
A Proposed Privacy Impact Assessment Method Using Metrics Based on Organizational Characteristics

  • Conference paper
Computer Security (CyberICPS 2019, SECPRE 2019, SPOSE 2019, ADIoT 2019)

Abstract

Assessing the potential impact of a privacy violation incident on an organization is important for three main reasons: the organization will have a justified estimate of the cost (financial, reputational or other) that may arise, the assessment will facilitate the selection of appropriate technical, procedural and organizational protection mechanisms, and the organization will be compliant with the new General Data Protection Regulation that will be in effect from May 2018. Today, there are several methods for conducting a Privacy Impact Assessment, but none of them quantifies the results according to specific metrics, and their results can thus be significantly affected by various subjective parameters. Furthermore, the specific organizational characteristics (size, activities, number of clients, type of offered services etc.) are very rarely taken into account, a fact that also affects the accuracy of the results. This paper presents a privacy impact assessment method that explicitly takes the organizational characteristics into account and employs a list of well-defined metrics as input.

Acknowledgment

This work has been partially supported by the Research Center of the University of Piraeus.

Author information

Correspondence to Eleni-Laskarina Makri, Zafeiroula Georgiopoulou or Costas Lambrinoudakis.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Makri, EL., Georgiopoulou, Z., Lambrinoudakis, C. (2020). A Proposed Privacy Impact Assessment Method Using Metrics Based on Organizational Characteristics. In: Katsikas, S., et al. Computer Security. CyberICPS 2019, SECPRE 2019, SPOSE 2019, ADIoT 2019. Lecture Notes in Computer Science, vol 11980. Springer, Cham. https://doi.org/10.1007/978-3-030-42048-2_9

  • DOI: https://doi.org/10.1007/978-3-030-42048-2_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42047-5

  • Online ISBN: 978-3-030-42048-2

  • eBook Packages: Computer Science (R0)
