It appears that all parties involved in the current negotiations of the proposed data protection regulation are happy with the risk-based approach adopted in the proposal. If the Council’s amendments make it in the final draft of the regulation, then data controllers under certain circumstances will have one more thing to worry about. They will be obligated to proactively carry out a data protection impact assessment (DPIA) before processing certain types of data that may present high risk to the data subjects. This precautionary approach is meant to strengthen the accountability requirements in the regulation, and to instill a risk management culture among data controllers.
However, one problem that may be envisaged in the implementation of this requirement is that at present there is no specific standard risk assessment or evaluation methodology for data protection. Although various risk assessment standards exist such as the ISO 31000:2009 for generic risk management and the ISO 22307:2008 for Privacy Impact Assessment in financial services, the ISO/IEC WD 29134 Privacy Impact Assessment – Methodology is expected by 2016.
In the EU, some Member States have developed some privacy risk assessment methodology such as the CNIL methodology for privacy risk management and the ICO’s conducting privacy impact assessments code of practice ...Zum vollständigen Artikel