An Assisted Methodology to Conduct a Data Protection Impact Assessment

The uptake of digital technologies in our everyday activities today is unlike any time in history. Consequently, the amount of personal data produced and shared is staggering. Indeed, they have become the primary asset for many businesses. While users benefit from online engagement, an increasing number of critics have voiced their privacy concerns. To protect peoples’ fundamental rights concerning processing their personal data, General Data Protection Regulation (GDPR) has been introduced. GDPR requires to conduct a Data Protection Impact Assessment (DPIA) when data processing is likely to result in a high risk to the rights and freedoms of individuals. For example, where the processing may lead to discrimination, damage to the reputation, loss of confidentiality personal data. Therefore, it requires assessing security risks and privacy risks—we learned identifying the latter is not easy even for information security and data protection experts. GDPR is not clear about when and how to conduct a DPIA. Thus, academic works and legal bodies introduced guidelines and tools to help controllers conduct the DPIA. However, these works lack to either provide an assistance, include all steps of the DPIA or be applicable to all domains. These shortages motivated us to propose an assisted methodology to conduct a DPIA. The methodology provides assistance from identifying the required data type for a given data processing to identifying and evaluating privacy and security risks. We have adopted our methodology to conduct a DPIA-compliance risk analysis for OAuth/OIDC-based financial services. That is because of: (1) the growth of open banking, (2) the necessity of deploying appropriate identity management solutions—as stated in PSD2, which requires to respect the GDPR requirement—and (3) the wide usage of OAuth/OIDC identity management solutions that are secure but error-prone. The methodology can also be used for any OAuth/OIDC-based services.