"Privacy"

2020-10-25

Categories: Club EBIOS, Guidance, Privacy

For all those who wish to use EBIOS Risk Manager to conduct a PIA (Privacy Impact Assessment, commonly, or Data Protection Impact Assessment – DPIA, in the specific context of the Article 35 of GDPR), here is an infographic which summarizes the approach:

Broadly speaking, information security / cybersecurity and privacy are both about data protection.
The goal is different: in the information security field, the goal is to protect the organization, while in privacy, the goal is to protect individuals / data subjects.
But the way to manage risk is perfectly compatible!

To conduct a PIA with EBIOS Risk Manager, all you have to do is:

  1. take the processing of personal data considered as the subject of the EBIOS Risk Manager study;
  2. assess compliance with the fundamental principles (determined purpose, minimized data, informing people, enabling them to exercise their rights, etc.), which can be done as part of the Security baseline of workshop 1 of EBIOS Risk Manager;
  3. identify the potential impacts on the data subjects and estimate their severity, which can be done in the context of the feared events of the same EBIOS Risk Manager workshop 1.

All the information required in a PIA is found in the study:

  1. the description of the processing is taken from Workshop 1;
  2. the assessment of necessity and proportionality with regard to fundamental principles and rights also comes from Workshop 1;
  3. the study of data security risks and their potential impacts on privacy is the result of workshops 1, 2, 3 and 4;
  4. the controls envisaged to deal with the risks emerge from workshop 5.

2020-04-06

Categories: Other origin, Privacy, Tool

The open source PIA software helps to carry out a data protection impact assessment.

The PIA software aims to help data controllers build and demonstrate compliance with the GDPR. The tool is available in French and in English (and many other languages). It facilitates carrying out a data protection impact assessment. This tool also intends to ease the use of the PIA guides published by the CNIL.


2020-04-05

The following document can be used for determining the baseline of Workshop 1 of EBIOS Risk Manager, when the scope of the study is a processing of personal data.

It constitutes a declaration of applicability relating to the fundamental principles related to the protection of privacy.

The other Workshops of the study make it possible to satisfy the obligations of the GDPR in terms of security (cf. art. 32) if you assess the impacts on the data subjects in addition to those on the organization.
You can thus use EBIOS Risk Manager to carry out a PIA (cf. art. 35).

2020-04-04

Categories: Other origin, Privacy, Standard

This international standard defines the vocabulary and principles that must be respected by any specific approach to privacy.

See the standard (free of charge)


Categories: Other origin, Privacy, Standard

This international standard defines the principles that must be respected by any risk management approach specific to privacy.

See the standard (paid)

2018-02-26

Categories: Method, Other origin, Privacy

The CNIL’s PIA Guides have been updated to provide a tool for the General Data Protection Regulation (GDPR).
The methodological approach is a privacy specific instantiation of the EBIOS toolbox.
It makes it possible to build and demonstrate the GDPR compliance of a processing of personal data.
The guides (the methodology, the templates and the knowledge bases) are provided together with free software, case studies, guidelines, etc.

On the CNIL’s website: Privacy Impact Assessment (PIA)

*PIA – Privacy Impact Assessment, or Data Protection Impact Assessment in the GDPR context.