It appears that all parties involved in the current negotiations of the proposed data protection regulation are happy with the risk-based approach adopted in the proposal. If the Council’s amendments make it into the final draft of the regulation, then data controllers will, under certain circumstances, have one more thing to worry about. They will be obligated to proactively carry out a data protection impact assessment (DPIA) before processing certain types of data that may present a high risk to data subjects. This precautionary approach is meant to strengthen the accountability requirements in the regulation and to instill a risk management culture among data controllers.
However, one challenge that may be faced in implementing this requirement is that at present there is no standard risk assessment or evaluation methodology specific to data protection. Various risk assessment standards do exist, such as ISO 31000:2009 for generic risk management and ISO 22307:2008 for privacy impact assessment in financial services, but a dedicated standard, ISO/IEC WD 29134 Privacy Impact Assessment – Methodology, is only expected by 2016.
In the EU, some Member States have developed privacy risk assessment methodologies, such as the CNIL methodology for privacy risk management and the ICO’s code of practice on conducting privacy impact assessments. Two DPIA templates have also been developed under the auspices of the European Commission: the Privacy and Data Protection Impact Assessment Framework for RFID Applications and the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems. However, these documents are not harmonized and are, in fact, extrapolations from risk assessment techniques used in other areas.
This gap has been pointed out by the Centre for Information Policy Leadership at Hunton & Williams in a recently published white paper; the Centre is continuing discussions in this direction and has in fact developed a draft matrix. The Article 29 Working Party (WP) has also decried the methodological flaws in its initial opinion on the Smart Meter template. Although the amended version was later accepted by the WP, it is indeed difficult to see the approved template as applying beyond the specific purpose for which it was developed.
Be that as it may, it is hoped that privacy practitioners will draw on existing knowledge in the field of risk assessment to develop a standard for data protection that clearly defines what data protection risks are, what data protection threats and harms are, and what criteria are to be used in evaluating the consequences or impact of these risks. Having a common taxonomy for data protection impact assessment will indeed be a first step towards standardization.
There are a number of advantages to having a standard risk assessment methodology for data protection. Firstly, it will afford organizations a ready-made template for carrying out a DPIA, thereby reducing the uncertainty in such exercises. Secondly, a standardized risk assessment methodology has the prospect of reducing costs, both in conducting a DPIA and in forestalling future losses that could arise should a new processing operation turn out to be high risk.