9 research outputs found

    Data Protection and Cybersecurity Certification Activities and Schemes in the Energy Sector

    Cybersecurity concerns have been at the forefront of regulatory reform in the European Union (EU) recently. One of the outcomes of these reforms is the introduction of certification schemes for information and communication technology (ICT) products, services and processes, as well as for data processing operations concerning personal data. These schemes aim to provide an avenue for consumers to assess the compliance posture of organisations concerning the privacy and security of ICT products, services and processes. They also present manufacturers, providers and data controllers with the opportunity to demonstrate compliance with regulatory requirements through a verifiable third-party assessment. As these certification schemes are being developed, various sectors, including the electrical power and energy sector, will need to assess the impact on their operations and plan towards successful implementation. Relying on a doctrinal method, this paper identifies relevant EU legal instruments on data protection and cybersecurity certification and their interpretation in order to examine their potential impact when applying certification schemes within the Electrical Power and Energy System (EPES) domain. The result suggests that the EPES domain employs different technologies and services from diverse areas, which can result in the application of several certification schemes within its environment, including horizontal, technological and sector-specific schemes. This has the potential for creating a complex constellation of implementation models and would require careful design to avoid proliferation and disincentivising of stakeholders. © 2022 by the authors. Licensee MDPI, Basel, Switzerland.

    p-BioSPRE-an information and communication technology framework for transnational biomaterial sharing and access

    Biobanks represent key resources for clinico-genomic research and are needed to pave the way to personalised medicine. To achieve this goal, it is crucial that scientists can securely access and share high-quality biomaterial and related data. Therefore, there is a growing interest in integrating biobanks into larger biomedical information and communication technology (ICT) infrastructures. The European project p-medicine is currently building an innovative ICT infrastructure to meet this need. This platform provides tools and services for conducting research and clinical trials in personalised medicine. In this paper, we describe one of its main components, the biobank access framework p-BioSPRE (p-medicine Biospecimen Search and Project Request Engine). This generic framework enables and simplifies access to existing biobanks, but also allows institutions to offer their own biomaterial collections to research communities, and to manage biobank specimens and related clinical data over the ObTiMA Trial Biomaterial Manager. p-BioSPRE takes into consideration all relevant ethical and legal standards, e.g., safeguarding donors’ personal rights and enabling biobanks to keep control over the donated material and related data. The framework thus enables secure sharing of biomaterial within open and closed research communities, while flexibly integrating related clinical and omics data. Although the development of the framework is mainly driven by user scenarios from the cancer domain, in this case, acute lymphoblastic leukaemia and Wilms tumour, it can be extended to further disease entities.
    Funding: FP7/2007-2013/27008

    Missing Links in the Proposed EU Data Protection Regulation and Cloud Computing Scenarios: A Brief Overview

    No full text
    Applying location-focused data protection law within the context of a location-agnostic cloud computing framework is fraught with difficulties. While the Proposed EU Data Protection Regulation has introduced a lot of changes to the current data protection framework, the complexities of data processing in the cloud involve various layers and intermediaries of actors that have not been properly addressed. This leaves some gaps in the regulation when analysed in cloud scenarios. This paper gives a brief overview of the relevant provisions of the regulation that will have an impact on cloud transactions and addresses the missing links. It is hoped that these loopholes will be reconsidered before the final version of the law is passed in order to avoid unintended consequences.

    Towards a transparent and systematic approach to conducting risk assessment under Article 35 of the GDPR

    This dissertation focuses on the risk assessment carried out as part of a data protection impact assessment (DPIA) under Article 35 of the General Data Protection Regulation (GDPR), particularly Article 35(7)(c). Conventionally, risk assessment is a process of risk management that aims to identify the potential threats against an asset or object of value, analyse the likelihood and severity of the threats and the potential harms if they materialise, and evaluate the risk level with the ultimate objective of implementing measures to mitigate the identified risks. The current data protection framework in the EU has integrated a risk-based approach, requiring that risk assessment be conducted in several situations, including in the course of a DPIA. When this risk management feature is transposed to the context of data protection, the question then is how this process should be appropriately carried out so as to meet the requirements of the data protection law while retaining its risk management characteristics. There is no mandatory methodology under the GDPR for this exercise. Published guidelines on DPIA by the supervisory authorities have not clarified the scope of this core process. In most of these guidelines, for example, there are no clear and systematic criteria for identifying data protection threats, for analysing and evaluating the likelihood and severity of the risk, or for measuring the risk level. This uncertainty undoubtedly affects the use and practical relevance of these guidance documents, as well as the resultant DPIAs that are based on them. Bearing in mind that the GDPR does promote consistency and requires an objective assessment of risk, would the mostly subjective and unsystematic approach to risk assessment be sustainable henceforth? How could more procedural transparency be devised in this exercise, and what impact would it have?
    This dissertation argues in favour of a more uniform and systematic approach to data protection risk assessment and posits that this is feasible to achieve, given that the GDPR contains provisions that can be used to design this risk assessment architecture systematically. Existing risk management tools can be leveraged to accomplish this objective. What is missing, however, is a careful adaptation of these tools to suit the data protection environment. The study further argues that good practices in DPIA should be incentivised as a way of encouraging well-designed and well-implemented risk assessment. This study therefore proposes a method of mapping the ISO 31000:2018 processes to the relevant GDPR requirements for a DPIA and further suggests a methodology for operationalising risk assessment in a systematic way. This approach not only exposes the steps of conducting risk assessment during a DPIA, but also makes it easy to identify and focus on the relevant criteria for completing each step. Theoretically, this translates a DPIA into a procedural ‘tool of transparency’ as advanced by De Hert and Gutwirth’s theory of data protection. In the end, several recommendations are made to relevant stakeholders on how to further achieve consistency in the application of risk assessment during a DPIA. The output of this study targets not only the data controllers and processors, who are eager to find the best method of complying with the DPIA obligation, but also the supervisory authorities, as it will be valuable in their review and audit functions. It also exposes parameters upon which these stakeholders can measure whether a risk assessment has been appropriately conducted. The broader privacy community will find the content of this study interesting in advancing their knowledge.
