Workshop DPIA Test phase

Directorate General for Energy, European Commission. Brussels, 22/05/2015

Page 1: Workshop DPIA Test phase

Energy

Workshop DPIA Test phase

Directorate General for Energy

European Commission

Brussels, 22/05/2015

Page 2: Workshop DPIA Test phase

Content

Welcome and objectives of the workshop

Background: Commission Recommendation & test phase

Experience sharing: Alliander and EDP Distribuição initiative

Alliander and EDP Distribuição initiative

Experience sharing of test users and the DPA

Examples of test findings

DPIA template test tool demonstration

Discussion

Follow-up steps

Page 3: Workshop DPIA Test phase

COMMISSION RECOMMENDATION 2014/724/EU

Page 5: Workshop DPIA Test phase

What is SGTF?

[Organisation chart: Smart Grids Task Force. Labels: European Commission; High Level Steering Committee; Ad-hoc expert working groups; Florence Forum; London Forum; Technology; Supply; Consumer; DSOs; TSOs; Regulators]

Page 6: Workshop DPIA Test phase

Scope of the Recommendation

Guarantee protection of personal data throughout the Union

Provide guidance to MS

Interaction of MS, industry, civil society stakeholders, national data protection authorities and national energy regulatory authorities

Help ensure fundamental rights

2-year test-phase of the DPIA template

Page 7: Workshop DPIA Test phase

DPIA TEMPLATE FOR SMART GRID AND SMART METERING SYSTEMS

Smart Grid Task Force 2012-2014

Page 8: Workshop DPIA Test phase

What is the DPIA-template?

• The DPIA Template is an evaluation and decision-making tool which helps entities planning or executing investments in smart grids to identify and anticipate risks to data protection, privacy and security.

• The DPIA provides guidance to help ensure the fundamental rights to protection of personal data and to privacy.

Page 9: Workshop DPIA Test phase

Who should carry out a DPIA?

Organisations that initiate or already manage smart grid deployments

Organisations introducing changes to existing smart grid architecture platforms in identifying and assessing the privacy risks of these initiatives

Page 10: Workshop DPIA Test phase

Benefits of conducting the DPIA

Preventing costly adjustments in processes or system redesign by mitigating privacy and data protection risks

Prevention of discontinuation of a project by early understanding of the major risks

Reducing the impact of law enforcement and oversight involvement

Improving the quality of personal data (minimisation, accuracy)

Improving service and operation processes

Improving decision-making regarding data protection

Raising privacy awareness within the organisation

Improving the feasibility of a project

Strengthening confidence of consumers, employees or citizens in the way in which personal data are processed and privacy is respected

Page 11: Workshop DPIA Test phase

Steps of carrying out a DPIA

Step 1: Pre-assessment and criteria determining the need to conduct a DPIA

Step 2: Initiation

Step 3: Identification, characterisation and description of smart grid systems / applications processing personal data

Step 4: Identification of relevant risks

Step 5: Data protection risk assessment

Step 6: Identification and recommendation of controls and residual risks

Step 7: Documentation and drafting of the DPIA Report

Step 8: Review and maintenance

Page 12: Workshop DPIA Test phase

Carrying out a DPIA

DPIA should help stakeholders to identify in a structured way and to categorize privacy risks attached to smart grids systems and applications when processing personal data

Parallel use of templates of:

• chapter 2: Guidance for execution of the DPIA

• chapter 3: Questionnaires

Page 13: Workshop DPIA Test phase

TEST PHASE

DPIA Template

Page 14: Workshop DPIA Test phase

Opinion 07/2013 of the Working Party 29…

…recommends the organisation of a test phase for the implementation of the Template, with the support of Data Protection Authorities.

This test phase should contribute to ensure that the Template provides improved data protection to individuals in the context of the deployment of smart grids.

Page 15: Workshop DPIA Test phase

Test Phase

Within two years of publication of this Recommendation in the Official Journal of the European Union, Member States should provide the Commission with an assessment report highlighting the relevant conclusions stemming from the Test Phase.

The EC intends to assess the need for revision of the DPIA Template based on the Test Phase reports provided by Member States

Stakeholder event to exchange views on this assessment prior to undertaking a revision

Page 16: Workshop DPIA Test phase

Why a Test Phase?

