Analysis of Automation Potentials in Privacy Impact Assessment Processes

Conference paper. In: Computer Security (CyberICPS 2019, SECPRE 2019, SPOSE 2019, ADIoT 2019)

Abstract

With the recent introduction of the EU’s General Data Protection Regulation (GDPR), privacy impact assessments (PIA) have become mandatory in many cases. To support organisations in implementing them correctly, researchers and practitioners have provided reference processes and tooling. Integrating automation features into PIA tools can streamline the implementation of compliant privacy impact assessments in organisations. Starting from a general reference architecture and a reference process derived from guidance by supervisory authorities, this contribution offers a systematic analysis of which process steps show the most promise for automation, and discusses impediments to this approach and directions for future research.

Notes

  1. We use the terms privacy impact assessment and data protection impact assessment interchangeably.

Author information

Corresponding author: Jan Zibuschka

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Zibuschka, J. (2020). Analysis of Automation Potentials in Privacy Impact Assessment Processes. In: Katsikas, S., et al. (eds.) Computer Security. CyberICPS 2019, SECPRE 2019, SPOSE 2019, ADIoT 2019. Lecture Notes in Computer Science, vol. 11980. Springer, Cham. https://doi.org/10.1007/978-3-030-42048-2_18

  • DOI: https://doi.org/10.1007/978-3-030-42048-2_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42047-5

  • Online ISBN: 978-3-030-42048-2

  • eBook Packages: Computer Science (R0)
