Abstract
Privacy Impact Assessments (PIAs) play a crucial role in providing privacy protection for data subjects and supporting risk management. From an engineering perspective, the core of a PIA is a risk assessment, which typically follows a step-by-step process of risk identification and risk mitigation. In order for a PIA to be holistic and effective, it needs to be complemented by an appropriate privacy risk model that considers legal, organisational, societal and technical aspects. We propose a data-centric approach for identifying and analysing potential privacy risks in a comprehensive manner.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Alshammari, M., Simpson, A.: A UML profile for privacy-aware data lifecycle models. In: Katsikas, S.K., et al. (eds.) CyberICPS/SECPRE -2017. LNCS, vol. 10683, pp. 189–209. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72817-9_13
Alshammari, M., Simpson, A.: Personal data management: an abstract personal data lifecycle model. In: Teniente, E., Weidlich, M. (eds.) BPM 2017. LNBIP, vol. 308, pp. 685–697. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-74030-0_55
Alshammari, M., Simpson, A.C.: Towards an effective PIA-based risk analysis: an approach for analysing potential privacy risks (2017). http://www.cs.ox.ac.uk/publications/publication11663-abstract.html
BSI (Bundesamt für Sicherheit in der Informationstechnik): Risk analysis on the basis of IT-Grundschutz, BSI Standard 100-3 (2008). https://www.bsi.bund.de/EN/TheBSI/thebsi_node.html
BSI (Bundesamt für Sicherheit in der Informationstechnik): IT-Grundschutz-Kataloge (2011). https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/itgrundschutzkataloge_node.html
Calo, R.: The boundaries of privacy harm. Indiana Law J. 86, 1131–1162 (2011)
Cavoukian, A.: Privacy by design (2009). https://www.privacybydesign.ca/content/uploads/2009/01/privacybydesign.pdf
Cavoukian, A., Shapiro, S., Cronk, R.J.: Privacy engineering: proactively embedding privacy, by design (2014). https://www.privacybydesign.ca/content/uploads/2014/01/pbd-priv-engineering.pdf
Clarke, R.: Privacy impact assessment: its origins and development. Comput. Law Secur. Rev. Int. J. Technol. Pract. 25(2), 123–135 (2009)
Commission Nationale de l’Informatique et des Libertés (CNIL): Methodology for privacy risk management (2016). https://www.cnil.fr/sites/default/files/typo/document/CNIL-ManagingPrivacyRisks-Methodology.pdf
Fineberg, A., Jeselon, P.: A foundational framework for a privacy by design – privacy impact assessment (2011). http://privacybydesign.ca/content/uploads/2011/11/PbD-PIA-Foundational-Framework.pdf
De, S.J., Le Métayer, D.: PRIAM: a privacy risk analysis methodology. In: Livraga, G., Torra, V., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/QASA -2016. LNCS, vol. 9963, pp. 221–229. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-47072-6_15
Nissenbaum, H.F.: Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford University Press, Stanford (2009)
Object Management Group: OMG Unified Modeling Language (OMG UML) (2015). http://www.omg.org/spec/UML/
Oetzel, M.C., Spiekermann, S.: A systematic methodology for privacy impact assessments: a design science approach. Eur. J. Inf. Syst. 23(2), 126–150 (2014)
Solove, D.J.: A taxonomy of privacy. Univ. Pennsylvania Law Rev. 154(3), 477–564 (2006)
The European Commission: The European Electronic Toll Service (EETS): 2011 Guide for the Application of the Directive on the Interoperability of Electronic Road Toll Systems (2011). http://ec.europa.eu/transport/themes/its/road/application_areas/electronic_pricing_and_payment_en
The European Union: Official Journal of the European Communities: Commission Decision 2009/750/EC of 6 October 2009 on the definition of the European Electronic Toll Service and its technical elements (2009). http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32009D0750&from=EN
Wright, D.: The state of the art in privacy impact assessment. Comput. Law Secur. Rev. 28(1), 54–61 (2012)
Wright, D., Wadhwa, K., De Hert, P., Kloza, D.: A Privacy Impact Assessment Framework for data protection and privacy rights (2011). http://www.piafproject.eu/Deliverables.html
Acknowledgments
The authors would like to thank the reviewers for their constructive comments.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Alshammari, M., Simpson, A. (2018). Towards an Effective Privacy Impact and Risk Assessment Methodology: Risk Analysis. In: Garcia-Alfaro, J., Herrera-JoancomartÃ, J., Livraga, G., Rios, R. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2018 2018. Lecture Notes in Computer Science(), vol 11025. Springer, Cham. https://doi.org/10.1007/978-3-030-00305-0_16
Download citation
DOI: https://doi.org/10.1007/978-3-030-00305-0_16
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00304-3
Online ISBN: 978-3-030-00305-0
eBook Packages: Computer ScienceComputer Science (R0)