Workshop DPIA Test phase
Directorate General for Energy, European Commission
Brussels, 22/05/2015
Content
• Welcome and objectives of the workshop
• Background: Commission Recommendation & test phase
• Experience sharing: Alliander and EDP Distribuição initiative
• Experience sharing of test users and the DPA
• Examples of test findings
• DPIA template test tool demonstration
• Discussion
• Follow-up steps
COMMISSION RECOMMENDATION 2014/724/EU
"Commission Recommendation of 10 October 2014 on Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems" (2014/724/EU)
Commission Recommendation DPIA Template, adopted on 10 October 2014:
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:JOL_2014_300_R_0013&qid=1413790118102&from=EN
What is SGTF?
[Diagram: Smart Grids Task Force structure, European Commission; stakeholder groups: Technology, Supply, Consumer, DSOs, TSOs, Regulators; ad-hoc expert working groups; Florence Forum; London Forum; High Level Steering Committee]
Scope of the Recommendation
• Guarantee protection of personal data throughout the Union
• Provide guidance to MS
• Interaction of MS, industry, civil society stakeholders, national data protection authorities and national energy regulatory authorities
• Help ensure fundamental rights
• 2-year test phase of the DPIA template
DPIA TEMPLATE FOR SMART GRID AND SMART METERING SYSTEMS
Smart Grid Task Force 2012-2014
What is the DPIA template?
• The DPIA Template is an evaluation and decision-making tool which helps entities planning or executing investments in smart grids to identify and anticipate risks to data protection, privacy and security.
• The DPIA provides guidance to help ensure the fundamental rights to protection of personal data and to privacy.
Who should carry out a DPIA?
• Organisations that initiate or already manage smart grid deployments
• Organisations introducing changes to existing smart grid architecture platforms, in identifying and assessing the privacy risks of these initiatives
Benefits of conducting the DPIA
• Preventing costly adjustments in processes or system redesign by mitigating privacy and data protection risks
• Prevention of discontinuation of a project by early understanding of the major risks
• Reducing the impact of law enforcement and oversight involvement
• Improving the quality of personal data (minimisation, accuracy)
• Improving service and operation processes
• Improving decision-making regarding data protection
• Raising privacy awareness within the organisation
• Improving the feasibility of a project
• Strengthening confidence of consumers, employees or citizens in the way in which personal data are processed and privacy is respected
Steps of carrying out a DPIA
Step 1: Pre-assessment and criteria determining the need to conduct a DPIA
Step 2: Initiation
Step 3: Identification, characterisation and description of smart grid systems / applications processing personal data
Step 4: Identification of relevant risks
Step 5: Data protection risk assessment
Step 6: Identification and recommendation of controls and residual risks
Step 7: Documentation and drafting of the DPIA Report
Step 8: Review and maintenance
Carrying out a DPIA
• The DPIA should help stakeholders to identify in a structured way, and to categorize, the privacy risks attached to smart grid systems and applications when processing personal data
• Parallel use of the templates of chapter 2 (Guidance for execution of the DPIA) and chapter 3 (Questionnaires)
TEST PHASE
DPIA Template
Opinion 07/2013 of the Working Party 29 recommends the organisation of a test phase for the implementation of the Template, with the support of Data Protection Authorities.
This test phase should contribute to ensuring that the Template provides improved data protection to individuals in the context of the deployment of smart grids.
Test Phase
• Within two years of publication of this Recommendation in the Official Journal of the European Union, Member States should provide the Commission with an assessment report highlighting the relevant conclusions stemming from the Test Phase.
• The EC intends to assess the need for revision of the DPIA Template based on the Test Phase reports provided by Member States.
• Stakeholder event to exchange views on this assessment prior to undertaking a revision.
Why a Test Phase?
In light of the upcoming General Data Protection Regulation, and based on the feedback gathered in the test phase, the Template could be further fine-tuned to enhance its:
• Efficiency in assessing the impact of individual smart grid applications on data protection
• Usefulness in guiding data controllers in the conduct of the impact assessment according to the concrete circumstances of the application or system
• User-friendliness from the data controller's perspective
INTERACTION OF THE STAKEHOLDERS
CONCEPT OF THE TEST PHASE
ALLIANDER AND EDP DISTRIBUIÇÃO INITIATIVE
Experience sharing
DPIA template test phase workshops report
22 May 2015, Brussels

Agenda
1. DPIA test phase introduction
2. DPIA test phase workshops
3. DPIA template test user experience sharing
4. Result of the test findings
5. DPIA template test tool demonstration
6. Main conclusions and next steps
DPIA Test Phase: Alliander and EDP Distribuição initiative
o Joint effort for the 1st assessment:
• Gather a specialized team of DPIA Beta Testers (DPIAβT) to facilitate the DPIA template application at Alliander and EDP;
• The DPIAβT is a selected group of DPIA-knowledgeable people, preferably from different relevant stakeholders (DSOs, Data Protection Authority, consumer organisations, European Commission, …).
o Organization of a 2-day working session per company (Amsterdam and Lisbon) in April and May, where:
• Each company gathered experienced personnel from the business units involved in the selected business case, able to contribute all their knowledge and understanding to the DPIA template application.
• The DPIAβT has a neutral role in the process, participating only as a facilitator in the DPIA template application. Additionally, it collects feedback about the DPIA, its applicability and usability.
• The DPIA was applied to 2 business cases selected from the "set of common functional requirements of the Smart Meter":
• BC1: Provides readings from the meter to the customer and to equipment that the customer has installed (Alliander);
• BC3: Allows remote reading of meter registers by the Meter Operator (EDP).
o Output: Report of experiences and findings
• The DPIAβT report will provide a coherent assessment of the PROCESS of applying the current DPIA Template, both at Alliander and at EDP Distribuição.
Planning of the DPIA template test phase (working process for the EC and other entities)
2015
• 1st half of April: DPIA Template application at Alliander
• 2nd half of April: DPIA Template application at EDP
• 22 May: Deliver input report
• July/September: EDSO workshop and new test of the DPIA template (also with other DSOs)
• 31 October: Additional input, namely from other utilities
2016
• Mid-term assessment meeting
• June: Final input and report about the applicability of the DPIA
• December: Final output meeting
DPIA Test Phase: workshop participants
14 persons participated in the Workshops in Amsterdam and Lisbon:
• Johan Rambi – Alliander
• Theo van der Vleut – Alliander
• Anneke Luiten – Alliander
• Thijs Baars – Alliander
• Aurelio Blanquet – EDP
• Nuno Medeiros – EDP
• Pedro Ricardo Daniel – EDP
• Ricardo Matos – EDP
• Paulo Líbano Monteiro – EDP
• Michaela Kollau – European Commission DG ENER
• Igor Nai Fovino – European Commission DG JRC
• David Johnson – SMCG AHWG P&S
• Koen Dupon – DPA NL
• Joao Ribeiro – DPA PT
DPIA Test Phase: steps from the DPIA template
• Step 1 - Pre-assessment and criteria determining the need to conduct a DPIA
• Step 2 - Initiation
• Step 3 - Identification, characterisation and description of Smart Grid systems/applications processing personal data, including data flows
• Step 4 - Identification of relevant risks
• Step 5 - Data protection risk assessment
• Step 6 - Identification and recommendation of controls and residual risks
• Step 7 - Documentation and drafting of the DPIA Report
• Step 8 - Reviewing and maintenance
DPIA Test Phase: DPIA template test user experience sharing
Strong points
• The workshops provided a good first introduction to the DPIA template
• It was important to involve people with different roles in the workshop
• The document includes important guidance for filling in the DPIA template
• The assessment process itself increases awareness regarding data protection
• Gathered a lot of findings which will help us to increase the usability
Improvement points
• Text in some sections can be made clearer; much explanation was needed
• The object under DPIA (e.g., a business process) must be well defined
• The pre-assessment (decision to go on with the DPIA) should be simpler
• The relevant risks could be better characterized
• The document could be made more homogeneous across sections
Moving further on
• Include the general comments and findings in the document
• It is very helpful that other utilities move to a similar test phase:
• Gain experience and get acquainted with the DPIA template
• Opportunity to increase usability and fine-tune the DPIA document
• Good way to prepare for the upcoming legislation
DPIA Test Phase: result of the test findings
A few examples of test findings
• "Criterion 1, first question – what is organizational measurement data? Clarify. And we propose changing to 'collect and process'."
• "There should be a picture in section 1.6, with the workflow of the template, the results/deliverables, etc. It will help a lot for guidance. The object under DPIA (e.g., business process) must be well defined."
• "At 2.3.3 and 3.3.3, we felt there is not a clear distinction between actors, assets and processes. We propose the following distinction: […]"
• "At 3.3.2 and 2.3, change the wording from 'scenario(s)' to 'process(es)'"
DPIA Test Tool: Who am I
Thijs Baars
Born 8 Oct. 1987 in Arnhem, NL
Master in Business Informatics, Utrecht University (graduated in Sept. 2014)
Developing Information Security & Privacy Management Systems (ISMS) as part of a spin-off named Hivre
www.hivre.com
DPIA Test Tool: Overview of the Steps
Step 1: Pre-assessment
Step 2: Initiation
Step 3: Identification & characterisation
Step 4: Identification of relevant risks
Step 5: Data protection risk assessment
Step 6: Identification and recommendation of controls and residual risks
Step 7: Documentation and drafting of the DPIA Report
Step 8: Review and maintenance
The tool groups these steps into three phases: Understanding Your Organization & Processes, Risk Assessment, Risk Management.
DPIA Test Tool: Pre-Assessment
DPIA Test Tool: Initiation
DPIA Test Tool: Remarks
Tooling sometimes needs to diverge from the Template to work correctly. However:
• Tooling can improve consistency and add overview to the process as a whole
• Dynamic forms are more easily edited and kept up to date
• Accountability for who made what change, and when
• Improved usability and accessibility over a Word document
DPIA Test Phase: main conclusions and next steps
Main conclusions
o The selection of the stakeholders in the DPIAβT has proven to be effective, looking at the findings derived over 2 workshops
o The atmosphere was excellent and the attitude very interactive and cooperative, helping the discussion and the collection of the findings
Next steps
o EDSO will prepare a workshop in July or in September to incentivize/test the DPIA template with EDSO members.
o Alliander will prepare a workshop in November to test the DPIA template together with the Dutch DSOs (under the Netbeheer Netherlands umbrella).
Summary and Follow-up steps
Summary
• Start your testing
• Check the SGTF website
• Reporting form for testing
• Provide input to the EC
Contact: [email protected]
http://ec.europa.eu/energy/en/topics/markets-and-consumers/smart-grids-and-meters