Data Protection Impact Assessment (DPIA)

First version: 2021-05-13
Last updated: 2024-03-07
Last change: Added link to NEN-7510 article.

Introduction

anDREa is committed to the GDPR. The purpose of this document is to describe anDREa’s Data Protection Impact Assessment (DPIA). 
The template used for the DPIA: Sample DPIA template from ico.

This document will be updated at least annually and whenever a significant change occurs in the relevant areas covered.

Data Protection Impact Assessment

Identify the need for a DPIA

Explain broadly what the project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarize why you identified the need for a DPIA.
The myDRE Shared Tenant gives organizations (called Tenants once they have entered into an agreement with anDREa) the opportunity to associate one or more of their Microsoft Azure Subscriptions with the AAD of anDREa.

This makes it possible to deploy Workspaces on the instructions of the Tenant, with at least one person who is mandated by the Tenant and holds an account of the Tenant in the role of Accountable.

A Workspace allows one or more people, not necessarily holding an account of that Tenant, to ingress, process, analyze, and egress data in a safe way.

Describing the process

Describing the nature of the process

How will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or another way of describing data flows. What types of processing identified as likely high risk are involved?
When a person is invited to become a new user of Azure DRE, that user has to agree to the Terms of Service and Privacy Policy before an account is created for that user.

User data (name, email, phone number) will be stored in the AAD of anDREa; this information is provided by other users or the Tenant.

anDREa will not share user data with third parties. See Data Handling Policy.

All data (user data and data in Workspaces), be it of the Shared Tenant or in the Workspaces, is encrypted at rest and in transit and is accessible only on a role basis.

Describing the scope of the processing

What is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?
Data processed by anDREa:
  1. As part of the proposition of anDREa it is important that all relevant user activities are logged. anDREa uses the Assessment Framework for Services to determine what data must be logged.
  2. Data processed is:
    1. name, email and phone number
    2. No special category or criminal offence data is processed
  3. anDREa does not collect more data than it needs or is mandated to
  4. The number of users enrolled on Azure DRE is how many individuals are affected
  5. myDRE users can reside in any part of the world
Data processed by Accountable of a Workspace:
anDREa’s proposition is to provide users the ability to ingress, process, analyze, and egress privacy-sensitive data in a Workspace. anDREa does not know what kind of data resides in Workspaces, and therefore it is assumed that one or more Workspaces will contain highly privacy-sensitive information at any given time. As such, Accountables are responsible for conducting the DPIA for their Workspaces and involving the necessary parties, including but not limited to the DPO of their Tenant.

Describe the context of the processing

What is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?
Data processed by anDREa:
  1. Is that of users of myDRE
    1. All users are 16+ and are considered not vulnerable
  2. The rights of users are stipulated in the Data Protection Policy
  3. anDREa works in accordance with:
    1. ISO 27001
    2. GDPR
  4. anDREa intends to get certified. anDREa is in the process of expanding to work in accordance with:
    1. ISO 9001
    2. NIS2
  5. anDREa has assessed that NEN-7510 is not applicable: NEN-7510
Data processed by Accountable on myDRE:
  1. anDREa ensures that the default Workspace is secure and that no data can be ingressed into or egressed out of the Workspace without explicit membership of that Workspace. Egress requires approval of at least the role Privileged Member; who is allowed to have the role Privileged Member is determined by the Accountable. Any requested or self-service functionality that makes the Workspace workable for the specific situation but might reduce auditability and security requires explicit opt-in from at least the role Privileged Member.
  2. As such, Accountables are responsible for conducting the DPIA for their Workspaces and involving the necessary parties, including but not limited to the DPO of their Tenant.

Describe the purposes of the processing

What do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing for you, and more broadly?
myDRE user data is processed for:
  1. myDRE usage
  2. Demonstrable compliance for anDREa
  3. Demonstrable compliance & risk assessments for Tenants
  4. Demonstrable compliance for Accountable
Accountables and the members in their Workspace process data for:
  1. The purpose as is approved in the organization of the Accountable
  2. The benefits are those of the Accountable and Tenant; anDREa derives no benefit from the processed data

Consultation process

Consider how to consult with relevant stakeholders

Describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organization? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?
The consultation process involves:
  1. CISOs of Tenants
  2. Community representatives
  3. Core Support Team - employees of Tenants
  4. Direct interaction with people having the role of Accountable and Privileged Member
  5. anDREa developers

Assess necessity and proportionality

Describe compliance and proportionality measures

In particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimization? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?
Data processed by anDREa:

For the correct functioning of myDRE and for providing demonstrable evidence of compliance, it is necessary that user interactions with the Azure DRE are logged. Name, email and phone number are necessary for safe and demonstrable evidence of compliance.

