A Data Protection Impact Assessment Methodology for Cloud

  • Rehab Alnemr
  • Erdal Cayirci
  • Lorenzo Dalla Corte
  • Alexandr Garaga
  • Ronald Leenes
  • Rodney Mhungu
  • Siani Pearson
  • Chris Reed
  • Anderson Santana de Oliveira
  • Dimitra Stefanatou
  • Katerina Tetrimida
  • Asma Vranaki
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9484)

Abstract

We propose a data protection impact assessment (DPIA) method based on successive questionnaires for an initial screening and for a full screening for a given project. These were tailored to satisfy the needs of Small and Medium Enterprises (SMEs) that intend to process personal data in the cloud. The approach is based on legal and socio-economic analysis of privacy issues for cloud deployments and takes into consideration the new requirements for DPIAs within the European Union (EU) as put forward by the proposed General Data Protection Regulation (GDPR). The resultant features have been implemented within a tool.

Keywords

Data protection impact assessment, EU GDPR, Cloud, Privacy

Notes

Acknowledgement

This work is part of the EU-funded FP7 project, grant number 317550, titled “Accountability for Cloud and Other Future Internet Services” (A4Cloud, http://www.a4cloud.eu/).

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Rehab Alnemr (1)
  • Erdal Cayirci (2)
  • Lorenzo Dalla Corte (3)
  • Alexandr Garaga (4)
  • Ronald Leenes (3)
  • Rodney Mhungu (3)
  • Siani Pearson (1)
  • Chris Reed (5)
  • Anderson Santana de Oliveira (4)
  • Dimitra Stefanatou (3)
  • Katerina Tetrimida (3)
  • Asma Vranaki (5)

  1. HP Labs, Bristol, UK
  2. Stavanger University, Stavanger, Norway
  3. Tilburg University, Tilburg, The Netherlands
  4. SAP Labs, Mougins, France
  5. Queen Mary University of London, London, UK
