One of the novelties of the European General Data Protection Regulation (GDPR) for regulating data controllers is the requirement to take a risk-based approach to the processing of personal data: data controllers should consider the risks of their projects or processing activities proactively, to prevent, as far as possible, any harm to individuals. The tool envisaged in the GDPR for this goal is the Data Protection Impact Assessment (DPIA). A DPIA is required to assess and manage the risks of any project or processing activity likely to result in a high risk to the rights and freedoms of natural persons. It is valuable not only for building compliance within an organisation but also for demonstrating it; in this sense it can be considered a vital tool for following the Regulation's accountability principle.
The main objective of this ontology is to support the representation of the concepts and entities in the DPIA process in order to, first, provide a common vocabulary that helps the stakeholders involved to interoperate in the DPIA process, and second, establish a basis for applications supporting DPIA and risk assessment.
The main steps of the DPIA are represented below:
As represented in the flowchart, a DPIA consists of two main steps:
1. DPIA Necessity Assessment
2. Conducting a full DPIA
In the following sections we provide the competency questions related to each of these two steps.

GDPR Art. 35(3) lists three cases in which a DPIA is in particular required:
1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
2. Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.
3. A systematic monitoring of a publicly accessible area on a large scale.
Furthermore, based on GDPR Art.35(1), (3) and Recitals 71, 75, 76, 91, 92 and 116, Article 29 Working Party’s guideline on DPIA provides a more detailed list of the processing operations that need a DPIA. This list contains nine criteria: 1) Evaluation or Scoring, 2) Automated decision making with legal or similar significant effect, 3) Systematic monitoring, 4) Sensitive data or data of a highly personal nature, 5) Data processed on a large scale, 6) Matching or combining datasets, 7) Data concerning vulnerable data subjects, 8) Innovative use or applying new technological or organizational solutions, and 9) Processing preventing data subjects from exercising a right or using a service or contract.
Understanding whether any of these nine criteria applies to a processing operation is not always straightforward for data controllers, as each criterion needs to be interpreted and further explained. As an example, consider the criterion stating that if data is processed on a large scale, a DPIA may be needed. Here, the first and main question of a data controller would be: when is a processing operation considered large scale? The GDPR gives no complete definition of what constitutes large scale. The WP29 Guidelines on Data Protection Officers, however, define four factors for this criterion: when a large number of data subjects is involved, when a large volume or range of data is processed, when the processing continues for a long duration, and finally, when a large geographical extent is affected.
Deciding on the applicability of some of the other criteria in this list is even less straightforward. For instance, determining whether a new technology or organisational measure is used in the processing activity, or whether a data controller uses a technology in an innovative way, is challenging and depends on the interpretation of these terms. This vocabulary aims to assist data controllers in better understanding the riskiness of their processing operations by identifying the elements of information that need to be considered for this purpose and modelling them using Semantic Web technologies. More specifically, the ontology represents the aspects and characteristics of processing operations that should be considered to assess their risk level.
Data Protection Impact Assessment Ontology | |
---|---|
1. Purpose | |
The purpose of the ontology is to support determining whether a processing activity/project is of type | |
2. Scope | |
The scope of this ontology is limited to the identification of concepts mentioned in the European GDPR for reaching the above-mentioned purpose. Other guidelines which give further explanations of GDPR Articles, such as the WP29 guideline on DPIA [], as well as various case law and DPA decisions, have been considered in this work. | |
3. Implementation Language | |
OWL | |
4. Intended End-Users | |
1. Developers of applications supporting DPIA 2. Data controllers collecting personal data, or in particular, Data Protection Officers (DPO). |
|
5. Intended Uses | |
1. Identification of high-risk processing activities/projects. 2. Understanding whether a DPIA is necessary for a processing activity/project. 3. Development of wizard tools/applications assisting data controllers to detect processing operations with high risk. |
|
6. Ontology Requirements | |
a. Non-Functional Requirements | |
NFR 1. The ontology should be published online, following the FAIR principles []. | |
b. Functional Requirements: Competency Questions | |
CQG1. Large-scale Data Processing | |
CQ1. What is the scale of the processing activity? CQ1.1. What is the scale of data subjects affected by the processing activity? CQ1.2. What is the scale of personal data associated with the processing activity? CQ1.3. How many ranges of personal data items are going to be processed? CQ1.4. What is the geographical extent of the processing activity? CQ1.5. What is the frequency of the processing activity? CQ1.6. For how long does the processing activity last? |
|
CQG2. Processing of Sensitive Data | |
CQ2. What is the category of personal data used in the processing operation? CQ2.1. Does the processing operation involve special categories of data listed in GDPR Art. 9? CQ2.2. Does the processing operation involve personal data relating to criminal convictions and offences (Art. 10)? CQ2.3. Does the processing involve other types of personal data of a highly personal nature (such as electronic communications, location data, etc.)? |
|
CQG3. Data Concerning Vulnerable Data subjects | |
CQ3. Who are the data subjects affected by the processing activity? CQ3.1. Does the processing activity target any vulnerable data subjects? CQ3.2. What is the relationship between the data controller and the data subjects? CQ3.3. Considering the purpose of the processing, is there an increased power imbalance between the data controller and the data subjects? CQ3.4. Are data subjects unable to easily give consent to, or oppose, the processing of their data, or to exercise their rights (children, etc.)? CQ3.5. Do data subjects need special protection (mentally ill persons, asylum seekers, the elderly, patients)? |
|
CQG4. Use of New and Innovative Technology and Organizational Solution | |
CQ4. What type of technology or organizational solutions do you use in your processing operation? CQ4.1. Do you use CQ4.2. Do you use new technological or organizational solutions in your processing operation? |
|
CQG5. Automated decision making with legal or similar significant effect | |
CQ5. Does the processing include any automated decision making with legal or similarly significant effect on individuals? CQ5.1. Is personal data processed for making a decision? CQ5.2. Does the processing operation involve some form of automation? CQ5.3. Is any human involved in the processing activity? CQ5.3.1. If the answer to CQ5.3 is yes, what is the influence of the human on the result? (Does the person have the authority or competence to change the generated result, i.e. an actual influence on the result?) CQ5.3.2. If the answer to CQ5.3 is yes, at what stage of the decision-making process is the human involved? CQ5.4. What is the impact of the processing on the individuals? CQ5.4.1. What is the legal impact of the processing on the individuals? CQ5.4.1.1. What is the effect of the processing on the individuals' legal rights? CQ5.4.1.2. What is the effect of the processing on the individuals' legal status? CQ5.4.1.3. What is the effect of the processing on the individuals' rights under a contract? CQ5.4.2. What are the similarly significant effects of the processing on individuals? |
|
CQG6. Systematic Monitoring | |
CQ6. Does the processing activity include any systematic monitoring of data subjects? CQ6.1. Does the processing activity include any monitoring of data subjects? CQ6.1.2. Does the processing activity include observing, monitoring, controlling, or tracking data subjects on the internet? CQ6.1.3. Does the processing operation include tracking or monitoring individuals in a publicly accessible area? CQ6.2. If the answer to CQ6.1 is yes, is the monitoring conducted in a |
|
CQG7. Matching or Combining Datasets | |
CQ7. Does the data originate from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject? CQ7.1. What is the origin/source of the dataset used for data processing? CQ7.2. If the data is the result of a processing operation, what is the purpose of it? CQ7.3. Which data controller/processor generated/collected the data? |
|
CQG8. Evaluation or Scoring | |
CQ8.1. |
Data Protection Impact Assessment Ontology | |
---|---|
1. Purpose | |
The purpose of the ontology is to represent pieces of information necessary to exist in a DPIA document. | |
2. Scope | |
The scope of this ontology is limited to the identification of concepts mentioned in the European GDPR for reaching the above-mentioned purpose. Other guidelines which give further explanations of GDPR Articles, such as the WP29 guideline on DPIA [], as well as various DPA guidelines such as those of CNIL [], ICO, and AEPD [], have been considered in this work. | |
3. Implementation Language | |
OWL | |
4. Intended End-Users | |
1. Developers of applications supporting DPIA 2. Data controllers collecting personal data. |
|
5. Intended Uses | |
1. Representation of the necessary information in a DPIA in a machine-readable manner 2. Supporting development of applications that assist data controllers in conducting impact and risk assessment. |
|
6. Ontology Requirements | |
a. Non-Functional Requirements | |
NFR 1. The ontology should be published online, following the FAIR principle[]. | |
b. Functional Requirements: Competency Questions | |
CQG1. Specifications of Data Controller and other Stakeholders | |
CQ1. Who is/are the Data Controller(s) associated with the DPIA? CQ2. What is the data controller(s)' contact information? CQ3. Who is the Data Protection Officer (DPO) associated with the DPIA? CQ4. What is the identification information of the team leader who conducts the DPIA? CQ5. What is the main department in charge of the processing activity? CQ6. What are the other departments involved in some of the phases of the processing operation? CQ7. What is the identification information of the units responsible for managing the processing within the controller organisation? CQ8. Who are the data processors involved in the processing? CQ9. Who are the sub-processors involved in the processing? CQ10. What is the identification information of the Point of Contact (POC), or DPO, for the processors/sub-processors? CQ11. If there are any, who are the joint controllers? CQ12. What is the identification information of the Point of Contact (POC), or DPO, for the controller/joint controllers? CQ13. What is the identification information of the Point of Contact (POC) in each of the management units or functional units involved in the processing? CQ14. What are the responsibilities of each stakeholder? CQ15. What is the Project or Processing Activity associated with the DPIA? CQ16. Which Data Protection Authority's guidelines does the DPIA pertain to? CQ17. If there are any, which approved Codes of Conduct does this DPIA pertain to? CQ18. What is the law of the Member State to which the controller is subject? CQ19. If there are any, what are the data protection certifications (GDPR, Art. 42) issued by certification bodies to the data controller/data processor? |
|
CQG2. Describing the Processing | |
CQ1. What is/are the Processing Activity(ies) associated with the DPIA? CQ2. What are the Purposes of the processing? CQ3. What Personal Data are associated with the processing? CQ4. If there are any, what Sensitive Data, Special Categories of Data or Criminal Offence Data are associated with the processing? CQ5. What is the data lifecycle (from collection to destruction)? CQ6. How much data will be collected and processed? CQ7. What technology is used to collect/use/store/destroy/transfer data? CQ8. What is the source of the personal data? CQ9. Who has access to the personal data? CQ10. What are the data supporting assets? (Assets on which personal data rely. Note: these may be hardware, software, networks, people, paper or paper transmission channels, e.g. operating systems, business applications, database management systems, office suites, protocols, configurations, etc.) CQ11. Who are the recipients of the personal data? CQ12. What is the data storage duration? CQ13. What is the Legal Basis of the processing? CQ14. Who are the Data Subjects associated with the DPIA? CQ15. If there are any, who are the Vulnerable Data Subjects associated with the DPIA? CQ16. What is the nature of the relation between the Data Subjects and the Data Controller? CQ17. How many individuals will be affected by the processing activity? CQ18. What is the frequency of the processing? CQ19. What geographical area does the data collection/processing cover? |
|
CQG3. Assessment of GDPR fundamental principles | |
CQ1. Is the processing activity necessary considering the purpose? CQ1.1. What is the lawful basis for the processing? CQ1.2. Why are the proposed processing operations necessary for your organisation to fulfil the mandate assigned to it? CQ1.3. What are the alternative processing operations to achieve the purpose? CQ1.4. What is the level of risk of the alternative processing operations (why is the chosen one the least intrusive)? CQ2. Are the Processing Activities proportional considering the Purpose? CQ3. What are the controls used to ensure the fundamental principles of the GDPR (lawfulness, data minimisation, data quality, storage limitation)? CQ4. What are the controls to support data subjects' rights under the GDPR? CQ5. What are the justifications when the processing benefits from an exemption from data subjects' rights? CQ6. What are the safeguards for international transfers (if any)? CQ7. What are the measures to ensure processors comply? |
|
CQG4. Necessity of DPIA | |
CQ1. Why is a DPIA necessary for the Processing activity(ies)/project(s)? CQ1.1. Does the Processing activity/project belong to the category of high-risk processing activities for which a DPIA is required, as mentioned in the GDPR or by the DPA? (see Necessity of DPIA competency questions) CQ1.1.1. If yes, which type of high-risk processing activity is it? CQ1.1.2. If no, what are the other reasons for conducting a DPIA (e.g., further protection and assurance in case of doubt)? CQ2. Why is a DPIA not necessary for the Processing activity(ies)/project(s)? CQ2.1. Is the Processing activity necessary for compliance with a Legal Obligation to which the Controller is subject? CQ2.2. Is the Processing activity necessary for the performance of a task carried out in the Public Interest or in the exercise of official authority vested in the controller? CQ2.3. Is the Processing operation/project of a type not resulting in a high risk to the rights and freedoms of individuals? CQ2.4. Has the Processing operation previously been found by a DPIA not to present a high risk? CQ2.5. Has any other DPIA been conducted in the past which addressed the impacts of similar Processing Activities/projects? CQ2.6. Has the Processing operation already been authorised by the supervisory authority? CQ2.7. Has the supervisory authority listed the processing operation as not requiring a DPIA in accordance with GDPR Article 35(5)? CQ2.8. Does a Processing operation pursuant to point (c) or (e) of Article 6(1) already have a clear and specific legal basis in EU law or the law of the Member State to which the controller is subject, where a DPIA has already been carried out as part of the establishment of that legal basis (Article 35(10))? |
|
CQG5. Risk Assessment | |
CQ1. What are the Risks associated with the processing or project in general to the rights and freedoms of data subjects? CQ2. What is the Origin (Source) of the Risk (processing, personal data, technology, data subject, etc.)? CQ3. What are the Impacts of each Risk on the data subjects, data protection, and personal data? CQ4. What are the likelihood, severity and overall score of the Risk? CQ5. What are the compliance risks for your organisation? CQ6. What are the possible Mitigation Measures for each Risk? CQ7. What are the effects of the Mitigation Measures on the Risks? CQ8. What are the Residual Risks after applying the Measures? CQ9. What is the level of Residual Risk (Low, Medium, High)? CQ10. What is the status/state of the Risk (Accepted, Rejected, Pending)? CQ11. Who sets the status/state of the Risk? CQ12. What is the timestamp associated with the status/state of the Risk? CQ13. What is the status/state of the Mitigation Measures (Accepted, Rejected, Pending)? CQ14. Who sets the status/state of the Mitigation Measures? CQ15. What is the timestamp associated with the status/state of the Mitigation Measures? |
|
CQG6. Advice and Consultation | |
CQ1. What is the Advice of the Data Protection Officer about the DPIA? CQ2. If the level of Residual Risk is High, has a Prior Consultation with the DPA been performed? CQ2.1. If the prior consultation has been performed, with which Supervisory Authority? CQ2.2. If the prior consultation has been performed, when? CQ2.3. If the prior consultation with the DPA has been performed, what is the result? (Processing operation/project authorised, Processing operation/project not authorised, Recommendations provided) CQ2.4. If applicable, what are the Views of the affected Data Subjects or their Representatives on the intended Processing? CQ2.5. If it is not appropriate to consult the affected Data Subjects, what is the reason? CQ3. Which other stakeholders has the data controller consulted? |
Prefix | Namespace |
---|---|
rdf | http://www.w3.org/1999/02/22-rdf-syntax-ns# |
rdfs | http://www.w3.org/2000/01/rdf-schema# |
owl | http://www.w3.org/2002/07/owl# |
dct | http://purl.org/dc/terms/ |
ns1 | http://purl.org/vocab/vann/ |
xsd | http://www.w3.org/2001/XMLSchema# |
dpv | http://www.w3.org/ns/dpv# |
In this section, the classes and properties for representation of each of the nine criteria mentioned earlier, are listed.
The WP29 guideline on DPIA mentions the scale of the processing as a determining criterion in understanding the risk level of processing operations. It recommends that the following factors be considered when determining whether the processing is conducted on a large scale:
1. the number of data subjects concerned, either as a specific number or as a proportion of the relevant population
2. the volume of data and/or the range of different data items being processed
3. the duration, or permanence, of the data processing activity
4. the geographical extent of the processing activity
Accordingly, the following classes and properties are defined to represent the concepts indicated in the guideline.
Concepts associated with the scale of processing activities are represented below:
Definition: | Property to associate processing activity to the scale of affected data subjects |
---|---|
Label: | gdpia:processingAffectsScaleOfDataSubject |
Source: | WP29 Guidelines on Data Protection Officer 16/EN WP 243, |
Definition: | Property to associate processing activity to the volume of used/processed personal data. |
---|---|
Label: | gdpia:processingAffectsPersonalDataVolume |
Source: | WP29 Guidelines on Data Protection Officer 16/EN WP 243, |
Definition: | Property to associate processing activity to the scale of the ranges of personal data processed. |
---|---|
Label: | gdpia:processingAffectsDataRangeScale |
Source: | WP29 Guidelines on Data Protection Officer 16/EN WP 243, |
Definition: | Property to associate processing activity to its duration or permanence. |
---|---|
Label: | gdpia:processingHasDuration |
Source: | WP29 Guidelines on Data Protection Officer 16/EN WP 243, |
Definition: | Property to associate processing activity to its frequency. |
---|---|
Label: | gdpia:processingHasFrequency |
Source: | WP29 Guidelines on Data Protection Officer 16/EN WP 243, |
Definition: | Property to associate processing activity to its geographical extent. |
---|---|
Label: | gdpia:processingHasGeographicalExtent |
Source: | WP29 Guidelines on Data Protection Officer 16/EN WP 243, |
Definition: | Scale of the processing activity in general. |
---|---|
Label: | gdpia:ProcessingScale |
Source: | WP29 Guidelines on Data Protection Officer 16/EN WP 243, |
Definition: | Scale of data subjects affected by the processing activity. |
---|---|
Label: | gdpia:DataSubjectScale |
Source: | WP29 Guidelines on Data Protection Officer 16/EN WP 243, |
Definition: | The volume of data being processed. |
---|---|
Label: | gdpia:PersonalDataVolume |
Source: | WP29 Guidelines on Data Protection Officer 16/EN WP 243, |
Definition: | The duration, or permanence, of the data processing activity. |
---|---|
Label: | gdpia:Duration |
Source: | WP29 Guidelines on Data Protection Officer 16/EN WP 243, |
Definition: | The frequency of data processing activity. |
---|---|
Label: | gdpia:Frequency |
Source: | WP29 Guidelines on Data Protection Officer 16/EN WP 243, |
Definition: | The geographical extent of the processing activity. |
---|---|
Label: | gdpia:geographicalExtent |
Source: | WP29 Guidelines on Data Protection Officer 16/EN WP 243, |
The WP29 guideline on DPIA specifies three kinds of personal data whose processing may lead to a high risk to the rights and freedoms of individuals:
1. Special categories of personal data mentioned in GDPR, Article 9 (such as health data, political beliefs, sexual orientation, etc.).
2. Personal data relating to criminal convictions or offences as defined in GDPR, Article 10.
3. Personal data of a highly personal nature, or as commonly known,
Concepts associated with the sensitive data are represented below:
Definition: | Personal data being processed. |
---|---|
Label: | gdpia:PersonalData |
Source: |
Definition: | Special categories of personal data mentioned in GDPR, Article 9(1), whose processing is prohibited except in the cases listed in Article 9(2). |
---|---|
Label: | gdpia:SpecialCategoryOfData |
Source: | GDPR, Art.9(1) |
Definition: | Personal data relating to criminal convictions and offences. |
---|---|
Label: | gdpia:CriminalConvictionsOffences |
Source: | GDPR, Art.10 |
Concepts associated with the processing operations affecting vulnerable data subjects are represented below:
Definition: | Data subjects who are considered to be vulnerable. |
---|---|
Label: | gdpia:VulnerableDataSubjects |
Source: | GDPR, Recital 75 |
Definition: | Type of relation between data subject and data controller |
---|---|
Label: | gdpia:SubjectControllerRelationship |
Source: |
Definition: | A 'child' is a natural person who is below a certain legal age, depending on the legal jurisdiction. |
---|---|
Label: | gdpia:Child |
Source: | GDPR, Recital 38 |
Definition: | Employee |
---|---|
Label: | gdpia:Employee |
Source: | Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 |
Definition: | Asylum Seeker |
---|---|
Label: | gdpia:AsylumSeeker |
Source: | Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 |
Definition: | Elderly |
---|---|
Label: | gdpia:Elderly |
Source: | Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 |
Definition: | Person with mental illness |
---|---|
Label: | gdpia:MentallyIllPerson |
Source: | Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679. |
Concepts associated with the new and innovative use of technology:
Definition: | Technology used to implement the processing operation or technical measure. |
---|---|
Label: | gdpia:Technology |
Source: |
Definition: | |
---|---|
Label: | gdpia:NewTechnology |
SubClass of: | gdpia:Technology |
Source: |
Definition: | Using existing technologies in a new or innovative way. |
---|---|
Label: | gdpia:InnovativeUseOfTechnology |
Source: |
Definition: | Property to associate a processing activity or a technical measure to the technology used for its implementation. |
---|---|
Label: | gdpia:implementedUsingTechnology |
Source: |
Concepts to represent Automated-decision making with legal or similar significant effect:
Definition: | |
---|---|
Label: | gdpia:HumanInvolvement |
Source: |
Definition: | Property to model whether the processing activity has any form of human involvement. |
---|---|
Label: | gdpia:hasHumanInvolvement |
Domain: | gdpia:ProcessingActivity |
Range: | xsd:boolean |
Source: |
Definition: | Property to determine whether the processing activity has any form of automation. |
---|---|
Label: | gdpia:hasFormOfAutomation |
Domain: | gdpia:ProcessingActivity |
Range: | xsd:boolean |
Source: |
Definition: | A stage in the process of Decision Making. |
---|---|
Label: | gdpia:DecisionMakingStage |
Source: |
Definition: | The authority level of the human (in terms of his power to modify the results) involved in the processing. |
---|---|
Label: | gdpia:hasAuthorityLevel |
Source: |
Definition: | Impact of the processing activity on individuals. |
---|---|
Label: | gdpia:Impact |
Source: |
Definition: | Any effect on someone's legal situation, such as legal rights, legal status, etc. |
---|---|
Label: | gdpia:ImpactWithLegalConsequence |
SubClass of: | gdpia:SignificantImpact |
Source: |
Definition: | Impact of the processing activity on someone's legal status. |
---|---|
Label: | gdpia:ImpactOnRights |
SubClass of: | gdpia:ImpactWithLegalConsequence |
Source: |
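As an added illustration, not part of the original ontology documentation, the following Turtle fragment describes one constructed processing activity using the scale properties and classes listed under the large-scale criterion above, together with the technology and automation terms listed for the new-technology and automated-decision-making criteria, so that CQ1 (scale), CQ4 (technology) and CQ5.3/CQ5.3.1 (human involvement and authority) can be answered by querying the data rather than by reading a document. The page does not state the gdpia namespace IRI, so a placeholder IRI is used for it; the ex: instances, the figures in the comments, and the plain-literal value for gdpia:hasAuthorityLevel (which has no declared range on this page) are assumptions made for this example.

```turtle
@prefix rdf:   <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs:  <http://www.w3.org/2000/01/rdf-schema#> .
@prefix xsd:   <http://www.w3.org/2001/XMLSchema#> .
# Assumption: the gdpia namespace IRI is not given on this page; placeholder used here.
@prefix gdpia: <http://example.org/gdpia#> .
# Constructed namespace for the instances of this example.
@prefix ex:    <http://example.org/dpia-example/> .

# Constructed processing activity: a telehealth provider scores patients'
# portal behaviour to decide which of them are offered a follow-up appointment.
ex:PortalTriageScoring a gdpia:ProcessingActivity ;
    rdfs:label "Automated triage scoring of patient portal activity"@en ;

    # CQG1 (large scale): one value per WP 243 factor. Each is an instance of
    # the corresponding gdpia scale class so a tool can inspect or rank them.
    gdpia:processingAffectsScaleOfDataSubject ex:Scale_Subjects ;
    gdpia:processingAffectsPersonalDataVolume ex:Scale_Volume ;
    gdpia:processingAffectsDataRangeScale     ex:Scale_Range ;
    gdpia:processingHasDuration               ex:Duration_Ongoing ;
    gdpia:processingHasFrequency              ex:Frequency_Nightly ;
    gdpia:processingHasGeographicalExtent     ex:Extent_National ;

    # CQG4 (new/innovative technology): the scoring model is new to this
    # controller, so it is typed as gdpia:NewTechnology (a gdpia:Technology).
    gdpia:implementedUsingTechnology ex:TriageScoringModel ;

    # CQG5 (automated decision making): the decision is automated and a human
    # is nominally involved. CQ5.3.1 asks whether that human can change the
    # outcome; here the answer is no, which is the case a reviewer must catch.
    gdpia:hasFormOfAutomation "true"^^xsd:boolean ;
    gdpia:hasHumanInvolvement "true"^^xsd:boolean ;
    # Assumption: gdpia:hasAuthorityLevel has no declared range on this page;
    # a plain literal is used here.
    gdpia:hasAuthorityLevel "none: reviewer sees the score but cannot override it"@en .

ex:Scale_Subjects a gdpia:DataSubjectScale ;
    rdfs:comment "About 180,000 registered patients (constructed figure)."@en .
ex:Scale_Volume a gdpia:PersonalDataVolume ;
    rdfs:comment "Roughly 2 million portal events per month (constructed figure)."@en .
# No class for the range of data items is listed on this page, so this node is untyped.
ex:Scale_Range
    rdfs:comment "Login times, pages viewed, appointment history, messages sent."@en .
ex:Duration_Ongoing a gdpia:Duration ;
    rdfs:comment "No planned end date; scores are recomputed indefinitely."@en .
ex:Frequency_Nightly a gdpia:Frequency ;
    rdfs:comment "Batch run once per night."@en .
ex:Extent_National a gdpia:geographicalExtent ;
    rdfs:comment "All patients of the provider in one Member State."@en .

ex:TriageScoringModel a gdpia:NewTechnology ;
    rdfs:label "Gradient-boosted triage scoring model (constructed)"@en .
```

Loaded into any RDF store, CQ1 becomes a lookup of the six scale-related properties on ex:PortalTriageScoring, and CQ5.3.1 is answered by gdpia:hasAuthorityLevel rather than by the boolean gdpia:hasHumanInvolvement alone: a screening tool that only checks the boolean would wrongly treat this activity as having meaningful human oversight and could miss the Art. 35(3)(a) case.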