Privacy requirements for IT systems and solutions arise from a variety of sources, including legislation, sector-specific regulation, organisational guidelines, social and user expectations. In this paper we present and discuss a holistic approach to the management of privacy - explored in the context of the EnCoRe project - which takes into account the need to deal with these different types of policies, at different levels of abstraction as well as risk assessment methods to assess them based on specific threats, needs and constraints. We discuss examples of privacy requirements and related policies coming from different sources. We then present how a 'privacy- aware risk assessment' approach (which leverages and extends traditional security-driven risk assessment approaches) can be used to analyse these policies, assess their compliance to requirements, identify gaps and mandate the adoption of specific controls. We explain its relevance and implications in an employee data case study, involving the management of privacy consent and revocation. This is work in progress, carried out in the context of the EnCoRe collaborative project [1].
PDF
download
878987797
028-85220240