Function creep is prevented by the fact that storing data costs money and requires maintenance. Cost reduction of operations is a key metric for anDREa.


Data processed by Accountable on myDRE:
The organization of the Accountable is responsible for safeguarding the lawful basis for the Accountable's processing and what follows from it. This includes but is not limited to ensuring that Data Transfer Agreements are in place when data is given to others, including international transfers.

Identify and assess risks

for anDREa

| ID | Describe the source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary. | Likelihood of harm | Severity of harm | Overall risk |
|----|----|----|----|----|
| 1 | People no longer involved with anDREa can still access anDREa code, Sharepoint, email, Teams of anDREa. | L/M | H | H |
| 2 | Unauthorized access to compute, storage or other resources | M | H | H |
| 3 | Unauthorized physical access to data carriers | L | H | H |
| 4 | Using ‘skeleton’ keys on Azure | L | H | H |
| 5 | Denial of Service attacks | M | H | H |

for Accountable

| ID | Describe the source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary. | Likelihood of harm | Severity of harm | Overall risk |
|----|----|----|----|----|
| 6 | People no longer involved with the Workspace still have access | M | H | H |
| 7 | RDP brute force attacks on VMs used | M | H | H |
| 8 | Unauthorized physical access to data carriers | M | H | H |
| 9 | Using ‘skeleton’ keys on Azure | L | H | H |
| 10 | Denial of Service attacks | M | H | H |

Identify measures to reduce risk

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in the step Identify and assess risks.

for anDREa

| ID | Options to reduce or eliminate risk | Effect on risk | Residual risk | Measure approved |
|----|----|----|----|----|
| 1 | anDREa has an active policy to revoke access based on least-privilege. Access of people no longer involved in anDREa will be revoked within 5 working days. | H | L | Yes |
| 2 | 1. Active monitoring on deviations; 2. Username, password, 2FA; 3. Access-on-demand for critical resources (RDP, AAD) | H | L | Yes |
| 3 | anDREa employees are required to undergo an Information Security and data protection training and work according to A.6.2 Mobile Devices and Teleworking policy. | H | L | Yes |
| 4 | MFA protection and monitoring | H | L | Yes |
| 5 | 1. 24/7/365 active monitoring; 2. Pentest | H | L | Yes |

for Accountable

| ID | Options to reduce or eliminate risk | Effect on risk | Residual risk | Measure approved |
|----|----|----|----|----|
| 6 | Accountable / Privileged Members revoke self-service access of members no longer involved in the work | H | L | H |
| 7 | 1. VM access requires IP-address whitelisting; on-prem this is the default, off-prem this can only be done after using 2FA; 2. 24/7/365 monitoring; 3. By default a VM is deallocated around 19:00 CET; upon restart a new public IP is given | H | L | H |
| 8 | 1. Windows Defender is standard up-to-date in the VMs; 2. 30 day rolling 24h snapshot | H | L | H |
| 9 | 1. Outbound only; 2. Easy to turn on/off rule; 3. Clear warning before the rule can be turned on | M/H | L | H |
| 10 | 1. Default workspace is through an authorization Workflow; 2. Alternatives (e.g. via outbound open port) are accompanied with clear formulation of risks and have to be accepted before they become active | M/H | L | H |

Sign off and record outcomes

| Item | Name | Date |
|----|----|----|
| Measures approved by: | Stefan van Aalst, CTO anDREa | 2020-08-17 |
| Residual risks approved by: | Stefan van Aalst, CTO anDREa | 2020-08-17 |
| DPO* advice provided by | Stefan van Aalst, CTO anDREa | 2020-08-17 |

*anDREa is not required to have a DPO

Summary of DPO* advice:

User account data is well protected from a privacy point of view as intended by the GDPR.

As for myDRE users:
  1. As long as the users keep to the Terms of Service
  2. The Azure DRE Shared Tenant Workspaces provide an equal and usually the best alternative
  3. To ingress, process, analyze, and egress data that are privacy sensitive in nature
  4. With tooling of the user's choosing
  5. In collaboration with externals if required
  6. With relevant logging as demonstrable evidence for compliance
