Embedding privacy into the SOTER tools: our approach to Privacy-by-Design

A Privacy Impact Assessment (PIA) is an instrument for understanding privacy and data protection concerns, impacts, and potential risks of any developing (or developed) system, tool, policy, or technology.

Since its emergence, the PIA methodology has been developed into an international standard by the International Standards Organisation (ISO) and has become a recommended method for supporting the enactment of privacy and data protection related design methodologies such as Privacy-by-Design and Data-Protection-by-Design-and-Default.

The SOTER project adopts a ‘PIA+’ approach, as it moves beyond the distinct realm of privacy and data protection, to consider the overarching ethical and social impacts of the SOTER technology as well. This is required to provide a more holistic impact assessment of the technology and to understand broader themes that relate to rights, freedoms, and relationships between individuals, corporations, and Member States.

The PIA+ process forms part of the technical development of the project. The overarching goal is to implement Privacy-by-Design throughout the design and development process, following an agreed-on and accepted methodology.

Integrating Privacy-by-Design

In a previous blog post, SOTER’s integrated approach to cybersecurity was introduced. The project’s dualistic research strategy and the importance of the research outcomes to the European financial services sector were outlined, demonstrating how the project was at the leading edge of current research, at the crux of the ongoing technologically led evolution found within the sector.

Since that initial blog post, work has continued by the consortium as it moves towards a user-centric, privacy-respecting solution designed for the financial services sector and its digital identification and authentication onboarding needs.

In the first phase of the process, Trilateral Research led the risk identification process, working with the consortium to outline some of the high-level privacy risks with the technological platform. In total, four high-level legal risks, four ethical and societal risks, and 27 privacy and data processing risks were identified.

Reaching consensus on complex, nuanced, and sometimes delicate aspects of data processing, data control, as well as privacy and business mandates has required concentration and effort. The identification of risks was the crucial first step – requiring clear communication between partners of the expectations and design goals of the platform. Aligning motives with the overall goals of the European Commission and the focus of the initial research programme call was crucial.

Following this process, the consortium will continue to work towards mitigating the identified risks or to provide a transparent explanation of why certain mitigation steps were not possible to take, whether the reasons stem from existing technological, social, or legal frames. This is relevant because certain high-level ethical and legal issues depend on external developments, such as the proposed Digital ID Act and amendments to the eIDAS regulation, the continued development of the European Blockchain Services Infrastructure and Self-sovereign Identity initiatives, or forthcoming guidelines and recommendations regarding blockchain from the European Data Protection Board.

Working with stakeholders

The privacy impact assessment process also includes the contribution of external stakeholders. This external sounding board allows the consortium to gather feedback, opinion, and perspective on how to better improve the platform, identify issues that have not been noticed or provide guidance on potential solutions, whilst working as a communication tool for wider financial services sector participants.

SOTER’s approach involves cybersecurity and financial service sector experts who provide input into the PIA+ process. This bi-directional PIA+ validation exercise will also include input from the SOTER Ethics Advisory Board, a group of ethics experts whose responsibility is to provide specific guidance and support from data protection, legal, and ethical perspectives. These open avenues help the project move towards a solution that caters for the needs of the sector, whilst respecting the rights and freedoms of the European citizen.
Authors: Robin Renwick and Alan Mac Kenna, Trilateral Research

For more information about SOTER visit the project website and follow us on Twitter and LinkedIn.