When do data become risk?

Since May 2018, anyone who processes data and could thereby endanger the rights of individuals must carry out a data protection impact assessment. The interdisciplinary "Forum Privatheit" has compiled a white paper on how companies and public authorities can proceed.

Privacy impact assessment

A new white paper by Forum Privatheit, coordinated by the Fraunhofer Institute for Systems and Innovation Research ISI, deals with the possible design of future data protection impact assessments (DSFA, the German abbreviation) and provides guidance on their practical implementation. Because these instruments will become mandatory for technology providers and system operators with the introduction of the European General Data Protection Regulation in 2018, the white paper "Data Protection Impact Assessment - A Tool for Better Data Protection" provides the first basic information on this innovation. The impact assessments are intended to help technology providers, data protection supervisory authorities and the public to assess the data protection risks posed primarily by data processing technologies and to keep those risks as low as possible from the outset.

Many services and offerings on the Internet, such as online shopping, social networking or even government websites, often collect personal data. So far, users have only been able to escape this practice by deliberately not using certain services; otherwise they have to agree to the collection of their data. The risks this entails have so far been little known to the public, even though the media repeatedly report on data misuse or data breaches.

In order to better assess possible risks from data processing practices in the future, many technology providers and system operators will have to carry out data protection impact assessments for their offerings and services from 2018. However, it remains to be seen how and according to what criteria this will be done. The white paper "Data Protection Impact Assessment - A Tool for Better Data Protection" by Forum Privatheit addresses this issue and develops the first outlines for the design of future data protection impact assessments and their practical implementation. This discussion is important because, following the adoption of the General Data Protection Regulation in 2016, the EU member states will immediately begin to put it into practice by 2018.

Impact assessments indicate data protection deficiencies at an early stage

Dr. Michael Friedewald, who conducts research at Fraunhofer ISI on the impact of new technologies on data protection and privacy and is one of the co-authors of the white paper, emphasizes the great importance of the impact assessments: "Data protection impact assessments not only enable a better assessment of the risks posed by existing data processing technologies, but also, as a kind of 'early warning system', point out possible negative consequences for data protection at an early stage and during the development stage. Existing data protection deficiencies can thus be identified in good time and corrected during technology development. In the sense of 'Privacy by Design', data protection is thus better integrated from the outset when new devices or applications are introduced."

The data protection impact assessments that will be required by law in the future will bring advantages for very different target groups: technology providers and system operators will be able to better control technology development and will not have to make subsequent improvements to data protection.

Avoiding data breaches also eliminates the costs of rectifying them, possible claims for damages and damage to public image. This will also benefit citizens, who in future will be able to decide more easily on the basis of impact assessments which online services they wish to use or not. Certificates could be used, for example, to quickly check whether providers or operators have taken account of affected parties' rights - and companies could thus also underscore their desire to respect these rights.

Data protection impact assessments help supervisory authorities to carry out their tasks

In addition to technology providers and users, data protection impact assessments are particularly useful for supervisory authorities: carrying out standardised impact assessments would, for example, improve the performance of their supervisory duties and help to identify weaknesses in data protection or infringements more quickly. In addition, supervisory authorities could give technology vendors and system operators guidance on how to improve products or overall data processing practices.

In order for data protection impact assessments to reach their full potential in the future, they should be carried out several times rather than just once, for example at the beginning of a product life cycle. This could change the overall practice of data collection and make businesses more aware of the need to respect citizens' rights, which they often do not know in detail. "Control dilemmas" and delayed improvements to strengthen data protection at the end of the development phase would thus become obsolete, which would benefit all parties concerned.

In the BMBF-funded Forum Privatheit, national and international experts deal with issues relating to the protection of privacy on an interdisciplinary basis and over a period of three years. The project is coordinated by Fraunhofer ISI; the partners are Fraunhofer SIT, the University of Hohenheim, the University of Kassel, Eberhard Karls University Tübingen, the Independent State Centre for Data Protection Schleswig-Holstein and Ludwig Maximilian University Munich. The research results of Forum Privatheit are not only incorporated into the scientific discourse, but are also intended to inform citizens about privacy issues.

Further information on the privacy impact assessment can be found in the white paper published by Forum Privatheit:

White Paper "Privacy Impact Assessment - A Tool for Better Data Protection". Michael Friedewald, Hannah Obersteller, Maxi Nebel, Felix Bieker, Martin Rost. 3rd edition, November 2017.