![Page 1: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/1.jpg)
Simone CASIRAGHI, Dariusz KLOZA, Alessandra CALVI
Vrije Universiteit Brussel (VUB)
Research Group on Law, Science, Technology & Society (LSTS)
Brussels Laboratory for Data Protection & Privacy Impact Assessments (d.pia.lab)
20 May 2020
online
PERSONA impact assessment training (II):introduction to impact assessment
![Page 2: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/2.jpg)
Agenda
▪ the concept of impact assessment▪ context
▪ rationale
▪ history
▪ structure
▪ the framework (conditions and principles)
▪ the method
▪ integration of impact assessment
▪ Q&A
![Page 3: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/3.jpg)
The concept of impact assessment
(1)
![Page 4: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/4.jpg)
Impact assessment
(Kloza et al. 2017: 1)
![Page 5: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/5.jpg)
Evaluation techniques
impact assessment
▪ technology
▪ environment
▪ regulation
▪ health
▪ privacy
▪ personal data protection
▪ surveillance
▪ social
▪ …
▪ risk appraisal
▪ value sensitive design
▪ cost-benefit analysis
▪ SWOT analysis
▪ …
![Page 6: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/6.jpg)
Context
▪ Why did these methods proliferate?
▪ Growing invasiveness of techs
▪ Increasing importance of processing of personal data
▪ Less trust in emerging techs by the public
▪ …
▪ Contributions to:
▪ Informed decision-making
▪ Enhance participation
▪ Balancing of competing interests
▪ Iterative process
▪ …
![Page 7: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/7.jpg)
Critiques
▪ Unnecessary burden
▪ Lack of guidance
▪ Compliance exercise
▪ They happen too late
▪ insufficient participation
▪ Limited transparency
▪ …
![Page 8: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/8.jpg)
Supporting the conduct of D/PIA
▪ frameworks, handbooks, guidelines, manuals, …
▪ templates, questionnaires
▪ awareness-raising, education, training, …
▪ academic & professional literature, policy documents, …
▪ bilaterals, word-of-mouth
▪ advice & feedback from DPAs (‘reference centres’)
▪ software for the automation of D/PIA process
▪ …
![Page 9: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/9.jpg)
Legal requirements in the EU for D/PIA
▪ 1995 Art 20 Directive 95/46 (prior checking)
▪ 2009 RFID
▪ 2012 smart grids
▪ 2016 Arts 35-36 GDPR
▪ 2016 Art 27 Directive 2016/680
▪ 2018 Arts 39-40 & Art 42 Regulation 2018/1725
▪ 2019 Recital 53 re-use PSI Directive 2019/1024
▪ 2020 Art 6 ePrivacy Regulation (proposal)
▪ …
![Page 10: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/10.jpg)
The framework for impact assessment
(2)
![Page 11: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/11.jpg)
‘Architecture’
▪ framework: conditions and principles
▪ method: procedure for accomplishing the assessment process
▪ model/template: a document to fill-in to prepare a report from the assessment process
▪ benchmark: societal concern(s) against which an initiative is assessed▪ e.g. human rights, privacy, personal data, ethics, societal concerns, …
▪ guidelines (handbooks, manuals): practical support material
▪ …
![Page 12: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/12.jpg)
The framework
1. systematic process
2. considers the relevant societal concerns
3. not everything needs it
4. uses the appropriate method
5. includes recommendations
6. a best efforts obligation
7. relies on sufficient knowledge and know-how
8. documented & transparent
9. deliberative
10. accountable
11. assessor is independent
12. simple
13. adaptive
14. inclusive
15. receptive
16. grows in supportive environment
![Page 13: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/13.jpg)
1. Systematic process
▪ appropriate method
▪ prior (ex ante) & continuous → ‘living instrument’
![Page 14: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/14.jpg)
2. Societal concerns
▪ relevant societal concerns (individual and collective, commensurate with its type)▪ natural & human environment
▪ technology development
▪ regulation
▪ privacy
▪ personal data
▪ …
▪ multiple types/processes vs. single, integrated one
![Page 15: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/15.jpg)
3. Not everything requires it
