Privacy Impact Assessment: Comparing methodologies with a focus on practicality
Tamas Bisztray, Nils Gruschka

TL;DR
This paper compares various data protection impact assessment frameworks to evaluate their practicality, revealing that none fully meet all desired criteria and highlighting the need for improved, sector-specific frameworks.
Contribution
It introduces a systematic comparison methodology and applies it to three popular frameworks, identifying their strengths and weaknesses.
Findings
None of the frameworks fulfill all desired properties.
The comparison highlights specific weaknesses and strengths.
Development of improved, sector-specific frameworks is needed.
Abstract
Privacy and data protection have become more and more important in recent years since an increasing number of enterprises and startups are harvesting personal data as a part of their business model. One central requirement of the GDPR is the implementation of a data protection impact assessment for privacy-critical systems. However, the law does not dictate or recommend the use of any particular framework. In this paper we compare different data protection impact assessment frameworks. We have developed a comparison and evaluation methodology and applied this to three popular impact assessment frameworks. The result of this comparison shows the weaknesses and strengths, but also clearly indicates that none of the tested frameworks fulfill all desired properties. Thus, the development of a new or improved data protection impact assessment framework is an important open issue for future…
