The document summarizes a presentation given on data protection impact assessments (DPIAs) and the challenges of conducting them. It discusses the GDPR requirements for DPIAs, potential challenges like ensuring the right expertise, transparency of the process, and quality of the assessment. It also provides a case study of the iTRACK project, which developed an intelligent tracking platform for humanitarian aid workers, and describes their experience conducting an ethics and privacy impact assessment.

1. Data Protection Impact
Assessments: Examining the
challenges
Rowena Rodrigues & Julia Muraszkiewicz, Trilateral Research Ltd.
Workshop on implementation of the EU GDPR Privacy Impact Assessment
Brussels Privacy Hub,
4 October 2016
4 October 2016

2. Trilateral Research Ltd.
• Impact assessments
• Policy & regulatory advice
• Research services
• Technology assessment
• Data Services
• Training
•Government
•Inter-govermental organisations
•Humanitarian agencies
•Critical infrastructure
• Social science
• Science & Technology
• Economics
• Law
• Data analytics
• Privacy & data protection
• Security & surveillance
• Data science
• Crisis & disaster management
Deep
Expertise
Multiple
Disciplines
Core
Services
Key
Sectors
 Trilateral Research Ltd is a leading
London-based research services
company.
 We provide research, risk analysis,
advisory services and technology
solutions related to privacy, data
protection, new and emerging
technologies and policy.
 Small enterprise (SME) ≈20 staff
members representing over 10
different countries.
 Almost all research and technical staff
have postdoctoral experience (≈90%
have PhDs).
 Extensive publication list and excellent
international profile.

3. • In 2000, 41 significant attacks on aid workers were recorded
across the globe. By 2014, that number had risen to 190. In this
15-year period, over 3,000 aid workers have been killed, injured
or kidnapped.
• A novel and innovative approach to tracking and decision-making
is needed. iTRACK will achieve this through an interdisciplinary,
socio-technical approach, which will draw on the latest advances
in sensor development, visual data collection, location tracking,
artificial intelligence, information management, risk analysis, and
humanitarian logistics.
• The system will take into account a range of ethical and privacy
principles.
• The iTRACK system will be deployed, implemented and tested in
simulations with humanitarian practitioners. Pilot applications
with the World Food Programme and iMMAP in the on-going
conflict disasters in the Middle East.
EU funded:
Horizon 2020
12 partners
from 8 EU
states and
UNWFP
Aim: next
generation
intelligent
tracking
platform
3 years

4. • Aims to develop a common European framework for ethical assessment of research and
innovation.
• A 4-year project funded by the European Commission.
• Some key outputs:
• Comparative analysis of ethics assessment practices
• Report (Handbook) of participatory processes
• Report on legal frameworks that guide or constrain ethical procedures within research in
the EU
• Report on international differences in research cultures, ethical standards and legal
frameworks
• CEN Workshop Agreement: Ethics Assessment of Research & Innovation: open for public
consultation till 15 Nov 2016.

5. Structure of presentation
1. GDPR and data protection impact assessments (DPIAs).
2. Challenges in conducting a DPIA: based on lessons
particularly from ethical impact assessment guidance
(SATORI) and ethical, legal and societal impact
assessment (PULSE).
3. Case study: iTRACK project E/PIA experience.

6. DPIAs: the benefits
Tool to support data protection compliance.
Help meet individuals’ expectations of privacy.
Help organisations identify risks, fix problems, at an early stage,
reducing associated costs and damage to reputation.
Help organisations create efficient and effective data handling
processes.
Facilitate engagement-led data protection good practice learnings.

7. GDPR on DPIAs: Recital 84
WHY: to enhance compliance with the Regulation where processing
operations are likely to result in a high risk to the rights and freedoms
of natural persons.
WHO SHOULD DO WHAT: the controller should be responsible for
carrying out of a DPIA to evaluate, in particular, the origin, nature,
particularity and severity of that risk.
BENEFIT: The outcome of the assessment should be taken into
account when determining the appropriate measures to be taken in
order to demonstrate that the processing of personal data complies
with the Regulation.