▪ criteria▪ nature of the envisaged initiative
▪ scope
▪ context
▪ purpose
▪ number/types of affected individuals
▪ …
▪ rational compulsion▪ e.g. possible severe negative consequences
![Page 16: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/16.jpg)
4. Appropriate method
▪ no ‘silver bullet’ method
▪ possible methods:▪ risk management
▪ qualitative
▪ quantitative
▪ scenario planning
▪ scientific foresight
▪ (legal/regulatory) compliance check
▪ SWOT analysis
▪ CBA
▪ …
![Page 17: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/17.jpg)
5. Consequences & recommendations
▪ consequences (‘impacts’)
▪ in the future
▪ positive vs. negative (typically, risks)
▪ intended/unintended
▪ individual/collective
▪ …
▪ final goal: to recommend possible solutions to address possible consequences
![Page 18: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/18.jpg)
6. ‘Best effort’ obligation
▪ absolute mitigation of negative impacts is impossible
▪ absolute maximization of positive impacts is impossible
▪ obligation of means vs. obligation of result
▪ limitations▪ state-of-the-art
▪ information
▪ available resources
▪ …
![Page 19: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/19.jpg)
7. Competences & qualifications
▪ assessor(s) possess:▪ sufficient knowledge → multiple experts needed
▪ sufficient know-how
▪ appropriate qualifications
▪ …
![Page 20: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/20.jpg)
8. Documentation
▪ reasonable transparency
▪ (free and unrestricted) public access▪ the mere fact of the assessment process in place
▪ terms of reference
▪ progress
▪ …
▪ yet: legitimate secrecy▪ state secrets
▪ trade secrets
▪ personal data
▪ otherwise privileged information
![Page 21: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/21.jpg)
9. Deliberative process
▪ public (stakeholder) participation▪ internal/external
▪ individuals/organizations
▪ levels of involvement ▪ information
▪ consultation
▪ co-decision
▪ information given and sought is robust, accurate and inclusive
▪ effective means of challenge (contestability)
![Page 22: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/22.jpg)
10. Accountability
▪ (formal) responsibility of decision-makers for:▪ choice of the method▪ choice of the assessors▪ …
▪ (substantive) responsibility of decision-makers for:▪ approval of the results▪ monitor implementation▪ nb. typically beyond the impact assessment process
▪ quality control▪ internal▪ external
▪ non-compliance and malpractice are sanctioned
![Page 23: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/23.jpg)
11. Independence of the assessor
▪ assessor(s) do(es) not receive nor seek(s) any instruction
▪ sufficient resources at their disposal▪ time
▪ money
▪ workforce
▪ knowledge
▪ know-how
▪ premises
▪ infrastructure
![Page 24: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/24.jpg)
12. Simplicity
▪ structured process
▪ coherent
▪ understandable
▪ avoidance of prescriptiveness
▪ avoidance of over-complication
▪ avoidance of the abuse of resources
▪ …
![Page 25: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/25.jpg)
13. Adaptiveness
▪ no „one size fits all”
▪ criteria:▪ initiative under assessment
▪ sponsoring organization
▪ geographical differences
▪ cultural differences
▪ …
![Page 26: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/26.jpg)
14. Inclusiveness
▪ stakeholders
▪ expert and layman knowledge
▪ relevant societal concerns
▪ relevant development phases▪ design
▪ development
▪ deployment
▪ …
![Page 27: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/27.jpg)
15. Receptiveness
▪ previous experience
▪ parallel evaluation techniques
▪ knowledge from related disciplines
▪ …
![Page 28: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/28.jpg)
16. Supportive environment
▪ support from policy-makers▪ e.g. guidance
▪ willingness of decision-makers
▪ cooperation of stakeholders
▪ …
![Page 29: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/29.jpg)
The method for impact assessment
(3)
![Page 30: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/30.jpg)
Generic method
❑ 10 steps grouped in 5 phases → Process
Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019
![Page 31: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/31.jpg)
Step 1. Screening – Threshold analysis
