Phase 1: Preparation and Concept
Work Package 1: Update on the Status of DPIAs in Europe
This first work package aims to provide an overview of current developments regarding the definition of DPIAs in Europe since the adoption of the General Data Protection Regulation (GDPR). To this end, the work of national data protection supervisory authorities, industry associations and other stakeholders will be systematically reviewed and evaluated to identify developments that should be taken into account in the project. This concerns firstly the interpretation of the legal requirements of the GDPR, secondly the procedures for conducting a DPIA and thirdly the approaches to supporting DPIAs technically.
Work Package 2: Operationalisation and assessment criteria
The second work package will further detail the DPIA concept and prepare the practical tests.
- Detailed definition of the application cases to be considered: This allows the further steps to be focused more precisely on the validation tests. On this basis, a targeted selection of institutions (companies and authorities) for the tests can be made.
- Operationalisation of the evaluation step: Development of detailed criteria for assessing the risks to six central protection objectives. The standard data protection model recommended by the data protection conference in 2016 has to be integrated as far as possible. In addition, the requirements of the data protection supervisory authorities for the instrument have to be identified and taken into account.
- Concretisation of the participation methodology: Selection of a small number of suitable procedures for citizen participation and participatory technology assessment (e.g. citizen conferences, focus groups, the CIVISTI method) to be used in the practical tests and tested for their suitability.
- Legal analysis to determine whether the requirements of the GDPR are fully met.
Phase 2: Validation
Work Package 3: Tests with companies and public authorities
The third work package comprises the project’s central empirical validation work, which is carried out in two iterative waves.
- Selection and approach of the test candidates: Building on the work in WP 2, a list of institutions will be compiled that are considered for the joint execution of the tests. These should come from the selected application areas and be sufficiently representative (they should include small and large institutions, as well as institutions from the private and public sector).
- First test wave: The methodology, which is documented in the draft DPIA manual, will be validated with 8 institutions during a first test wave. The tests will be carried out under realistic conditions on site at the institution. In this first wave, the main focus is on the question of which elements “function” in practice and which elements need to be improved (effectiveness).
- Analysis of the results and revision of the methodology: The test results will be analysed in the third step. The focus here is on the extent to which the operationalisation carried out in WP 2 has successfully identified the relevant data protection risks.
- Second test wave: The revised methodology will be further validated with another 4 institutions as part of the second wave. This time the focus is on the efficiency of the methodology: it is examined which of the procedures can be implemented most easily. The aim is to find a balance between adequate assessment quality on the one hand and the effort needed on the other.
- Finalisation of the methodology: As with the first wave, the results of the second test wave will be evaluated and taken into account in the final version of the DPIA manual.
Phase 3: Dissemination and support
Work Package 4: Exchange with data protection authorities, industry associations and committees
In parallel to the practical tests, the team will already seek an exchange with experts from data protection authorities and industry associations. Initially, the focus is on feedback on the process to be validated. When the empirical validation has been completed and the rules of the GDPR are effective in May 2018, there will be a considerable need for orientation knowledge: questions such as “How can a company carry out a DPIA that meets the legal requirements?”, “Which methodology is accepted by the competent data protection authorities?” and “Are there service providers or tools that support carrying out a DPIA?” are to be expected. The project partners will disseminate the method they have developed and validated as widely as possible.