We propose a data protection impact assessment (DPIA) method based on successive questionnaires for an initial screening and for a full screening for a given project. These were tailored to satisfy the needs of Small and Medium Enterprises (SMEs) that intend to process personal data in the cloud. The approach is based on legal and socio-economic analysis of privacy issues for cloud deployments and takes into consideration the new requirements for DPIAs within the European Union (EU) as put forward by the proposed General Data Protection Regulation (GDPR). The resultant features have been implemented within a tool.
- Data protection impact assessment
- EU GDPR
Cloud Accountability Project (A4Cloud) http://www.a4cloud.eu.
Note that even if the full-scale DPIA is not required, taking it nevertheless is beneficial because the questionnaire, guiding responses and assessment may help in raising the privacy bar of any project or service.
A secondary user group consists of concerned individuals who consider taking their data to the cloud. The tool will help them make considered choices regarding requirements for cloud service providers. A sister tool in the A4Cloud project, the Cloud Offerings Assistance Tool (COAT) can take these requirements to filter relevant cloud offerings for the user to choose from.
Both the European Parliament and the Council have agreed on their texts amending the Commission's initial proposal for a GDPR. Although there is broad agreement between the institutions on core issues, the exact wording is still to be decided (probably by the end of 2015) following a series of Trilogue Meetings.
For more on the concept of “future-proof” see under Sect. 3.5: Discussion.
Which will arguably embody the current state of the art in data protection legislation, as well as the result of the doctrinal elaboration of the concept over the last two decades.
For instance, Question 10 in Table 2 (“Are all the information and its subsets you handle necessary to fulfill the purposes of your project?”) or Question 17 (“Does your project involve the use of existing personal information for new purposes?”) were drafted by taking into consideration the already existing legal requirements.
For instance, Question 11 in Table 2 (“Is it possible for the individual to restrict the purposes for which you process the information?”).
The table we developed is composed of the following categories: the question; an explanation of the question; the question type (which frames the possible answers to be given by the users, e.g. radio buttons, checkboxes, or yes/no binary answers); responses shown to the users in order to educate them while they go through the questionnaire; and actions to be performed by the tool as a consequence of the users' answers (e.g. go to the next question). A weighting of the impact of the users' activities on data subjects' privacy and data protection was originally embedded in the table as well.
See supra note 4.
This is based on the intuition that the longer data is stored, the higher the likelihood that something happens to it. Of course this is not necessarily, or always, the case, but as a heuristic it may suffice to make the user think about data retention.
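To make the questionnaire structure of the preceding footnotes concrete (question, explanation, answer type, educational response, follow-up action and impact weight, plus the retention heuristic), here is an added toy model of a rule-driven screening. It is illustrative code written for this page, not the A4Cloud tool or its Drools rule base; every question, weight, response text and the threshold for recommending a full DPIA are constructed assumptions, and the question wording only loosely follows the Table 2 questions quoted in the footnotes.

```python
"""Toy model of a rule-driven DPIA screening questionnaire (added example).

Not the A4Cloud tool's code. Each Question carries the table categories the
paper describes: text, explanation, answer type, educational responses, an
impact weight derived from the answer, and an action that picks the next
question. The retention weight implements the heuristic that longer storage
means higher exposure. All questions, weights and thresholds are constructed.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple


@dataclass
class Question:
    qid: int
    text: str
    explanation: str
    qtype: str                                   # "yesno", "radio" or "number"
    options: Tuple[str, ...] = ()                # choices for radio questions
    responses: Dict[Any, str] = field(default_factory=dict)  # feedback per answer
    weight: Callable[[Any], float] = lambda a: 0.0           # impact of the answer
    next_q: Callable[[Any], Optional[int]] = lambda a: None  # tool action: next question


def retention_weight(months: int) -> float:
    """Retention heuristic: one point per year of storage, capped at five."""
    return min(months / 12.0, 5.0)


# Constructed questionnaire; wording loosely modelled on Table 2 as quoted above.
QUESTIONS: Dict[int, Question] = {
    1: Question(1, "Does your project process personal data?",
                "Any information relating to an identified or identifiable person.",
                "yesno",
                responses={False: "No personal data: no DPIA screening is needed."},
                next_q=lambda a: 2 if a else None),
    2: Question(2, "Does your project use existing personal information for new purposes?",
                "Re-use beyond the original purpose needs its own legal basis.",
                "yesno",
                responses={True: "Purpose limitation: document the legal basis for the new purpose."},
                weight=lambda a: 2.0 if a else 0.0,
                next_q=lambda a: 3),
    3: Question(3, "Is all the information you handle necessary to fulfil the project's purposes?",
                "Data minimisation: collect only what the purpose requires.",
                "yesno",
                responses={False: "Consider dropping or anonymising the unnecessary fields."},
                weight=lambda a: 0.0 if a else 1.5,
                next_q=lambda a: 4),
    4: Question(4, "For how many months will the personal data be retained?",
                "Longer retention means longer exposure of the data.",
                "number",
                weight=retention_weight,
                next_q=lambda a: 5),
    5: Question(5, "Which cloud service model does your project use?",
                "SaaS, PaaS and IaaS leave the customer different degrees of control.",
                "radio", options=("SaaS", "PaaS", "IaaS"),
                responses={"IaaS": "You control the VM: deletion and patching are your responsibility."},
                next_q=lambda a: None),
}

FULL_DPIA_THRESHOLD = 3.0  # constructed cut-off for recommending a full-scale DPIA


def validate(q: Question, answer: Any) -> None:
    """Reject answers that do not fit the question's declared type."""
    if q.qtype == "yesno" and not isinstance(answer, bool):
        raise ValueError(f"Q{q.qid}: expected yes/no, got {answer!r}")
    if q.qtype == "number" and (isinstance(answer, bool) or not isinstance(answer, int) or answer < 0):
        raise ValueError(f"Q{q.qid}: expected a non-negative integer, got {answer!r}")
    if q.qtype == "radio" and answer not in q.options:
        raise ValueError(f"Q{q.qid}: expected one of {q.options}, got {answer!r}")


def run_screening(answers: Dict[int, Any], questions: Dict[int, Question] = QUESTIONS,
                  start: int = 1) -> Dict[str, Any]:
    """Walk the questionnaire, following each question's action, and score it."""
    score = 0.0
    feedback: List[str] = []
    path: List[int] = []
    qid: Optional[int] = start
    while qid is not None:
        q = questions[qid]
        if qid not in answers:
            raise ValueError(f"Q{qid} was not answered")
        answer = answers[qid]
        validate(q, answer)
        path.append(qid)
        score += q.weight(answer)
        if answer in q.responses:
            feedback.append(q.responses[answer])
        qid = q.next_q(answer)   # the table's "action" column
    return {"score": score, "feedback": feedback, "path": path,
            "full_dpia_recommended": score >= FULL_DPIA_THRESHOLD}


if __name__ == "__main__":
    result = run_screening({1: True, 2: True, 3: False, 4: 36, 5: "IaaS"})
    print(result)
```

The branching action on question 1 shows how the initial screening can stop early when no personal data is involved, while the weight functions show how the retention heuristic and other answers feed a single score that drives the full-screening recommendation.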
Gross negligence in an anonymization process that makes it possible to unduly infer a data subject's identity, for instance, which is usually a data protection violation per se, can lead to a diverse array of consequences (such as identity theft or physical harm, e.g. domestic violence victims tracked down by their assailants) depending on the concrete circumstances of the case.
Our consideration of the impact deriving from privacy and data protection violations, however, was largely shaped according to Solove’s classification (Ibid.), which taxonomizes privacy violations according to four macro-categories (Information collection, information processing, information dissemination, intrusion), each of which can be subdivided into more specific subcategories.
The user may notice while going through the tool that their situation is not satisfactorily covered by the questions. This may be a clear indicator to seek professional help to supplement the tool's assessment.
Questions 48-50 in Table 2 refer to the service models in a cloud environment.
Note that deletion assumes particular importance in the cloud: the remoteness of the physical machines and the lack of control cloud users have over them, considered in relation to the fact that several different layers of deletion exist (from a mere drag-and-drop in the OS' virtual rubbish bin to the physical destruction of the hardware in which the virtual machine of the user lies), make deletion a focal point when assessing the risks a data subject is prone to.
E.g. Question 47 in Table 2.
See question 28 in Table 2.
See question 29 in Table 2.
See Questions 48-50 in Table 2.
Drools Business Rules Management System Solution: http://www.drools.org/.
RESTful refers to web APIs built in the REST architectural style, typically carried over HTTP.
JSON Data Interchange Format: http://www.json.org/.
Article 29 Data Protection Working Party: Statement on the role of a risk-based approach in data protection legal frameworks (WP218), May (2014). http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp218_en.pdf
Australian Government, Office of the Australian Information Commissioner: Privacy Impact Assessment Guide (OAIC) (2010)
Avepoint: Avepoint Privacy Impact Assessment (APIA) System (2015). https://privacyassociation.org/resources/apia
Bennett, C.J., Raab, C.D.: The Governance of Privacy: Policy Instruments in Global Perspective. MIT Press, Cambridge (2006)
CambridgeSoft: ChemBioOffice Cloud–An Integrated Decision Support System for CHDI (2010). http://chembionews.cambridgesoft.com/WhitePapers/Default.aspx?whitePaperID=43
Cayirci, E., Garaga, A., Santana de Oliveira, A., Roudier, Y.: A cloud adoption risk assessment model. In: 2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing (UCC), pp. 908–913 (2014)
Centre for Information Policy Leadership (CIPL): A Risk-based Approach to Privacy: Improving Effectiveness in Practice (2014). http://www.hunton.com/files/upload/Post-Paris_Risk_Paper_June_2014.pdf
Clarke, R.: Privacy impact assessment: its origins and development. Comput. Law Secur. Rev. 25(2), 123–135 (2009)
Cloud Security Alliance (CSA): Security guidance for critical areas of focus in cloud computing, v3.0 (2011). http://www.cloudsecurityalliance.org/guidance/
Cloud Security Alliance (CSA): The notorious nine: Cloud computing top threats in 2013, v.1.0 (2013). http://cloudsecurityalliance.org/research/top-threats/
Commission Nationale de L’informatique et des Libertés (CNIL): Recommendations for Companies Planning to Use Cloud Computing Services (2012). http://www.cnil.fr/fileadmin/documents/en/Recommendations_for_companies_planning_to_use_Cloud_computing_services.pdf
Commission Nationale de L’informatique et des Libertés (CNIL): Methodology for Privacy Risk Management (2012)
COM 11 final 2012/0011 (COD) European Commission: Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Brussels, 25.1.2012 p. 1. (2012)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ L281/31 (DPD) (1995)
De Hert, P.: A human rights perspective on privacy and data protection impact assessment. In: Wright, D., De Hert, P. (eds.) Privacy Impact Assessment. Law, Governance and Technology Series, vol. 6, pp. 33–76. Springer, Netherlands (2012)
European Network and Information Security Agency (ENISA): Cloud Computing – Benefits, risks and recommendations for information security (2009)
European Network and Information Security Agency: Cloud Security Incident Reporting: Framework for reporting about major cloud security incidents, ENISA (2013)
Felici, M., Pearson, S.: Accountability, risk, and trust in cloud services: towards an accountability-based approach to risk and trust governance. In: IEEE Proceedings of SERVICES, pp. 105–112 (2014)
Garaga, A., Santana de Oliveira, A., Cayirci, E., Dalla Corte, L., Leenes, R., Mhungu, R., Stefanatou, D., Tetrimida, K., Alnemr, R., Felici, M., Pearson, S., Vranaki, A.: D:C-6.2 Prototype for the data protection impact assessment tool. A4Cloud Deliverable D36.2 (2014). http://www.a4cloud.eu/sites/default/files/D36.2%20Prototype%20for%20the%20data%20protection%20impact%20assessment%20tool.pdf
Harbird, R., Ahmed, M., Finkelstein, A., McKinney, E., Burroughs, A.: Privacy Impact Assessment with PRAIS (2007). http://www.cs.ucl.ac.uk/staff/A.Finkelstein/papers/hotpets.pdf
Hall, M. et al.: The WEKA Data Mining Software: An Update; SIGKDD Explorations, vol. 11, no. (2009)
Information Commissioner’s Office: Privacy Impact Assessment Handbook (2011). http://ico.org.uk/pia_handbook_html_v2/files/PIAhandbookV2.pdf
Information Commissioner’s Office: Conducting privacy impact assessments code of practice (2014). https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
Information Commissioner’s Office: Guidance for Companies on the Use of Cloud Computing, v1.1 (2012). http://ico.org.uk/for_organisations/data_protection/topic_guides/online/cloud_computing
Mell, P., Grance, T.: The NIST Definition of Cloud Computing. NIST Special Publication 800, Washington (2011)
Millard, C.J. (ed.): Cloud Computing Law. Oxford University Press, Oxford (2013)
National Institute of Standards and Technology NIST: Guidelines on Security and Privacy in Public Cloud Computing, SP 800-144 (2011). http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
NOREA: Privacy Impact Assessment: Introductie, handreiking en vragenlijst. beroepsorganisatie van IT-auditors (2013). http://www.norea.nl/readfile.aspx?ContentID=36650&ObjectID=343968&Type=1&File=0000040117_NOREA%20A4%20Privacy%20Impact%20Assessment%2003%20WEB.pdf
Organisation for Economic Co-operation and Development OECD: Guidelines Concerning the Protection of Privacy and Transborder Flows of Personal Data (2013). http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf
Office of the Privacy Commissioner of Canada: Securing Personal Information: A Self-Assessment Tool for Organisations (2011). http://www.priv.gc.ca/resource/tool-outil/security-securite/english/AssessRisks.asp?x=1
Pearson, S.: Simple Mode: Addressing Knowledge Engineering Complexity in a Privacy Expert System. HP Labs External Technical Report, HPL-2010-75, June (2010). http://www.hpl.hp.com/techreports/2010/HPL-2010-75.html
Pearson, S., Sander, T.: A decision support system for privacy compliance. In: Data Mining: Concepts, Methodologies, Tools, and Applications, pp. 1496–1518. Information Science Reference, Hershey (2013). doi:10.4018/978-1-4666-2455-9.ch078
Pearson, S., Rao, P., Sander, T., Parry, A., Paull, A., Patruni, S., Dandamudi-Ratnakar, V., Sharma, P.: Scalable, accountable privacy management for large organizations. In: Enterprise Distributed Object Computing Conference Workshops, EDOCW 2009, vol. 13, pp. 168–175 (2009)
Sander, T., Pearson, S.: Decision support for selection of cloud service providers. Int. J. Comput. (JoC) GTSF 1(1), 106–113 (2010)
SEC 72 final, Commission Staff Working Paper: Impact Assessment Accompanying the document Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. Brussels, 25.1.2012, p. 81 (2012). http://ec.europa.eu/justice/data-protection/document/review2012/sec_2012_72_en.pdf
Svantesson, D., Clarke, R.: Privacy and consumer risks in cloud computing. Comput. Law Secur. Rev. 26(4), 392 (2010)
Solove, D.J.: A taxonomy of privacy. Univ. PA Law Rev. 154, 477 (2006)
Tancock, D., Pearson, S., Charlesworth, A.: The emergence of privacy impact assessments (2010). http://www.hpl.hp.com/techreports/2010/HPL-2010-63.pdf
Tancock, D., Pearson, S., Charlesworth, A.: Analysis of privacy impact assessments within major jurisdictions. In: Proceedings of PST 2010, pp. 118–125. IEEE, Ottawa (2010)
Tancock, D., Pearson, S., Charlesworth, A.: A privacy impact assessment tool for cloud computing. In: Pearson, S., Yee, G. (eds.) Privacy and Security for Cloud Computing. Computer Communications and Networks, pp. 73–123. Springer, London (2013)
Truste: TRUSTe Assessment Manager. https://www.truste.com/resources?doc=516
United States Department of Homeland Security: Privacy Threshold Analysis (PTA) (2007). http://www.dhs.gov/xlibrary/assets/privacy/DHS_PTA_Template.pdf
Wright, D.: The state of the art in privacy impact assessment. Comput. Law Secur. Rev. 28(1), 54–61 (2012)
Wright, D., De Hert, P.: Introduction to Privacy Impact Assessment. Springer, Netherlands (2012)
Wright, D.: Should privacy impact assessments be mandatory? Commun. ACM 54(8), 121–131 (2012)
This work is part of the EU-funded FP7 project, grant number 317550, titled "Accountability for Cloud and Other Future Internet Services" (A4Cloud - http://www.a4cloud.eu/).
© 2016 Springer International Publishing Switzerland
Alnemr, R. et al. (2016). A Data Protection Impact Assessment Methodology for Cloud. In: Berendt, B., Engel, T., Ikonomou, D., Le Métayer, D., Schiffner, S. (eds) Privacy Technologies and Policy. APF 2015. Lecture Notes in Computer Science(), vol 9484. Springer, Cham. https://doi.org/10.1007/978-3-319-31456-3_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31455-6
Online ISBN: 978-3-319-31456-3