In light of the upcoming General Data Protection Regulation

Based on the feedback gathered in the test phase, the Template could be further fine-tuned to enhance its:

• Efficiency of the template in assessing the impact of individual smart grid applications on data protection.

• Usefulness of the template in guiding data controllers in the conduct of the impact assessment according to the concrete circumstances of the application or system

• User-friendliness of the template from the data controller's perspective

Page 17: Workshop DPIA Test phase

INTERACTION OF THE STAKEHOLDERS

Page 18: Workshop DPIA Test phase

CONCEPT OF THE TEST PHASE

Page 19: Workshop DPIA Test phase

ALLIANDER AND EDP DISTRIBUIÇÃO INITIATIVE

Experience sharing

Page 20: Workshop DPIA Test phase

DPIA template test phase workshops report

22 May 2015, Brussels

Page 21: Workshop DPIA Test phase

DPIA Test Phase

Agenda

1. DPIA test phase introduction

2. DPIA Test phase workshops

3. DPIA template test user experience sharing

4. Result of the test findings

5. DPIA template test tool demonstration

6. Main conclusions and next steps

Page 23: Workshop DPIA Test phase

DPIA Test Phase

Alliander and EDP Distribuição initiative

o Joint effort for the 1st assessment:

• Gather a specialized team of DPIA Beta Testers (DPIAβT) to facilitate the DPIA template application at Alliander and EDP;

• The DPIAβT is a selected group of DPIA knowledgeable people, preferably from different relevant stakeholders (DSOs, Data Protection Authority, Consumer organisations, European Commission, …)

o Organization of 2-day working sessions per company (Amsterdam and Lisbon) in April and May, where:

• Each company gathered experienced personnel from the business units involved in the selected business case, able to provide all their knowledge and understanding to the DPIA template application.

• The DPIAβT have a neutral role in the process, participating just as a facilitator in the DPIA template application. Additionally, it should collect feedback about the DPIA, its applicability and usability.

• The DPIA was applied to 2 business cases selected from the “set of common functional requirements of the Smart Meter”:

• BC1: Provides readings from the meter to the customer and to equipment that the customer has installed (Alliander);

• BC3: Allows remote reading of meter registers by the Meter Operator (EDP).

o Output: Report of experiences and findings

• The DPIAβT report will provide a coherent assessment about the PROCESS of application of the actual DPIA Template both at Alliander and EDP Distribuição.

Page 24: Workshop DPIA Test phase

DPIA Test Phase

Planning of the DPIA template test phase

[Timeline, 2015 to 2016: Working process for the EC and other entities]

• 1st half of April: DPIA Template application at Alliander

• 2nd half of April: DPIA Template application at EDP

• 22 May: Deliver input report

• July/September: EDSO workshop and new test of the DPIA template (also with other DSOs)

• October 31st: Additional input, namely from other utilities

• Mid-term Assessment Meeting

• June: Final input and report about the applicability of the DPIA

• December: Final Output meeting

Page 26: Workshop DPIA Test phase

DPIA Test Phase

• Johan Rambi - Alliander

• Theo van der Vleut – Alliander

• Anneke Luiten – Alliander

• Thijs Baars – Alliander

• Aurelio Blanquet – EDP

• Nuno Medeiros – EDP

• Pedro Ricardo Daniel – EDP

• Ricardo Matos – EDP

• Paulo Líbano Monteiro – EDP

• Michaela Kollau – European Commission DG ENER

• Igor Nai Fovino – European Commission DG JRC

• David Johnson – SMCG AHWG P&S

• Koen Dupon – DPA NL

• Joao Ribeiro – DPA PT

14 persons participated in the Workshops in Amsterdam and Lisbon

Page 27: Workshop DPIA Test phase

DPIA Test Phase

• Step 1 - Pre-assessment and criteria determining the need to conduct a DPIA

• Step 2 - Initiation

• Step 3 - Identification, characterisation and description of Smart Grid systems/applications processing personal data, including data flows

• Step 4 - Identification of relevant risks

• Step 5 - Data protection risk assessment

• Step 6 - Identification and Recommendation of controls and residual risks

• Step 7 - Documentation and drafting of the DPIA Report

• Step 8 - Reviewing and maintenance

Steps from DPIA template

Page 29: Workshop DPIA Test phase

DPIA Test Phase

DPIA template test user experience sharing

Strong points

• The workshops provided a good first introduction to the DPIA template

• It was important to involve people with different roles in the workshop

• The document includes important guidance for filling the DPIA template

• The assessment process itself increases awareness regarding data protection

• Gathered a lot of findings which will help us to increase the usability

Page 30: Workshop DPIA Test phase

DPIA Test Phase

DPIA template test user experience sharing

Improvement points

• Text in some sections can be made clearer; much explanation was needed

• The object under DPIA (e.g., business process) must be well defined

• The pre-assessment (decision to go on with DPIA) should be simpler

• The relevant risks may be better characterized

• The document may be made more homogeneous across sections

Page 31: Workshop DPIA Test phase

DPIA Test Phase

DPIA template test user experience sharing

Move further on

• Include the general comments and findings in the document

• It is very helpful that other utilities move to a similar test phase:

• Gain experience and get acquainted with the DPIA template

• Opportunity to increase usability and fine tune the DPIA document

• Good way to prepare for the upcoming legislation

Page 33: Workshop DPIA Test phase

DPIA Test Phase Result of the test findings

Page 34: Workshop DPIA Test phase

DPIA Test Phase Few examples of test findings

• “Criterion 1, first question – what is organizational measurement data? Clarify. And we propose changing to “collect and process”.”

• “There should be a picture on section 1.6, with the workflow of the template, the results/deliverables, etc. It will help a lot for guidance. It must be well defined the object under DPIA (e.g., business process)”

• “At 2.3.3 and 3.3.3, we felt there is not a clear distinction between actors, assets and processes. We propose the following distinction: […]”

• “At 3.3.2 and 2.3, change the wording from “scenario(s)” to “process(es)””

Page 36: Workshop DPIA Test phase

DPIA Test Tool: Who am I

Thijs Baars

Born 8 Oct. 1987 in Arnhem, NL

Master in Business Informatics, Utrecht University (Graduated in Sept. 2014)

Developing Information Security & Privacy Management Systems (ISMS) as part of a spin-off named Hivre

www.hivre.com

Page 37: Workshop DPIA Test phase

DPIA Test Tool: Overview of the Steps

Step 1: Pre-assessment

Step 2: Initiation

Step 3: Identification & characterisation

Step 4: Identification of relevant risks

Step 5: Data protection risk assessment

Step 6: Identification and recommendation of controls and residual risks

Step 7: Documentation and drafting of the DPIA Report

Step 8: Review and maintenance

Page 38: Workshop DPIA Test phase

DPIA Test Tool: Overview of the Steps

Understanding Your Organization & Processes

Risk Assessment

Risk Management

Page 40: Workshop DPIA Test phase

DPIA Test Tool: Pre-Assessment

Page 41: Workshop DPIA Test phase

DPIA Test Tool: Initiation

Page 42: Workshop DPIA Test phase

DPIA Test Tool: Remarks

Tooling sometimes needs to divert from the Template to work correctly.

However,

• Tooling can improve consistency and add overview to the process as a whole

• Dynamic forms are more easily edited and kept up-to-date

• Ability for accountability of who made what change when

• Improved usability and accessibility over a Word document.

Page 44: Workshop DPIA Test phase

DPIA Test Phase

Main conclusions and next steps

Main Conclusions

o The selection of the stakeholders in the DPIAβT has proven to be effective, looking at the findings derived over 2 workshops

o The atmosphere was excellent and the attitude very interactive and cooperative, helping the discussion and the collection of the findings

Next steps

o EDSO will prepare a workshop in July or in September to incentivize/test the DPIA template with EDSO members.

o Alliander will prepare a workshop in November to test the DPIA template together with the Dutch DSOs (under the Netbeheer Netherlands umbrella).

Page 45: Workshop DPIA Test phase

Summary and Follow up steps

Summary

Start your testing

Check the SGTF website

Reporting form for testing

Provide input to the EC

Page 46: Workshop DPIA Test phase

Contact: [email protected]

http://ec.europa.eu/energy/en/topics/markets-and-consumers/smart-grids-and-meters