For all those who wish to use EBIOS Risk Manager to conduct a PIA (Privacy Impact Assessment, commonly, or Data Protection Impact Assessment – DPIA, in the specific context of the Article 35 of GDPR), here is an infographic which summarizes the approach:

Broadly speaking, information security / cybersecurity and privacy are both about data protection.
The goal is different: in the information security field, the goal is to protect the organization, while in privacy, the goal is to protect individuals / data subjects.
But the way to manage risk is perfectly compatible!

To conduct a PIA with EBIOS Risk Manager, all you have to do is:

  1. take the processing of personal data considered as the subject of the EBIOS Risk Manager study;
  2. assess compliance with the fundamental principles (determined purpose, minimized data, informing people, enabling them to exercise their rights, etc.), and this can be done as part of the Security basline of workshop 1 of EBIOS Risk Manager ;
  3. identify the potential impacts on the data subjects and estimate their severity, and this can be done in the context of the feared events of the same EBIOS Risk Manager workshop 1.

All the information required in a PIA is all found in the study:

  1. the description of the treatment is taken from Workshop 1;
  2. the assessment of the necessity and proportionality with regard to fundamental principles and rights also came from Workshop 1;
  3. the study of data security risks and their potential impacts on privacy is the result of workshops 1, 2, 3 and 4;
  4. the controls envisaged to deal with the risks emerge from workshop 5.