8. DPIAs are required for cases of:
1. A systematic and extensive evaluation of personal aspects relating to
natural persons which is based on automated processing, including
profiling, and on which decisions are based that produce legal effects
concerning the natural person or similarly significantly affect the natural
person.
2. Processing on a large scale of special categories of data, or of personal
data relating to criminal convictions and offences or related security
measures.
3. A systematic monitoring of a publicly accessible area on a large scale.
Article 35 (3). See also Recitals 89-90.

9. Contents of the DPIA: Article 35 (7)
A systematic description of the envisaged processing operations, the purposes of the processing,
including, where applicable, the legitimate interest pursued by the controller.
An assessment of the necessity and proportionality of the processing operations in relation to the
purposes.
An assessment of the risks to the rights and freedoms of data subjects, and
The measures envisaged to address the risks, including safeguards, security measures and mechanisms to
ensure the protection of personal data and to demonstrate compliance with this Regulation taking into
account the rights and legitimate interests of data subjects and other persons concerned.

10. Risks of getting a DPIA wrong
Non-compliance with the Regulation.
Risk to the rights and freedoms of natural persons.
Resistance to products, services, schemes, by customers,
end users, citizens.
Loss of investment, funding and reputation.
Media censure.

11. The challenges
The right
expertise
Appropriateness
Adequacy
and
thoroughness
Engagement
Quality
Transparency

12. ‘The right expertise’
• Who will be the assessor: the data controller….project manager? In-
house staff member?
• Does the DPIA assessor have the right expertise?
• Team approach: use of in-house experts e.g. consult data protection
officer.
• Seek external inputs from experts: will help identify impacts + boost
trust in findings
• In high impact cases: use external assessors = robust and trustworthy
DPIA.

13. ‘Appropriateness’
• Is a DPIA the right type of assessment?
• Is it the only one that is needed in the situation?
• Is a broader one required ? I.e. one that takes into account
other legal, ethical and/or societal requirements?
• Who should take this decision, and on what basis?

14. ‘Adequacy’ & ‘thoroughness’
• DPIA should not be a ‘whitewash’.
• Is the assessment adequate for the type of processing?
• Has the assessment been thorough? Does it take into account the
four key elements: Origin+Nature+Severity+Mitigation
• Designate responsibility for adequacy: senior management? Board of
Directors? Coordinator of project?
• Carry out a review to assess adequacy and thoroughness.
• Consult with supervisory authority.

15. ‘Engagement’
• Has the DPIA process engaged stakeholders?
• Are they the appropriate ones? Do they cover relevant perspectives?
• Internal: project management team, data protection officer, technical
experts, senior management, researchers, data processors, compliance,
communications etc.
• External: affected parties, data subjects, their representatives, supervisory
authorities etc.
• Is it optimised so stakeholders can have meaningful impact? Early
enough?
• Have the right mechanisms been used?

16. ‘Quality’
• Run an Article 35(7) check:
• Does the DPIA properly describe the processing operations and the purposes,
including, legitimate interests pursued by the controller?
• Does it adequately assess the necessity and proportionality of the processing
in relation to the purpose?
• Does it adequately assess the risks to individuals?
• Does it clearly outline the measures to address risk, including security and to
demonstrate compliance? (including responsibilities?)
• Potentially, use other evaluation criteria to assess/review the quality of your
DPIA: e.g. Kush Wadhwa & Rowena Rodrigues (2013): Evaluating privacy impact
assessments, Innovation: The European Journal of Social Science Research,
http://dx.doi.org/10.1080/13511610.2013.761748

17. ‘Transparency’: Process and results
• Has the process of conducting the DPIA been transparent?
• E.g. external consultation
• Are results available to stakeholders? To the public?
• Publication of DPIA report in full or summary form highly recommended.
• Improves accountability.
• Increase the public’s understanding of how information is, or will be used.

