Olga Gkotsopoulou, Research Group on Law, Science, Technology and Society, Vrije Universiteit Brussel
The H2020 Cyber-Trust project (agreement No 786698) aims to foster a holistic and novel cyber-threat intelligence gathering, prevention, detection and mitigation platform, to secure the complex and ever-growing smart infrastructure, used by millions of people daily. The project consortium follows the latest technical innovations as well as best practice in the field, observing developments in the applicable legal and regulatory framework and investigating other ethical and societal considerations. In this regard, from its conception, the Cyber-Trust project has established an impact assessment mechanism, with particular focus on data protection and privacy, as a cross-disciplinary exercise among its partners consisting of seven consecutive and strongly connected procedural steps. The mechanism corresponds to a data protection impact assessment as enshrined in Article 35 of the EU General Data Protection Regulation (GDPR) but given the complexity of the goal to be achieved, the consortium enhanced the procedure with elements of wider impact assessments including broader ethical and societal considerations.
The procedural steps intertwine with each other, creating a net of information flows inside the consortium, useful for decision and policy making, and a knowledge hub for potential stakeholders who in the future may wish to deploy the system. The article will not present the actual analysis steps that are expected to take place during an impact assessment. As a context-dependent process, this can only be defined in case-by-case settings. Moreover, there is a lot of guidance concerning the substance of an impact assessment. The Article 29 Working Party has published guidelines on Data Protection Impact Assessment to enable the common interpretation of Article 35 GDPR. National Supervisory Authorities of EU Member States have also published guidelines and templates to assist data controllers, data processors as well as researchers and manufacturers in documenting and assessing on-going, planned or envisaged data processing operations. For instance, the French authority (CNIL) has a repository with guidance on its website and even dedicated software. The Brussels Laboratory for Data Protection & Privacy Impact Assessments at the Vrije Universiteit Brussel has additionally published a series of briefs on the data protection impact assessment process in different languages, providing interactive templates. In principle, a specific methodology is not prescribed in the GDPR. This allows organisations to use any framework or methodology, as long as it “describes the nature, scope, context and purposes of the processing; assesses the necessity, proportionality and compliance measures; identifies and assesses risks to individuals; and identifies any additional measures to mitigate those risks.”
Instead, this article explores the meta-elements of an impact assessment, what we call the procedural aspects, before, during and after. In other words, how the procedure of the impact assessment is organised and takes place inside the Cyber-Trust project. This article brings together all the experience gained and lessons learnt so far. The structural scheme used in the Cyber-Trust project can serve as a basis for other research project consortia which develop innovative solutions in the field, or as a starting point for discussion as to how to improve and eventually standardise such a procedure.
Step 1: Establishing the legal and regulatory framework at the start of the project
The Cyber-Trust consortium is rather inter-disciplinary. Its partners come from academia, business and public administration and carry with them different backgrounds and experiences in tech, cybersecurity, policy, law, ethics, industry, trade, telecommunications and law enforcement. Therefore, the first step is to bring all these partners to reflect upon the context in which a) the Cyber-Trust research will take place and b) the future Cyber-Trust system will be deployed. In the first few months of the project (first semester) and during the system conceptualisation, the partners thoroughly explored the impact of the legal and regulatory framework based on the initial project concept. They did so by studying the EU regulatory framework and the national laws applicable in the countries where the partners are based, which are of utmost importance in case of a future release of the system. In the Cyber-Trust context, i.e., in the cybersecurity context, what was particularly reviewed were the data protection and privacy laws, laws governing telecommunications, laws in relation to evidence with particular focus on electronic evidence, regulation in relation to cybercrime, and ad-hoc regulation or policy guidelines with respect to specific technologies deployed during the project (DLT systems, machine learning, etc.). This study led to two written reports, establishing basic concepts and building up to more complex and niche discussions. At this stage, other legal and ethics requirements were also settled by the consortium, for instance the involvement or appointment of data protection officers per participating entity, as well as the preparation of templates, such as informed consent forms and information sheets for participation in research and the processing of personal data, whenever necessary. Those requirements would differ from project to project.
Step 2: First wide consultation among partners to define together the way forward
At the beginning of the second semester, and after the partners had thoroughly studied the legal and regulatory framework, the first consultation among all technical partners took place. The key partners were identified with the help of the Project Coordinator and the Technical Manager. Those partners were invited to complete a brief questionnaire about the concept of the component they were developing. The main aim was to get a first impression of the desired design and to gather the concerns or questions that had emerged from the study of the legal and regulatory framework. The result of this consultation was the drafting of a first set of general and more concrete recommendations to assist key partners further with their concepts and designs. During this period, a number of ad-hoc bilateral meetings took place. This process coincided with the discussions about the initial architecture, and the partners explicitly assessed and confirmed the need for an impact assessment. At this stage, the partners also proposed the impact assessment methodology and established its reporting procedure.
Why an impact assessment at all?
With the entry into force of the General Data Protection Regulation in 2018, Data Protection Impact Assessments (or in short, DPIAs) became a legal requirement for data controllers regarding specific data processing operations in some contexts. Impact assessments are not new. Organisations have for years been performing privacy impact assessments, impact assessments from a societal or ethical point of view, or even assessments with a particular focus. A DPIA refers to the development or deployment of a new system, product or process and the respective processing of personal data, for instance in a large-scale or novel manner. DPIAs allow data controllers or manufacturers to identify risks well in advance and explore risk mitigation strategies.
A DPIA was considered necessary in the Cyber-Trust context, apart from the fact that it was part of the project’s contractual obligations, briefly for two reasons:
- with regard to the intended processing after the research, in case the system is marketed: as is the case with many cybersecurity systems, when fully operational and deployed, personal data processing may take place on a large scale. This processing will quite often occur with the use of innovative technological solutions. In the Cyber-Trust project, novel technologies include the use of machine learning, Artificial Intelligence and Distributed Ledger Technologies, and aim to create a system beyond the current state of the art. Such technologies can involve novel forms of data collection and usage, which may entail a high risk to individuals’ rights and freedoms. In addition to that, the system has a complex constellation of engaged actors (users and end-users), ranging from multiple data subjects to telecommunication providers and Law Enforcement Agencies.
- with regard to the intended processing during the research: regarding a particular system component which consists of an AI-powered web crawling tool, with little human influence over the choice of websites and links to be accessed, the partners assessed that the possibility of crawling personal data from publicly available sources, even instantly, is not remote. Even though in the Cyber-Trust context the purpose of crawling is neither the identification and profiling of individuals nor the collection of personal data as such, in the Guidelines of the European Commission concerning ethics and data protection in Horizon 2020 projects, the use of web crawling is considered as raising ethical concerns and thus a DPIA is listed as an appropriate tool for the identification of risks and of potential mitigation measures.
Step 3: Carrying out, completing and reporting about the impact assessment
In parallel with the intense negotiations for the finalisation of the system architecture, the partners engaged in an extensive dialogue about how best to incorporate the recommendations provided at Step 2 into their envisaged work. The partners were again invited to complete, in writing, individual tailor-made questionnaires for their components, assessing each of them separately but also in the context of the overall system. In practice, the partners were encouraged to elaborate further on their initial concerns and questions, as well as to explicitly state the benefits of the proposed solutions.
Those questionnaires included open questions common to all the components, as well as specific questions tailor-made for particular components. This exercise consisted of two steps: first, the partners described the component they develop, their research needs and the data processing operations they plan, and explained how they aim to remain compliant during the project, looking at the requirements of each data protection principle; second, the partners demonstrated how they envisage their component to correspond in general to data protection principles, in case of possible future commercialisation. In other words, the assessment referred to: a) the intended data processing which would take place during the project; and b) the intended data processing of a novel technological system which is likely to be used by different data controllers to carry out different processing operations.
Due to the disciplinary variance, the partners also created a vocabulary of often-used terms (for instance, what a data subject is, what the difference is between the right to privacy and the right to data protection, etc.). The consortium was invited to consider which information to collect and why, whether that information includes any personal data and why those data are necessary for the purpose they have in mind, under which legal basis, and for how long they plan or envisage to store those data.
Timing, precision and flexibility are key here: although partners were provided with initial questionnaires, through continuous interaction some questions were refined and new questions were added or dropped. All questionnaires made clear from the start, in consultation with the Technical Manager and the Project Coordinator, who was in charge of providing a response; in other words, the technical partners having a leading role in the design of a particular data processing operation and the non-technical partners who should be consulted due to the weight of their expertise in the project. On some occasions, partners were encouraged to consult external experts, users, end-users and the Data Protection Officers of their organisations.
Depending on the system in question (as will often be the case for cybersecurity systems), the procedure of mapping all the data processing operations, from the user interface to all the backend sources and databases, may be dynamic, lengthy, highly collaborative, rather interactive, intense and resource-demanding. This is why it is advised to initiate it as soon as possible and in any case before the intended processing. It is to be noted that this procedure is not a one-time exercise but a living instrument, which takes place continuously and in parallel with the planning, development, validation and actual implementation phases.
The outcome of this process in the Cyber-Trust case was a written report, which consisted of summaries of all partners’ responses and additionally a list of expected benefits of the system, a set of guidelines per component, a data processing matrix per component, and a risk assessment matrix per component and for the overall project. The full questionnaires as filled in by the partners were also added as an Annex at the end of the written report, in line with transparency requirements, in case partners wish to look up a clarification or details not included in the main analysis.