Initial description of an initiative
to determine if IA is warranted or necessary
❑ warranted (e.g. public pressure)
❑ necessary (e.g. required by law)
Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019
![Page 32: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/32.jpg)
Step 2. Scoping
Initial description of an initiative
to identify:
❑ societal concerns touched by an initiative (e.g. data protection, ethics, privacy)
❑ stakeholders and their level of involvement (Step 7)
❑ appraisal techniques (i.e. methods) to be used in the process (Step 5) (e.g. risk analysis, n&p, CBA, scenario analysis)
❑ other evaluation techniques (e.g. eIA, PIA, DPIA, integrated impact assessments)
Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019
![Page 33: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/33.jpg)
Step 3. Planning and Preparation
To identify:
❑ IA goals
❑ acceptability of negative impacts
❑ resources (time, money, workforce, knowledge, know-how, premises, infrastructure)
❑ procedures and time-frames
❑ assessors (in-house or outsourced), roles and responsibilities
❑ (business) continuity
Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019
![Page 34: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/34.jpg)
Step 4. Description
On the basis of the preliminary
❑ contextual (e.g. overview of initiative and organisation, need of initiative, context of deployment, interferences with societal concerns (see Step 2 Scoping))
❑ technical
Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019
![Page 35: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/35.jpg)
Step 5. Appraisal of impacts
To be performed according to the preselected techniques (Step 3):
❑ identification
❑ analysis
❑ evaluation
of impacts
Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019
![Page 36: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/36.jpg)
Step 6. Recommendations
To define:
❑ concrete measures to minimise negative impacts (and maximise positive ones), their addressees, priority and time-frames
❑ whether to proceed or not
Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019
![Page 37: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/37.jpg)
Step 7. Stakeholders involvement
❑ who is a stakeholder? someone who is/might be affecting/affected by an initiative, positively or negatively
❑ why involve stakeholder? (robustness and completeness of decision making process)
❑ which level of involvement? (e.g. information, consultation, co-decision)
❑ which techniques? (e.g. questionnaires, workshops, roundtables)
Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019
![Page 38: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/38.jpg)
Step 8. Documentation
To demonstrate accountability and/or legal compliance
(e.g. registry of impacts, statement of non significant impact, final report)
Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019
![Page 39: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/39.jpg)
Step 9. Quality control
to ensure adherence to standards of performance (internal or external, during the process or aftewards)
Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019
![Page 40: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/40.jpg)
Step 10. Revisiting
To decide whether to conduct the process again or in part
Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019
![Page 41: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/41.jpg)
From generic method to IAM PERSONA
❑ tailoring down
❑ integrating impact assessments
![Page 42: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/42.jpg)
Tailoring down - method for DPIA (GDPR)
1. threshold▪ criterion 1: high risk YES▪ criterion 2: specific cases (3) YES▪ criterion 3: (national) exclusion list NO▪ criterion 4: (national) inclusion list YES▪ criterion 5: already carried out NO▪ criterion 6: professionals NO▪ *criterion 7: codes of conduct YES/NO
2. description▪ technical▪ contextual
3. appraisal▪ necessity & proportionality▪ risks to the rights & freedoms
of individuals (all relevant human rights)
4. stakeholder involvement
▪ when appropriate, data subjects or their representatives
▪ due respect for legitimate secrecy
▪ if appointed, consultation with a DPO
5. recommendations: measures envisaged to:
▪ address the risks
▪ ensure personal data protection
▪ ensure compliance with the GDPR
6. prior consultation
▪ high residual risk
▪ possible ban of processing
7. re-visiting
▪ when necessary
![Page 43: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/43.jpg)
Tailoring down - method for DPIA (LED)
1. threshold
▪ criterion: high risk YES
2. description
▪ general
3. appraisal
▪ risks to the rights & freedoms of individuals (all relevant human rights)
4. stakeholder involvement
▪ if appointed, consultation with a DPO
5. recommendations: measures envisaged to:
▪ address the risks
▪ ensure personal data protection
▪ ensure compliance with the LED
6. prior consultation
▪ high residual risk
▪ national list
![Page 44: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/44.jpg)
Tailoring down - IAM PERSONA
genericmethod
DPIA in GDPR
DPIA in LED
PIA
eIA
Social acceptance
![Page 45: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/45.jpg)
Integration of impact assessment
(4)
![Page 46: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/46.jpg)
benchmark
Integrated impact assessment
▪ “everything is inherently interconnected” -> comprehensive & integrated assessment
▪ cost-efficiency
▪ inclusion of benchmark(s) not required by law
yet:
▪ not merely the sum of societal concerns
▪ internal consistency
▪ internal coherence (not contradictory)
▪ possible subordination of assessment domains
![Page 47: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/47.jpg)
Phase II
4) Description Systematic description of envisaged processing operations [Art 35(7)(a) GDPR & Art. 39(7)(a) EUDPR]
Or Generic description of envisaged processing operations (LED & Art. 89 EUDPR)
And Technical description of processing operation
Broader ‘big picture’ description of the initiative (relevant ethical, privacy and societal issues not covered by data protection)
5) Appraisal of impacts Necessity & Proportionality + Risk assessment (GDPR & Art. 39 EUDPR) Risk assessment (LED and Art. 89 EUDPR)
-Applied Ethics -Ethical Checklist approaches -Participatory methods -Stakeholders consultation -Scenario-based approaches
-Risk assessment -Cost-benefit analysis (CBA)
Phase III
6) Recommendations Measures envisaged to address the risks AND demonstrate compliance with data protection rules
Broader scope recommendations that do not fall under data protection recommendations
Phase IV (on going)
7) Stakeholder involvement Identify, define the level of involvement and Involve stakeholders at different phases of the process
8) Documentation Document the IA process
9) Quality control Check the quality of the IA process (internally or externally)
10) Revisiting Revise the IA process
Steps DPIA Ethical IA (including social acceptance)
PIA
Phase I
1) Screening -Legally binding -4 iterations: § GDPR: 6 criteria to
consider § LED: 1 criterion § EUDPR: 5 criteria to
consider § EUDPR: 1 criterion for
AFSJ
-Not legally binding -Threshold analysis questionnaire
-Not legally binding -Threshold analysis questionnaire
2) Scoping -Narrow down the benchmark to relevant legal statutes -Identify appraisal techniques for: § Risk to a right § Necessity and
proportionality test
-Narrow down the benchmark to relevant ethical principles -Identify appraisal techniques for ethical issues
-Narrow down the ethical benchmark to relevant privacy issues -Identify appraisal techniques for privacy issues
-Identify stakeholders -Identify stakeholders involvement techniques
3) Planning Determine scale, budget, composition of the team
Example
Integration
![Page 48: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/48.jpg)
To sum up: Impact Assessment Architecture
1) Framework
2) Method
3) Template/Model
These are the steps you need to follow to carry out the process at your premises
Next session: focus on appraisal techniques and stakeholders’ involvement (May 25 2020)
![Page 49: PERSONA impact assessment training (II): introduction to ... · ‘Architecture’ framework: conditions and principles method: procedure for accomplishing the assessment process](https://reader034.vdocuments.net/reader034/viewer/2022050207/5f5a29da99e9c129cd36f954/html5/thumbnails/49.jpg)
[email protected]@[email protected]@[email protected]
LSTS.research.vub.be dpialab.org @dpialab
Thank you!