18. Case study

19. It was 10 am in the morning, when the first iTRACK alert came about new attacks to a small town in the Middle
East.
The alert was sent from staff working in a hospital in a town using the iTRACK app. Immediately, other civilian
responders working in the regions received the report, and were advised to take protective measures. At the
same time, a humanitarian convoy en route to the hospital was automatically informed and re-routed to the
next warehouse with free capacity.
Meanwhile, the activated iTRACK sensing devices on the assets and vehicles in town, combined with satellite
imagery allowed for continuous updates of the threats and risks. Rather than having to rely on reports from
different, and unreliable sources, unfiltered social media feeds and updates by the armed actors, the iTRACK
system provided trusted and direct data from the ground. An analysis of threat patterns and the damages that
occurred, was used for a rapid assessment of humanitarian impact and needs. Updates were then sent to the
iTRACK subscribers, who started to preposition vehicles and goods to respond to the novel humanitarian
situations and alleviate the suffering of the people on the ground in a safer and more efficient way.
Fictitious case study

20. Approach
Agreeing on
principles and
definitions
Interviews
Mapping of
information flows
in the system
architecture
Stakeholder
workshop
Mapping out the
risks and solutions
Review and audit
of ethical and
privacy
assessments by an
independent third-
party
Publications

21. How to identify the risks emanating from threats and vulnerabilities:
 A threat has capabilities to exploit vulnerabilities, it can be accidental, deliberate, natural or
human and can originate from within or outside the project e.g. hackers, theft, natural hazards,
etc.,
 Vulnerability is a weakness that makes the technology susceptible to
problems/attacks/exploitation/etc. e.g., employee who does not understand data protection
laws
 A risk is the impact of a threat acting on a vulnerability, e.g. reputation loss
THREAT: Hacker
VULNERABILITY: Insecure server
RISK: Reputational damage due to loss of personal and potentially sensitive data.
What is a risk?

22. Key notions in ethics and data protection & privacy
 Dignity
 Consent
 Avoiding harm
 Safety
 Social solidarity, inclusion and exclusion
 Discrimination and profiling
 Accessibility
 Sustainability
 Collection limitation
 Data quality
 Use limitation
 Transparency
 Individual participation and access to data
 Anonymity
 Privacy of the person
 Privacy of personal behaviours

23. Root of principles - GDPR
 Article 17 – Right to erasure (“right to be forgotten”)
 Article 21 – Right to object – on grounds including profiling
 Article 22 – Right not to be subject to a decision based solely on automated processing,
including profiling
 Article 25 – Data protection by design and by default
 Implement appropriate technical and organisational measures designed to implement
data protection principles
 Article 32 – Security of processing
 Implement appropriate technical and organisation measures to ensure level of security
appropriate for risk
 Article 35 – Data Protection Impact Assessment

24. Root of principles - other
We also broadened out beyond the GDPR:
 ISO/IEC 29100:2011
 ISO/IEC 27001:2005
 Universal Declaration on Human Rights 1948
 European Convention on Human Rights 1953
 Charter of Fundamental Human Rights of the European Union
2009*

25. More than just a DPIA: ethics are important!
 iTRACK’s technologies require ethical analysis: location tracking, health monitoring, image surveillance, social
media data collection, messaging services.
 Potentially vulnerable users: humanitarian workers pressured in emergency situations.
 Thus, based on the Kantian idea of respect for the dignity of the person. When the self can be technologically
invaded without permission and even often without the knowledge of the person, dignity and liberty are
diminished.
 An E/PIA can help understand, assess, analyse and potentially mitigate, reduce, or avoid a range of risks.
 The E/PIA will also benefit the iTRACK consortium by ensuring that:
 Harm to individuals is reduced, avoided, minimised.
 Unnecessary costs are avoided.
 Trust and reputation are maintained.
 Ethical and privacy principles are taken into account.

26.  Rowena Rodrigues: rowena.rodrigues@trilateralresearch.com
www.satoriproject.eu
Follow us on Twitter: @SATORI_EU
 Julia Muraszkiewicz: julia.muraszkiewicz@trilateralresearch.com
www.itrack-project.eu
Follow us on Twitter:@iTRACKProject1
Contact us: