A Data Protection Impact Assessment Methodology for Cloud

We propose a data protection impact assessment (DPIA) method based on successive questionnaires: one for an initial screening and one for a full screening of a given project. These were tailored to satisfy the needs of Small and Medium Enterprises (SMEs) that intend to process personal data in the cloud. The approach is based on legal and socio-economic analysis of privacy issues for cloud deployments and takes into consideration the new requirements for DPIAs within the European Union (EU) as put forward by the proposed General Data Protection Regulation (GDPR). The resultant features have been implemented within a tool.