Step 4: Workshop to discuss and validate the impact assessment outcomes
After the completion of the first impact assessment and the publication of the outcomes, an ad-hoc workshop was organised in plenary to discuss the impact assessment outcomes and draw the attention of the key decision makers inside the consortium. The primary aim of the workshop was to reflect upon and clarify common misconceptions that were observed during the impact assessment procedure, to recall the legal and ethical requirements and ultimately to examine the substantive scope and outcomes of the first impact assessment and evaluate its procedural aspects. The workshop was also the starting point for the preparation of the subsequent review of the impact assessment, to be completed at the end of the project, and coincided with the preliminary deliberation of the system workflows.
Step 5: Continuous communication during the development
Communication is actively encouraged in Cyber-Trust, and both technical and non-technical partners, thanks to the Project Coordinator’s diligence, have established multiple channels for the discussion of questions or concerns. From the beginning of the project and throughout its whole duration, the partners have been participating in regular managerial and technical meetings. The technical partners observe sectoral developments and keep track of best practice and recommendations by the European Union Agency for Cybersecurity (ENISA). The legal partners further follow the legal and regulatory developments at both EU and national level and provide updates when a change in a law with a potential impact on the Cyber-Trust system occurs, or new case law emerges. Multiple discussions among individual partners, the Technical Manager and the Project Coordinator have further led to the drafting of collective papers and books investigating inter-disciplinary topics of global interest. Such topics include but are not limited to: data protection by design for cybersecurity systems in smart homes, privacy-preserving mechanisms in Distributed Ledger Technology systems, privacy and data protection issues in the Internet of Things ecosystem, and so forth. Those initiatives not only improve the understanding of the consortium on complex issues, but additionally advance debates in the field, mobilising the attention of researchers, stakeholders and citizens through the organisation of public seminars and events, as well as forming synergies with other research projects. Moreover, an important element in the Cyber-Trust project is that, in order to ensure that the impact with respect to the legal and regulatory framework will be effectively taken into consideration, the consortium has additionally established a number of so-called ‘legal and ethics’ Key Performance Indicators (KPIs). For example, the partners have to work towards the realisation of a specific KPI which requires a minimum number of privacy-preserving measures the system should include by default.
Step 6: Check before the pilot phase
Before the pilots (and before each pilot phase), key partners were invited to perform a final check that all conditions in relation to compliance were met. This includes having important documentation readily available, such as research participant information sheets and consent forms, resuming and completing communication with their Data Protection Officers or Ethics committees, and obtaining any necessary permissions or authorisations. Another important element is for the partners to review and, if necessary, update the anticipated data flows.
Step 7: Review and second assessment report
Near the end of the project life cycle, a review of the impact assessment report is planned. The aim of the review is to assess the efforts of the partners to incorporate the outcomes of the first impact assessment during the design and actual implementation in pilot-testing, to conduct a comparative risk assessment based on the initial risk assessment matrix, and to reflect upon any new issues which may have emerged due to technical or regulatory updates in the time between the first and the second report. During the review, given the maturity of the pilot results, the consortium will first examine whether more components (compared to the first report) should be assessed, or whether components which were excluded from the first report should now be assessed. During the review, the consortium will also aim to address issues reported during Step 4, for instance further improving the understanding between the technical and non-technical partners by expanding the established glossary and optimising the assessment methodology. Targeted, shorter, tailor-made questionnaires will be used again at this stage, and bilateral discussions with the partners will take place. The results will be compiled in a written report which, along with the technical documentation, will accompany the final Cyber-Trust platform in case of potential marketing. This documentation will permit interested stakeholders and future data controllers to understand the benefits and risks of the platform and to perform their own assessment, having a solid basis as a starting point.
To sum up, even though structures for an impact assessment may show similarities, for the most part they remain tailor-made for each project or system and its particular needs, as well as for the decision making they correspond to. The same goes for the procedural aspects. As we saw, the procedural aspects of an impact assessment are as important as its substance with regard to its effective and efficient completion and regular review. Here we presented the procedural approach adopted by the Cyber-Trust project, which constitutes a complex cross-disciplinary system with diverse beneficiaries, broken down into seven steps. Of paramount importance is planning ahead and starting early enough, including a first outline even in the research proposal. Then, as this is a horizontal procedure, the proper tools and mechanisms (e.g., questionnaires, repositories, software, glossaries, reports) should be identified and used to keep the consortium informed and engaged throughout the project life cycle. In the long term, impact assessments can have further benefits, including broader compliance, assistance with demonstrating accountability, and enhanced trust towards individuals and users.