the technical and legal views of a system would significantly facilitate the compliance with transparency requirements, but not only
  • 10. The PRiSE project Privacy-by-design Regulation in Software Engineering (PRiSE), KU Leuven CiTiP and DistriNet, <https://www.law.kuleuven.be/citip/en/research/projects/ongoing/prise> Description of the system Risk assessment and implementation of appropriate mitigation strategies Accountability Meta-model (input) Meta-model (output) Extraction of documents
  • 11. The PRiSE meta-model (input) Dewitte et al., ‘A Comparison of System Description Models for Data Protection by Design’, Proceedings of the 2019 Symposium on Applied Computing, Limassol, 8 April 2019. • Software engineers rely on threat modelling techniques such as STRIDE or LINDDUN for the elicitation of security and privacy threats. • Those methodologies are based on Data Flow Diagrams (DFD) which are mainly built using the following architectural modelling requirements: events, processes, responses, data sources and recipients. Fig. 1: Example of DFD using UML
  • 12. The PRiSE meta-model (input) • A DPIA usually starts with the systematic description of the processing activities. • Guidance has been issued by the Article 29 Working Party as to the elements that must be documented, which led to the extraction of the following legal modelling requirements: personal data, data subject, processing, purpose, lawful ground, controller, processor, third party, recipient, representative, storage period and supporting assets. Fig. 2: Example of system description using CNIL’s template Dewitte et al., ‘A Comparison of System Description Models for Data Protection by Design’, Proceedings of the 2019 Symposium on Applied Computing, Limassol, 8 April 2019.
  • 13. The PRiSE meta-model (input) • No methodology supports both legal and architectural modelling requirements. • Both assessments therefore rely on a different conception of the system. o DPIAs overlook technical specificities that could nonetheless prove relevant from a data protection perspective (e.g. non personal data flows). o Threat modelling methodologies, on the other hand, omit GDPR-specific concepts (e.g. lawful grounds (Art. 5(1)a and 6(1) and purposes (Art. 5(1)b) that are crucial to achieve in-depth, efficient compliance with the Regulation. Tab. 1: Evaluation of existing DPIA/threat modelling methodologies w.r.t. legal and architectural modelling requirements Dewitte et al., ‘A Comparison of System Description Models for Data Protection by Design’, Proceedings of the 2019 Symposium on Applied Computing, Limassol, 8 April 2019.
  • 14. • When building the meta-model, the following choices were made: o Rely on GDPR terminologies and concepts, rather than on technical abstractions (entity, process, data store, data flow, etc. but rather controller, processor, processing, further processing, etc.) o Rely on software engineer’s way to describe a system rather than on the overly simplified descriptions often found in most DPIA methodologies (UML class diagram) o Rely on the abstractions that are necessary to perform the various checks that are required by the GDPR (avoids overinclusivity, allows superposition of the technical view if necessary) The PRiSE meta-model (input) A sound description of the system which reconciles the data protection and technical views of a system is the essential first step of a consistent, in-depth and agile DPbD methodology Sion et al., ‘An Architectural View for Data Protection by Design’, Proceedings of the 2019 International Conference on Software Architecture, Hamburg, 29 March 2019
  • 15. Work in progress, for demonstration purposes only Sion et al., ‘An Architectural View for Data Protection by Design’, Proceedings of the 2019 International Conference on Software Architecture, Hamburg, 29 March 2019
  • 16. • Modelling a system using the meta-model allows for: o Fully automated checks (constraints imposed by the meta-model itself) o Semi automated checks (‘Clippy’-like support providing relevant guidance, resources and indications) o Manual checks (checks that are not directly supported by the meta- model, but whose assessment is facilitated by the meta-model). The PRiSE meta-model (output) Example with Art. 5(1)b GDPR - Purpose specification is fully automated, since the meta-model will requires one or more ProcessingPurpose for every CollectionActivity - Compatibility assessment is semi automated, since the meta-model will pair every FurherProcessingActivtiy with the original ProcessingPurpose, the LegalBasis, the DataSubjectType and the DataType and raise the necessity to conduct such an assessment, together with guidance as to the relevant criteria. Sion et al., ‘An Architectural View for Data Protection by Design’, Proceedings of the 2019 International Conference on Software Architecture, Hamburg, 29 March 2019
  • 17. • Thanks to correspondence rules introduced between the technical and the data protection view, changes in the former are reflected in the latter, and vice-versa o Addresses architectural erosion o For instance, the introduction of a new data flow in the technical view will be considered as a new FurherProcessingActivtiy, which, in turn, will trigger all the necessary checks (i.e. compatibility assessment, new actor, rules on transfer, etc. ) and pair them with the relevant information • Tool support will be developed to allow the extraction of documents reflecting the data protection view built according to the meta-model o Streamlines the production of accountability documents o Format and content of the documents flexible The PRiSE meta-model (agility and extraction of documents) Sion et al., ‘An Architectural View for Data Protection by Design’, Proceedings of the 2019 International Conference on Software Architecture, Hamburg, 29 March 2019
  • 18. Of software engineers and lawyers
  • 20. • Once the controller is fully aware of what is exactly happening within its system, it must communicate that information to data subjects • Article 12(1) GDPR pairs the obligation of transparency with several modalities, be it for information included in the privacy policy or provided to data subject following the exercise of their rights o See Article 29 Working Party guidelines on transparency (WP260) • Concise + Transparent = data controllers should present the information/ communication efficiently and succinctly in order to avoid information fatigue + clearly differentiated from other non-privacy related information such as contractual provisions; online: layered privacy notice Modalities surrounding transparency
  • 21. • Intelligible = understood by an average member of the intended audience ( = (1) identify intended audience + (2) ascertain level of understanding; + (3) regularly check) • Easily accessible = data subject should not have to seek out the information (=immediately apparent); online: by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface • Clear and plain language = best practices for clear writing: avoid complex sentences + concrete (≠ “may”, “might”, “some”, “often”, “possible”, “research”, “personalisation”) + active voice – legalese, technical vocabulary + translation when targeting data subjects speaking different languages Modalities surrounding transparency
  • 22. • In writing or by other electronic means = method chosen to provide information must be appropriate to the circumstance (e.g. written only for screenless devices such as IoT is wrong); means: layered privacy notice; “just-in-time” contextual pop-up notices, 3D touch or hover- over notices, privacy dashboards, cartoons, infographics or flowcharts • Appropriate measures = taking into account the device used, the nature of the user interfaces/interactions with the controller and the relevant limitations; trial different modalities by way of user testing • Other means = for specific environments: hard copy, oral explanation, icons, GR codes, videos, SMS, email, public signage, newspapers campaigns, notice in media, etc. Modalities surrounding transparency A job for lawyers only?
  • 23. • Most interactions between data subjects and controllers happen through computerized interfaces, especially in the context of: o Transparency requirements (e.g. legibility/availability of a privacy policy; c.f. WP29 guidelines) o The exercise of data subject’s rights (e.g. erasure, access, etc.) The role of design scientists GDPR and HCI, perfect match? A data protection lawyer’s perspective on CHI 2018, CiTiP blog, <https://www.law.kuleuven.be/citip/blog/gdpr-and-hci-a-perfect-match-a- data-protection-lawyers-perspective-on-chi-2018/> Controller Data subject
  • 24. • Many initiatives in the field of HCI (Human Computer Interaction) address the need for user-friendly, efficient transparency: o Methodology taking both controllers’ and data subjects’ expectation into account at the interface design stage (Eiband et al.) o Exploration of design spaces for effective privacy notice (Schaub et al.) o Field-testing user’s expectations of transparency (Lyngs et al.) o Exposing nudges for privacy and security (Acquisti et al.) o Development of privacy languages (Zhao et al.) o Interactive display visualizing data subject’s exposure to third party tracking activities on smartphone app (Van Kleek et al.) The role of design scientists GDPR and HCI, perfect match? A data protection lawyer’s perspective on CHI 2018, CiTiP blog, <https://www.law.kuleuven.be/citip/blog/gdpr-and-hci-a-perfect-match-a- data-protection-lawyers-perspective-on-chi-2018/> Design science is a fertile ground to develop intrinsically interdisciplinary solutions to address the many challenges raised by transparency
  • 25. Of design scientists and lawyers
  • 26. Transparency – and GDPR compliance altogether – is a truly interdisciplinary endeavour
  • 27. Thanks for your attention! KU Leuven Centre for IT & IP Law (CiTiP) – imec www.law.kuleuven.be/citip