Privacy and data protection have become increasingly important in recent years, as a growing number of enterprises and startups harvest personal data as part of their business model. One central requirement of the GDPR is the implementation of a data protection impact assessment for privacy-critical systems. However, the law does not dictate or recommend the use of any particular framework. In this paper we compare different data protection impact assessment frameworks. We have developed a comparison and evaluation methodology and applied it to three popular impact assessment frameworks. The result of this comparison shows their weaknesses and strengths, but also clearly indicates that none of the tested frameworks fulfills all desired properties. Thus, the development of a new or improved data protection impact assessment framework is an important open issue for future work, especially for sector-specific applications.