2014 Dpia Smart Grids Forces

This document provides a template and guidance for conducting a Data Protection Impact Assessment (DPIA) for smart grid and smart metering systems. It outlines an 8-step process for performing a DPIA, including pre-assessment, initiation, risk identification, risk assessment, risk treatment, documentation, and review. Key stakeholders in smart grid systems like data protection authorities, grid operators, energy companies, and consumers are also discussed. The goal is to help organizations identify and address privacy risks in smart grid technologies through a structured DPIA process.

Smart Grid Task Force 2012-14

Expert Group 2: Regulatory Recommendations for Privacy, Data Protection and Cyber-Security in the Smart Grid Environment

Data Protection Impact Assessment Template for Smart Grid and Smart Metering systems

18.03.2014
Table of Contents

1. Introduction
1.1. Background and Motivation
1.2. Purpose of the DPIA
1.3. Scope of the DPIA
1.4. Stakeholders
1.4.1. The role of the Data Protection Authority
1.4.2. Smart grid operator
Transmission System Operators
Distribution System Operators
Energy Generators (Producers)
Energy Market Suppliers
Metering Operators
Energy Service Company
1.4.3. Consumer
1.5. Benefits of performing a DPIA
1.6. Carrying out the DPIA
1.7. The result
1.8. Success factors
2. Guidance for execution of the DPIA
2.1. Step 1 - Pre-assessment and criteria determining the need to conduct a DPIA
2.1.1. Criterion 1 – Personal data involved
2.1.2. Criterion 2 – Data controller/data processor
2.1.3. Criterion 3 – Impact on rights and freedom
2.1.4. Criterion 4 – When to perform a DPIA (right timing and motivation)
2.1.5. Criterion 5 – The nature of the system/application exercise
2.1.6. Criterion 6 – Legal basis and public concern
2.1.7. Other criterion
2.1.8. Documented conclusion
2.2. Step 2 - Initiation
2.2.1. Organisational requirements for conducting a DPIA
2.2.1.1. Purposes to execute the DPIA
2.2.1.2. The DPIA team
2.2.1.3. The resources
2.3. Step 3 - Identification, characterisation and description of Smart Grid systems/applications processing personal data, including data flows
2.3.1. The use case
2.3.2. System information
2.3.3. Description of primary and supporting assets of the system
2.4. Step 4 - Identification of relevant risks
2.4.1. Introduction
2.4.2. Threat identification for each feared event
2.5. Step 5 - Data protection risk assessment
2.5.1.1. Impact of feared events
2.5.1.2. Likelihood of threats
2.5.1.3. Final risk level / value and priority
2.6. Step 6 - Identification and recommendation of controls and residual risks
2.6.1. Assessment of implemented and planned controls
2.6.2. Risk treatment
2.6.3. Residual risks and risk acceptance
2.6.4. Resolution
2.7. Step 7 - Documentation and drafting of the DPIA report
2.8. Step 8 - Reviewing and maintenance
3. Questionnaires
3.1. Step 1 - Pre-assessment and criteria determining the need to conduct a DPIA
3.1.1. Criterion 1 – Personal data involved
3.1.2. Criterion 2 – Data controller/data processor
3.1.3. Criterion 3 – Impact on rights and freedom
3.1.4. Criterion 4 – When to perform a DPIA (right timing and motivation)
3.1.5. Criterion 5 – The nature of the system/application exercise
3.1.6. Criterion 6 – Legal basis and public concern
3.1.7. Other criterion
3.2. Step 2 - Initiation
3.3. Step 3 - Identification, characterisation and description of Smart Grid systems/applications processing personal data
3.3.1. What is the detailed description of the Smart Grid program/change according to the M/490 Smart Grid Coordination Group use case template?
3.3.2. What are the main scenarios of the Smart Grid use case?
3.3.3. Who are the main actors of the system?
3.3.4. How can the use case be mapped to a Smart Grid Business and ICT architecture (e.g. M/490 SGAM)?
3.3.5. To which Smart Grid objective does the use case refer?
3.3.6. What are the primary and supporting assets of the smart grid?
3.4. Step 4 - Identification of relevant risks
3.4.1. Data protection threat identification
3.4.1.1. Threats that may jeopardize confidentiality
3.4.1.2. Threats that may jeopardize integrity
3.4.1.3. Threats that may jeopardize availability
3.4.1.4. Threats that may jeopardize personal data
3.4.1. Data protection threat identification - Outcome of the questionnaire
3.5. Step 5 - Data protection risk assessment
3.6. Step 6 – Identification and recommendation of controls and residual risks
Glossary of terms and abbreviations
Annexes
Annex I – Privacy and data protection targets
Annex II – List of possible controls
Bibliography

1. Introduction

1.1. Background and Motivation


“A smart grid is an electricity network that can cost efficiently integrate the behaviour and actions of all
users connected to it – generators, consumers and those that do both – in order to ensure an
economically efficient, sustainable power system with low losses and high levels of quality and security
of supply and safety”1.

A smart grid is supported by a communications network that collects and processes an increasingly high
quantity of sensing data and makes it available to entitled stakeholders and systems. This data is
collected from everywhere in a Smart Grid infrastructure, which includes consumers’ homes and
possibly, electric vehicles. Smart metering systems are therefore included in this smart grid definition.

The use of smart grids and smart metering systems thus creates new risks for data subjects, with potential impact in different areas (e.g. price discrimination, profiling for behavioural advertising, taxation, law enforcement access, household security). These risks were previously not present in the energy sector and were more typical of other environments (telecoms, e-commerce and Web 2.0).

Smart metering is also among the first widespread applications that foreshadow the future of ‘the
Internet of Things’. The risks posed by the collection and availability of detailed energy consumption data
are likely to increase in the future considering the increasing availability of data from other sources, such
as geo-location data, data available through tracking and profiling on the internet, video surveillance
systems, and radio frequency identification (RFID) systems, with which smart metering data can be
combined.

In February 2012, the mandate of the Smart Grid Task Force (SGTF) was renewed for two years. EG2 is one of the four Expert Groups of the SGTF and is responsible for regulatory recommendations for privacy, data protection and cyber-security in the smart grid environment.

Regarding privacy and data protection, the mandate of EG2 defined by the SGTF is to provide a Smart Grid Data Protection Impact Assessment (DPIA) template. A first template was submitted on 8 January 2013 to the Article 29 Working Party (WP29) for consultation2, according to point 5 of the Recommendation adopted by the Commission on the roll out of smart metering systems3. The WP29 issued its opinion on 22 April 2013, recommending a series of changes and improvements needed for the template to be satisfactory.

1 Smart Grid Task Force Mandate. Brussels: European Commission, 2011.
2 http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp205_en.pdf
3 Commission Recommendation of 9 March 2012 on preparations for the roll out of smart metering systems (2012/148/EU). European Commission. 2012, Official Journal of the European Union.

A second DPIA template was submitted on 20 August 2013 to the WP29 for consultation. On 4 December 2013 the WP29 issued a second opinion4, recognising the work carried out by Expert Group 2 and noting that the second version of the template constitutes a considerable improvement with respect to the previous version, especially with regard to the methodology used. The WP29 also provided complementary recommendations which will contribute to the successful deployment and use of the template.

This third version of the DPIA template has been prepared by an editorial team which has constructively addressed the latest WP29 recommendations, and was finalised by the EG2 members on 10 March 2014.

1.2. Purpose of the DPIA


The purpose of this document is to provide guidance on how to perform a Data Protection Impact Assessment (DPIA) on Smart Grid and Smart Metering systems.

The DPIA will help organisations that initiate or already manage smart grid deployments, as well as those introducing changes to existing smart grid architecture platforms, to identify and assess the privacy risks of these initiatives. In this way, organisations can take adequate measures to reduce these risks and thereby reduce the potential impact on the data subject, the risk of non-compliance, legal action and operational risk, or gain a competitive advantage by providing trust.

As such the DPIA shall be considered as complementary to, or part of, a wider risk management process
an organisation has to implement and perform. Indeed, although it is called an “assessment”, the DPIA
goes beyond the simple analysis of data protection risks, by describing adopted or envisaged safeguards
and control measures in proportion to the risks identified, thereby being based on a risk management
procedure rather than a mere risk assessment.

1.3. Scope of the DPIA


Privacy is a term that has received many interpretations over time, and often means different things in
different contexts. A variety of definitions can be found and each culture and even each person has
different expectations as to what constitutes an invasion of privacy. In the context of this document, the
DPIA definition includes the fundamental rights defined in Articles 7 and 8 of the European Union
Charter of Fundamental Rights (the 'Charter') 5; respectively the right to privacy and the right to the
protection of personal data. It should be noted that the template is related to the protection of personal
data as defined in Directive 95/46/EC.
It should also be noted that data security (including cyber security) needs to be implemented in order to
holistically ensure data protection.

4 http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp209_en.pdf
5 http://www.europarl.europa.eu/charter/pdf/text_en.pdf

Cyber security aims at safeguarding the confidentiality, integrity and availability of information assets that support vital physical assets (such as the electricity grid) against attacks, malware etc., which would otherwise disrupt the delivery of electricity.

By conducting a DPIA the following goals will be achieved:

- A DPIA should describe the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with Directive 95/46/EC.
- A DPIA should also help national Data Protection Authorities assess the compliance of the processing and, in particular, the risks for the protection of personal data of the data subject and the related safeguards, when data controllers consult them prior to data processing, as provided for by the Commission Recommendation6. DPIAs, thus, should also assist the data controller in demonstrating compliance with Directive 95/46/EC7.

1.4. Stakeholders
This part describes all the possible stakeholders involved in or affected by a DPIA. The list of possible smart grid operators (see section 1.4.2) has been established based on an updated version of the list established during the first mandate of the EG28. Considering the very dynamic environment of the energy sector, this list should be considered as indicative and non-exhaustive. It will be updated on a regular basis by the European Commission.

1.4.1. The role of the Data Protection Authority


The Data Protection Authority is an important stakeholder when performing a DPIA. The DPIA report
shall be prepared so that a Data Protection Authority (DPA) is able to monitor and oversee the
processing of personal data, with strict respect for human rights and fundamental freedoms and
guarantees as enshrined in the EU regulatory framework.
The DPIA report is provided without prejudice to the obligations set forth in Directive 95/46/EC for data
controllers, most notably the independent obligation to notify the competent authority as described in
section IX of Directive 95/46/EC.

The DPIA should have a clear description of all the smart grid actors, components and interactions so
that the DPA is able to clearly identify the sensitivity of information being exchanged as well as all
privacy-related concerns. When analysing a DPIA, the Data Protection Authority should be able to verify
all identified risks and evaluate if correspondent controls are adequate for mitigation or minimization of
the identified risks.

6 This recommendation is without prejudice to a legal obligation for prior checking in Member States, according to the characteristics of the processing operations.
7 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, p. 31.
8 Chapter 5, page 11 of EXPERT GROUP 2: REGULATORY RECOMMENDATIONS FOR DATA SAFETY, DATA HANDLING AND DATA PROTECTION (see http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/expert_group2.pdf).

Data Controllers are encouraged to establish their duty to notify DPAs under their national law. DPIA
Reports are likely to be beneficial to Data Controllers in preparing their notifications.

1.4.2. Smart grid operator


By executing the DPIA, the Smart Grid operator will be able to prevent the following:

- Failure to comply with the relevant privacy and data protection legislation, resulting in a breach of the law and/or negative publicity;
- Stimulating public awareness or loss of credibility as a result of a perceived loss of privacy or a failure to meet expectations with regard to the protection of personal information;
- A need for systems to be redesigned.

In addition, the DPIA will contribute positively to a dialogue with the Data Protection Authority.

Under the term “smart grid operator” the following actors can be found:

Transmission System Operators


Transmission System Operators (TSOs) manage the very-high-voltage grid such as 400 kilovolt (kV) or 225
kV.

The term TSO is defined in the Electricity Directive (2009/72/EC) as a “natural or legal person responsible
for operating, ensuring the maintenance of, and, if necessary, developing the transmission system in a
given area and, where applicable, its interconnections with other systems, and for ensuring the long-
term ability of the system to meet reasonable demands for the transmission of electricity.”

Transmission ownership is decoupled from retail and generation of energy to ensure non-discriminatory
access. High-voltage grids connect all regional electricity grids with each other and with the European
power grid. Besides managing the high voltage grid, TSOs also monitor the reliability and continuity of
the national electricity retail. Therefore, the TSO is responsible for correcting the imbalance in demand
and supply in the electric power system. The TSO shall retail the balancing energy from the balancing
service provider in case of shortage or surplus of electricity in the system.

In current and envisioned models9 it is not expected that a TSO will be involved in the processing of
personal data originated from smart grids or smart metering.

Distribution System Operators


Distribution System Operators (DSOs) are responsible for energy distribution in high voltage (usually
below 60 kV), medium voltage (usually between 1 kV and 30 kV) and low voltage grids.

The term DSO is defined in the Electricity Directive (2009/72/EC) as “a natural or legal person responsible for operating, ensuring the maintenance of and, if necessary, developing the distribution system in a given area and, where applicable, its interconnections with other systems and for ensuring the long-term ability of the system to meet reasonable demands for the distribution of electricity”.

9 The Expert Group 3 of the Smart Grid Task Force defined three possible models which can be found here: http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/xpert_group3_first_year_report.pdf.

In most European markets the role of a DSO includes being the data hub for metering data; this role will
be extended by the task to manage an active power grid network that interacts with Renewable Energy
Source (RES) and Distributed Generation (DG).

DSOs are, or will be, involved in the processing of personal data originating from smart grids or smart metering for the following reasons:

- DSOs will have detailed information on the status of network components, generators connected to the network and energy flows throughout the network. This includes secure remote reading of resident consumers’ metrological register(s) for all information needed for network management and quality of supply management. This information should be shared as needed to fulfil regulated duties with service providers like DG operators and aggregators.

- To avoid network congestion, local load management can reduce impacts on higher voltage levels. Local load management can also be used to enhance (local) demand response in case of relatively large uncontrollable DG. Based on their ICT systems for active network management and automatic meter reading, DSOs should develop these capabilities.

- In distribution, with massive deployment of ‘conventional’ DG and future ‘in house’ micro generation, the DSO role will gradually shift from distributing power on a top-down basis to a role in which maintaining voltage quality and balance is central while electricity flows in both directions.

The actual implementation of this hub is dependent on the national market model which in most
member states will foresee a central role for the DSO.

Energy Generators (Producers)


Today, bulk power generators are responsible for supplying the major share of the load and for supplying ancillary services: frequency control, voltage control, black start and reserve capacity. This role will not change in general, but with an increasing share of distributed generation, the responsibility of distributed generation in contributing to power grid stability and operational security will progressively increase.

The move towards decentralised energy production has many benefits, including the utilisation of local
energy sources, increased local security of energy supply, shorter transport distances and reduced
energy transmission losses. Such decentralisation may ideally foster community development and
cohesion by providing income sources and creating jobs locally.

Energy generators will be involved in the processing of personal data originating from smart grids or smart metering for the following reason:

In a smart grid environment, it is expected that decentralised energy producers may need access to the consumption data of neighbouring consumer(s), either to supply an area islanded from the grid or to improve voltage quality by adjusting production to neighbouring consumption.

Energy Market Suppliers


Energy market suppliers are responsible for supplying consumers with their energy, for procuring that
energy from their own sources and/or the wholesale market, for billing and serving consumers. In many
Member States, such as the UK, energy suppliers are also responsible for the management of debt, for
preventing and detecting theft or fraud and for providing energy efficiency advice measures and services
to consumers, as well as other forms of assistance to consumers, such as in paying their bills.

Energy Market Suppliers will be involved in the processing of personal data originating from smart grids
or smart metering for the following reasons:

- Handling of billing data.

- Management of debt, preventing and detecting theft or fraud.

- Providing energy efficiency advice services.

Metering Operators
The Metering Operator (MO) is the entity which offers services to install, maintain and operate metering equipment related to supply. This role might be split further into two entities: one responsible for managing the meter and another for managing the metering data. In most EU Member States, the DSO is also the MO. Where there is a specific contractual basis, the contract is mostly with the DSO, but may be with the consumer or the energy market supplier. The meter may be rented to, or owned by, the consumer.

Metering operators will be involved in the processing of personal data originating from smart grids or
smart metering for the following reasons:

- Energy suppliers or independent companies can be responsible for reading meters and managing the metering infrastructure used by their consumers.

- Metering operators and energy suppliers may need to obtain consumption information about their consumers via the metering infrastructure, with consumer consent, to deliver these data to other market participants.

- DG may acquire data on energy produced and delivered to the power grid via the smart metering infrastructure.

Energy Service Company


Energy Service Companies (ESCos) or energy service providers provide energy-related services, e.g. energy savings advice, energy conservation, energy infrastructure outsourcing, power generation and energy supply and risk management.

ESCos, initially introduced in Directive 2006/32/EC, are defined in the Directive on Energy Efficiency (2012/27/EU) as “a natural or legal person who delivers energy services or other energy efficiency improvement measures in a final consumer’s facility or premises”.

Energy Service Companies will be involved in the processing of personal data originating from smart
grids. The access and processing of the consumers’ data will be based on consent in principle, e.g. given
when entering a contractual agreement with the ESCo.

1.4.3. Consumer
Consumers are potential beneficiaries of the execution of a DPIA, as their data protection rights may be
better served. They do not benefit from the assessment itself, but from the actions that may be
implemented after the DPIA should its report identify shortcomings.
The role of the consumer is rather passive during the execution of the DPIA, unless his/her views are
actively requested throughout the process. When a consumer is actively involved in this process, he or
she may be better informed, and this dialogue could positively contribute to the acceptance and
deployment of the smart grid.

Depending on their characteristics, consumers could be classified into one or more of the following
categories:

 Industrial consumers: large consumers of electricity in an industrial or manufacturing sector.
These consumers may be involved in contract-based Demand/Response.

 Building owners: owners of a private or business building may also be involved in contract-based
Demand/Response.

 Residential consumers: residential consumers of electricity (including agricultural users), who
may be involved in contract-based Demand/Response. Within this general group, there will be
vulnerable consumers, or consumers who are in vulnerable circumstances, who may be at greater
risk of being adversely impacted by a loss of privacy.

The transition towards a decentralised energy concept reflects at least two ‘new’ types of home
consumer:

 Consumers without the option of producing energy but with a potential to save energy. This will
be achieved by optimisation of the home infrastructure or by means of smart living concepts.

 ‘Prosumers’ with decentralised generation (DG). The producing consumer acts as an
entrepreneur and may use his DG resources by contracting his energy generation to
service providers that pool their DG. Alternatively, he can act as a micro or individual power
producer (MPP or IPP) on the basis of a contract with the local DSO.

Whether responsible parties other than the DSO (or, in some countries such as the UK, the consumer's energy
supplier) should have access to a consumer's specific energy usage data at a granularity finer than
monthly/yearly (e.g. interval data, such as hourly readings) should be validated by consumer consent. In this
context it may also be necessary for both the kind and the amount of data shared with those other parties to
be controlled by the consumer.

1.5. Benefits of performing a DPIA

There are a number of important benefits to performing a DPIA. The following benefits are
identified when using this DPIA:

 Preventing costly adjustments in processes or system redesign by mitigating privacy and data
protection risks early.
 Preventing the discontinuation of a project through early understanding of the major risks.
 Reducing the likelihood and impact of regulatory enforcement and oversight involvement.
 Improving the quality of personal data (minimisation, accuracy).
 Improving service and operation processes.
 Improving decision-making regarding data protection.
 Raising privacy awareness within the organisation.
 Improving the feasibility of a project.
 Strengthening the confidence of consumers, employees or citizens in the way in which personal data
are processed and privacy is respected.
 Improving communication about privacy and the protection of personal data.

1.6. Carrying out the DPIA

When carrying out a DPIA it is recommended to use the templates that can be found in chapters 2 and 3
of this paper. The purpose of these templates is to provide guidance in the performance of a Data
Protection Impact Assessment (DPIA) for Smart Grid and Smart Metering systems. They describe a
documented process comprising the following steps:

 Step 1 - Pre-assessment and criteria determining the need to conduct a DPIA;
 Step 2 - Initiation;
 Step 3 - Identification, characterisation and description of smart grid systems / applications
processing personal data;
 Step 4 - Identification of relevant risks;
 Step 5 - Data protection risk assessment;
 Step 6 - Identification and recommendation of controls and residual risks;
 Step 7 - Documentation and drafting of the DPIA Report;
 Step 8 - Review and maintenance.

In chapter 3, tables and templates are provided to support these steps (up to step 6). Explanation and
details for each step are provided in chapter 2.

1.7. The result
By following the above-mentioned steps, the DPIA should help stakeholders to identify and categorise, in a
structured way, the privacy risks attached to smart grid systems and applications that process personal
data. Furthermore, the template helps to mitigate those risks by defining the process steps needed to
select appropriate controls, supported by examples of control measures. The result of the DPIA is a
report that provides a sound basis for decision making.

1.8. Success factors

The following factors can contribute to a successful DPIA:
 A DPIA is not an ad-hoc or random exercise. The DPIA is an integral part of risk management
and/or has a structural place in projects, programmes or processes;
 A DPIA is performed at an early stage (preferably during the design of new applications or
systems);
 During the DPIA, relevant internal and external stakeholders are actively involved;
 DPIAs are future oriented, so as to identify privacy risks before new applications are used or new
programmes are implemented;
 The DPIA is not a static document and is adjusted during a project (especially when
privacy risks change);
 The DPIA is preferably performed by a multidisciplinary team of experts;
 The DPIA is embedded in a system of incentives, sanctions and controls;
 The DPIA is part of the quality assurance process of a project methodology;
 The team performing the DPIA has both knowledge of the project/programme and access to
relevant privacy expertise;
 External stakeholders are involved during the DPIA;
 There is a (formal or informal) process for the result of a DPIA to be checked by external/independent
persons.

2. Guidance for execution of the DPIA
This chapter describes the steps to be taken when carrying out a DPIA. It also serves as an explanatory
companion to the DPIA template of chapter 3. Having chapters 2 and 3 presented
side-by-side (on two screens or with two printed copies) should make the DPIA process easier to
understand and to complete.

2.1. Step 1 - Pre-assessment and criteria determining the need to conduct a DPIA
The objective of this section is to provide guidance to the system owner of a smart grid system to
determine if a DPIA is necessary and who should conduct this DPIA. It is therefore proposed to the
system owner to perform an initial analysis of the application under consideration and to decide whether
to proceed with the next steps of the DPIA or to stop the process.

During this step the questions in section 3.1 should be answered. Positive replies indicate the need to
carry out a DPIA. This is not a quantitative exercise: a single positive answer may be enough to make
it necessary to conduct a DPIA.

When answering the questions in section 3.1, the following criteria might be considered.

2.1.1. Criterion 1 – Personal data involved

The purpose of this section is to get an initial insight into the data collected and used and the potential
necessity to execute a DPIA. The concept of personal data is defined in article 2 of Directive 95/46/EC [10].
Further guidance regarding this definition can be found in opinion WP136 of the Article 29 Working Party
on the concept of personal data [11].

It should be underlined that, before processing personal data, it should be considered whether the
processing is strictly necessary for operational purposes. If it is not, the processing of personal data
should be avoided (data minimisation).

Specifically, for smart grid applications, non-exhaustive examples of personal data would be:

• Household and organisation consumption;
• Consumer registration data: names and addresses of data subjects, etc.;
• Usage data (energy consumption, demand information and time stamps), as these provide
insight into the daily life of the data subject;
• Amount of energy and power (e.g. kW) provided to the grid (energy production), as these
provide insight into the sustainable energy resources available to the data subject;
• Locally produced weather forecast and the resulting consumption prediction / forecasts;
• Demand forecast of a building, campus or organisation;
• Technical data (tamper alerts), as these might change how the data subject is approached;
• Profile of types of consumers, as this might influence how the consumer is approached;
• Data and function of individual consumers / loads;
• Facility operations profile data (e.g. hours of use, how many occupants at what time and type
of occupants);
• Frequency of transmission of data (if bound to certain thresholds), as this might provide
insight into the daily life of the data subject;
• Billing data and the consumer’s payment method.

[10] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement of
such data, Official Journal of the European Communities, 23 November 1995, L 281/31, available at
http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf
[11] http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf

Illustrative example 1:

The utility makes a website available that allows consumers to access their consumption data online.
Consumers have to subscribe to this service and give their consent. The personal data has, by definition,
to be transmitted from the smart meter to the central systems in a secure way in order to reduce the risk
of a breach to a satisfactory level.

Illustrative example 2:

Smart meters register consumption data every 15 minutes (configurable). The data concentrator collects
these 15-minute readings once a day and sends them on to the backend systems. These readings are
personal data: at this resolution they can be misused to infer sensitive information about the behaviour
of each customer, such as presence at home and daily routines.

Illustrative example 3:

Implementing smart charging of EVs calls for interaction and a corresponding information exchange
between DSOs, Charge Spots, EVs, EV drivers and new market participants. One could add a Charge
Service Provider (CSP), who fulfils the charging request of the EV driver, and a Charge Spot
Operator (CSO), who operates the Charge Spots. Without countermeasures, one could derive
the charging locations of an EV over time. If these could be coupled to an EV driver, they would
become personal data, as they reveal the whereabouts of that driver. Ignoring these
privacy concerns might lead to a lower acceptance of EVs and smart charging.

Non-personal data:

 Household frequency, voltage etc. (no link to consumer behaviour);
 Data at feeder, transformer or network level (consumption, frequency, voltage etc.) with no link to
individual consumers and their behaviour.

Illustrative example 4:

An energy supplier maintains a list of systems and versions provided (e.g. leased) to a micro grid
operator. These data will not be considered personal data.

Illustrative example 5:

Technical data and commercial information are stored and processed in different systems. The common
key (also called primary key) that is used to link the two types of data is the location (the address). This way,
the client’s personal data is better protected, as it is not directly available when accessing the technical data
only. Note that the address is itself listed above as consumer registration data, so this separation limits,
but does not remove, the possibility of linking technical data back to a person; access to the link should be
restricted accordingly.
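Illustrative example 5 links the technical and commercial stores through the plain address. The following Python is an added example, written for this edit and not code from the EG2 template or from any utility's systems: it keeps the same separation but uses a keyed pseudonym of the address as the join key, so that the technical store on its own carries no direct identifier and only the system holding the key can perform the join. The store classes are hypothetical stand-ins for the two systems, and the link key, customer name, address and record fields are constructed sample values.

```python
"""Added example: technical/commercial separation (illustrative example 5) with a
keyed pseudonym instead of the plain address as the join key. Not code from the
EG2 template; the stores are hypothetical stand-ins and all values are constructed."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample key. In practice this is held only by the commercial (billing)
# system and rotated per policy; the technical store never sees it.
LINK_KEY = b"constructed-sample-link-key-do-not-reuse"


def link_pseudonym(address: str, key: bytes = LINK_KEY) -> str:
    """Deterministic pseudonym for a postal address.

    HMAC-SHA256 rather than a bare hash: a plain SHA-256 of an address can be
    reversed by anyone holding the technical store simply by hashing a list of
    addresses, whereas the HMAC cannot be recomputed without the key."""
    normalised = " ".join(address.lower().split())  # tolerate spacing/case differences
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


class TechnicalStore:
    """Meter and tamper data keyed by pseudonym only (hypothetical stand-in)."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}

    def put(self, pseudonym: str, record: dict) -> None:
        self._rows[pseudonym] = record

    def get(self, pseudonym: str) -> Optional[dict]:
        return self._rows.get(pseudonym)

    def mentions(self, identifier: str) -> bool:
        """True if the identifier appears anywhere in the store (keys or values);
        used to check that no direct identifier leaked into the technical side."""
        needle = identifier.lower()
        return any(needle in key.lower() or needle in repr(row).lower()
                   for key, row in self._rows.items())


class CommercialStore:
    """Customer data keyed by address; owns the link key and therefore the join."""

    def __init__(self, technical: TechnicalStore) -> None:
        self._customers: Dict[str, dict] = {}
        self._technical = technical

    def put(self, address: str, record: dict) -> None:
        self._customers[address] = record

    def joined_view(self, address: str) -> Optional[dict]:
        """Combine commercial and technical data for one customer. Only this side
        can derive the pseudonym, so only this side can perform the join."""
        customer = self._customers.get(address)
        if customer is None:
            return None
        technical = self._technical.get(link_pseudonym(address)) or {}
        return {**customer, **technical}


def build_demo() -> Tuple[TechnicalStore, CommercialStore, str]:
    """Populate both stores with constructed sample data and return them."""
    address = "12 Example Street, 1000 Brussels"  # constructed
    technical = TechnicalStore()
    technical.put(link_pseudonym(address),
                  {"meter_firmware": "1.4.2", "tamper_alerts": 0})  # constructed
    commercial = CommercialStore(technical)
    commercial.put(address, {"name": "A. Sample", "payment": "direct debit"})  # constructed
    return technical, commercial, address


if __name__ == "__main__":
    technical, commercial, address = build_demo()
    print("technical store mentions the street:", technical.mentions("Example Street"))
    print("joined view for billing:", commercial.joined_view(address))
```

The design point is that the pseudonym is useless to whoever only has the technical store: without the key they can neither recompute it from a list of addresses nor invert it. The key must therefore be managed as a credential of the commercial system, and the join itself becomes an auditable operation rather than a free lookup on a shared column.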

2.1.2. Criterion 2 – Data controller/data processor

The system owner also needs to clarify whether he can be considered a data controller. Indeed, if a smart
grid application/system operator makes determinations related to the collection or use of personal data,
its role could be similar to that of the Data Controller as defined in Directive 95/46/EC, and it would be
described as the natural or legal person, public authority, agency or any other body which, alone or
jointly with others, determines the purposes, conditions and means of operating such a smart grid
application/system which has impacts on personal data.

The application/system owner should also determine and clarify, already at this stage, whether he can be
considered a data processor who conducts the identified processing operations on behalf of the data
controller. He might then suggest to the Data Controller that a DPIA be conducted and assist him in this task
within the limits of his responsibility.

These two roles are defined by article 2 d) and e) of Directive 95/46/EC, and further guidance can be found in
opinion WP169 of the Article 29 Working Party on the concepts of controller and processor [12].

Illustrative example 1:

An energy supplier and an insurance company work together to provide insurance that covers the stability of
energy supply for micro-grid operators. In order to assess the applicability of coverage, monitoring of the energy
supply is implemented. The respective roles and responsibilities of all parties involved need to be made
clear.

In most Member States the DSO is the metering operator and, as such, the DSO is the data controller
for the first part of the metering data process (the DSO's process ends with the creation of a bill for network usage;
in a second step the metering data is passed on to the supplier, who creates a bill for the
electricity supplied). The DSO can outsource parts of his metering business to a data processor (e.g.
reading out meters, delivery of meter data to the DSO). In this case, the outsourcing partner/data processor
could become part of the DSO's DPIA, whereas the supplier has to conduct an individual DPIA himself (the DSO's
responsibilities end when the metering data is passed on to the supplier).

[12] http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf

When cloud computing infrastructures are used or envisaged, the determination of the
controller/processor roles might be more difficult, and conducting a DPIA in this case will facilitate
this clarification.

2.1.3. Criterion 3 – Impact on rights and freedoms

The organisation should determine whether the processing operations present specific risks to the rights
and freedoms of the data subject by virtue of their nature, their scope or their purposes. In this
preliminary step the aim is not to conduct the full risk assessment foreseen in steps 4 and 5 of the DPIA
process, but rather to list the risks which can already be envisaged considering the nature of the
personal data processing.

Profiling of individuals, targeted advertisement and any other added-value services based on detailed
analysis of energy use behaviour are illustrative examples for this part (listing them here does not
mean that they are discouraged or forbidden, only that they should trigger a DPIA).

The following risks can be considered specific risks which will trigger the need for a DPIA:

For the individual,

• Loss of independence (e.g. by being prevented from providing one's own energy supply);
• Loss of equality (e.g. by being treated differently based on consumption or
production);
• Stigmatisation (e.g. by being judged on whether one has a clean/green energy supplier or not);
• Loss of freedom to move (e.g. not being able to charge an electric car);
• Interference with private life (e.g. energy supply accidentally cut off by a wrong decision based
on poor-quality data);
• Manipulation (e.g. by an individual or organisation threatening to cut off the energy supply);
• Loss of autonomy (e.g. by not being able to live by one's own standards).

Illustrative example 1: Individual reading information is processed in the data collector (it should be either
aggregated or protected by a privacy-enhancing technology, PET).

Illustrative example 2: Individual reading information circulates unencrypted through the smart grid
infrastructure.

Illustrative example 3: Client smart meter readings are available through the supplier website.
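Illustrative example 2 under Criterion 1 (15-minute readings collected daily by the concentrator) and illustrative example 1 above (individual readings processed in the data collector should be aggregated or protected by a PET) describe the same risk from two sides. The following Python is an added example, written for this edit and not taken from the EG2 template or from any utility's software: it first shows the daily routine that can be read directly off one household's interval data, then the two data-minimising alternatives a concentrator could apply before forwarding, a single daily total per household and a feeder-level sum with a minimum group size. The load curves, the activity threshold, the meter names and the group size are constructed sample values.

```python
"""Added example (not part of the EG2 template): what per-household 15-minute
readings reveal, and two ways a data concentrator can forward less than that.
All load curves are constructed sample data, not measurements."""
from typing import Dict, List, Tuple

SLOTS_PER_DAY = 96          # one day at 15-minute resolution
HOURS_PER_SLOT = 0.25


def make_household_profile(wake: int, leave: int, home: int, sleep: int,
                           base_kw: float = 0.15, active_kw: float = 1.2) -> List[float]:
    """Constructed daily load curve for one dwelling, indexed by 15-minute slot.
    Draws base_kw (fridge, standby) when asleep or away, active_kw when present and awake."""
    curve = []
    for slot in range(SLOTS_PER_DAY):
        present_and_awake = wake <= slot < leave or home <= slot < sleep
        curve.append(active_kw if present_and_awake else base_kw)
    return curve


def slot_to_hhmm(slot: int) -> str:
    minutes = slot * 15
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def infer_activity_windows(readings: List[float], threshold_kw: float = 0.5) -> List[Tuple[str, str]]:
    """The inference that makes interval data personal data: runs of slots above
    threshold_kw give the times someone is at home and awake (wake-up, leaving,
    return, bedtime) for a single dwelling."""
    windows: List[Tuple[str, str]] = []
    start = None
    for slot, kw in enumerate(readings):
        if kw > threshold_kw and start is None:
            start = slot
        elif kw <= threshold_kw and start is not None:
            windows.append((slot_to_hhmm(start), slot_to_hhmm(slot)))
            start = None
    if start is not None:
        windows.append((slot_to_hhmm(start), "24:00"))
    return windows


def daily_total_kwh(readings: List[float]) -> float:
    """Coarsening: one figure per household per day, enough to bill a flat tariff
    but no longer a routine."""
    return round(sum(kw * HOURS_PER_SLOT for kw in readings), 3)


def aggregate_feeder(households: Dict[str, List[float]], k_min: int = 5) -> List[float]:
    """Aggregation at the concentrator: sum the curves of all dwellings on a feeder
    and forward only the sum. Keeps the interval resolution the grid operator needs
    for load management but describes no single dwelling. Refuses small groups,
    since a sum over two or three households can be re-individualised by anyone
    who knows the other contributions."""
    if len(households) < k_min:
        raise ValueError(f"only {len(households)} households; need at least {k_min} to aggregate")
    totals = [0.0] * SLOTS_PER_DAY
    for name, curve in households.items():
        if len(curve) != SLOTS_PER_DAY:
            raise ValueError(f"{name}: expected {SLOTS_PER_DAY} readings, got {len(curve)}")
        for slot, kw in enumerate(curve):
            totals[slot] += kw
    return [round(t, 3) for t in totals]


if __name__ == "__main__":
    # Constructed: wakes 06:30, leaves 08:00, returns 18:00, sleeps 23:00.
    one_home = make_household_profile(wake=26, leave=32, home=72, sleep=92)
    print("routine recovered from raw 15-minute data:", infer_activity_windows(one_home))
    print("daily total only:", daily_total_kwh(one_home), "kWh")
    feeder = {f"meter-{i}": make_household_profile(24 + i, 30 + i, 70 + i, 90 + i) for i in range(6)}
    print("feeder aggregate at 06:30 and 13:00:", aggregate_feeder(feeder)[26], aggregate_feeder(feeder)[52])
```

The k_min check is the caveat a practitioner attaches to the word "aggregated": a sum over a handful of meters is not anonymous, because a party that knows the other contributions recovers the remaining one by subtraction. Whether daily totals or a feeder sum is the right output depends on the purpose identified under Criterion 6; the point here is that the concentrator can produce either without ever forwarding the per-dwelling curve.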

2.1.4. Criterion 4 - When to perform a DPIA (right timing and motivation)

Right timing

In the case of the development of a new application or system, in compliance with the principle of
privacy by design, a DPIA should be carried out from the start of the idea and throughout the design and
implementation phases. This enables a Privacy by Design approach, ensuring that potential risks are
identified and that appropriate controls can then be built into the systems.

With already existing applications, the following criteria should also be considered when envisaging a
DPIA:

• Significant changes in the smart grid application, such as material changes that expand beyond
the original purposes (e.g., secondary purposes);
• Processing of new types of information;
• An unexpected personal data breach with significant impact, the occurrence of which had not
been identified among the residual risks of the application in part 5 of the first DPIA;
• Periods of regular review of the DPIA report, as defined by the system owner in accordance with the
risk management policy;
• Substantive or significant internal or external stakeholder feedback or inquiry;
• Use of cloud based services for processing personal data issued from the smart grid system;
• In the context of change management procedures: throughout the lifetime of the Smart Grid
application, a new or revised DPIA Report is warranted if there are technology-related
changes in applications, etc. that may have data protection implications for the smart grid
application under consideration.

Indicators that the adequacy or compliance of existing systems is not in line with the latest
standards or insights (e.g. systems that have not been built with data protection by design in mind)
are triggers for conducting a DPIA. On the other hand, material changes that would
narrow the scope or minimise the collection or use of personal data would not per se trigger the need
for a revised DPIA, as they should decrease the risks already identified and approved.

Motivation

A DPIA process may be motivated by the following elements:

 A willingness to prevent costly re-design and to control risks when designing and implementing
smart grid (components);
 The necessity to ensure compliance with data protection and security legislation as well as other
relevant legal obligations. This is already the case for specific organisations in some Member States.
It is also envisaged in the proposed reform of the general data protection legislation (Article 33
of the proposed Regulation [13]) that a DPIA will be mandatory under certain conditions;
 Being part of a wider risk management process (e.g. ISO 27005). Using a DPIA, data protection
issues can be considered during risk identification and assessment;
 Corporate rules and culture;
 An accountability and communication policy, sometimes related to the previous point, with the aim
of obtaining a certification/seal.

[13] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF

This initial analysis and the decision (not) to conduct a DPIA has to be documented and may assist a
company in case it is subject to an investigation by data protection authorities.

In case of doubt regarding the results of this analysis and the decision to be adopted, the organisation
should consult the Data Protection Authorities according to national practices.

2.1.5. Criterion 5 – The nature of the system/application

The main question which should be addressed by the system owner is: what is the nature of the
application or system?

Which components/functions of the application will be considered in scope? The idea of this criterion
is not to reproduce in detail step 3 of the DPIA process but to provide a first overview of the possible
perimeter of the application at stake. This step will provide an initial insight into the system and the potential
necessity to execute a DPIA.

2.1.6. Criterion 6 - Legal basis and public concern

The processing of personal data is regulated by the EU legal framework (Directive 95/46/EC) as transposed
by the Member States [14]. The word 'processing' means any operation or set of operations performed upon
personal data or sets of personal data, whether or not by automated means, such as collection,
recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or combination,
erasure or destruction. The system owner of the application needs to determine whether at least one of these
operations is implemented and how far the organisation has control over it (see criterion 2).

The legal basis for these processing operations has to be carefully selected and duly
justified. Article 7 of Directive 95/46/EC offers a series of possible legal bases which might apply.
Further guidance on the processing of smart metering data and compliance with the Data Protection
Directive can be found in Article 29 Working Party opinion WP183 on smart metering [15].

The non-exhaustive list below provides some illustrative examples of processing of personal data:

 Reading out a meter (manually or remotely) and entering data into a database;
 Storage of meter data in the meter or telecommunication device, including intermediate storage;
 Adding meter data to tariff registers in the meter and/or back end systems;
 Transfer of meter data / tariff register data via WAN to a back end system, including naming,
addressing, encryption and data plausibility mechanisms (e.g. detecting tampered data);
 Applying tariffs to the meter data, e.g. multiplication of annual consumption by the price/kWh
in the back end system;
 Creating a bill out of the aforementioned data (billing data).

[14] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
[15] http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp183_en.pdf

Following Article 29 Working Party opinion WP205 [16], it can be stated that the following processing
operations do not require user consent and may be based on the legal obligations of the smart grid
operator:

 the provision of energy;
 the billing thereof;
 detection of fraud consisting of unpaid use of the energy provided;
 preparation of aggregated data necessary for energy-efficient maintenance of the grid
(forecasting and settlement).

On the other hand, tracking and profiling processing operations for the purpose of targeted
advertisement will require freely given, specific, informed and explicit consent.

Illustrative example 1:

The advanced smart grid functionality of load balancing requires data collectors to have near real time
access to the readings of the mapped meters in order to manage energy production and
consumption efficiently, including micro generation and distributed generation. The smart meter readings are
critical for the processing of the smart grid response to a load balancing event when using this
strategy of near real time data collection at meter level.

2.1.7. Other criteria

Besides the above mentioned criteria there could be other reasons to execute a DPIA. These should be
identified.

2.1.8. Documented conclusion

At the end of this section a documented conclusion identifying whether a DPIA is needed or not should
be produced based upon the answers to the questions. This should be endorsed by the management.

Expected deliverables for this preliminary step: a documented decision endorsed by higher
management on whether or not the organisation shall conduct a DPIA.

[16] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp205_en.pdf
2.2. Step 2 - Initiation
When initiating a DPIA, different elements should be considered. The table in section 3.2 should help by
documenting the necessary information.

2.2.1. Organisational requirements for conducting a DPIA

Before describing the process itself, this document presents a non-exhaustive series of organisational
guidelines which will contribute to the success of a DPIA. These guidelines have been drafted based on
several guidelines on Privacy Impact Assessment in Europe [17] as well as the expertise of the EG2 members
in the field of risk management.

2.2.1.1. Purposes of executing the DPIA

The DPIA can be used in different ways, for different purposes, by different types of persons. Use of the
DPIA will provide them with answers to different questions such as:

Investor / Management / Project initiator / system owner
• Will the investment be realistic from the viewpoint of data protection?
• Are the risks known and can they be mitigated?

Project management
• Are non-functional requirements sufficiently dealt with?
• Are the risks known and are we (still) dealing with them?

Compliance and oversight functions
• Is the risk assessment properly executed?
• Are all stakeholder interests dealt with and balanced?

System developers / project execution
• What measures do we need to take?
• What are the boundaries for performing the work?

2.2.1.2. The DPIA team

Three possible options for the management of the DPIA should be envisaged, each of them having its
merits and drawbacks:
1. A dedicated team within the organisation, but not the one in charge of the application. The Data
Protection Officer should be involved in or contribute to this team, from an evaluation or an
operational point of view, together with:
a. Persons with knowledge of the automation environment (hardware, software, networks
and network components);
b. Persons in the user environment;
2. A third party providing the external expertise needed for the DPIA;
3. The persons in charge of the application/system which is the target of the DPIA. This might
especially apply in the case of SMEs with limited resources.

When the resources of the organisation allow it, option 1 should be favoured. The team conducting the
DPIA should be as independent as possible from the team working on the smart grid application itself.

[17] http://www.piafproject.eu/

The DPIA team requires strong understanding of the project itself, knowledge of privacy, data protection
and cyber security and expertise in the performance of risk assessments generally and privacy impact
assessment in particular. Because of the diversity of expertise and interests involved, it is common to
conduct the DPIA with a small and multidisciplinary team where the following expertise is combined:
• Risk assessment;
• IT architecture and system engineering;
• Information security;
• Privacy and data protection;
• Legal;
• Organisational design;
• Project management.

2.2.1.3. The resources

A key success factor for the DPIA is the support of higher management. If higher
management does not give the necessary support, the workload and time may increase and the
results may be disputed or disregarded.

The information needed to execute the DPIA will be obtained through interviews or from available
documents such as:
• Project documents such as the project plan, project initiation document and business case;
• Architectures, such as IT and enterprise architectures;
• Requirements documentation, such as functional, technical and non-functional requirements;
• The types of data to be generated and their purpose of use;
• Contracts with system engineers, IT hosting parties, IT service providers, installation and service
providers;
• System design documentation, such as interface design and communication protocols.

The outcome will be a good understanding and description of the data flow, of the parties and systems
involved in that data flow, and of the data protection and security measures envisaged.

2.3. Step 3 - Identification, characterisation and description of Smart Grid
systems/applications processing personal data, including data flows
In this step, the system owner should give a comprehensive and full picture of the application, its
environment, processed data and system boundaries. The application design, its interfaces with
other systems, and its information flows are to be described.

Data flow diagrams that show the processing of primary and secondary data are recommended to visualise the
origin, locations and destination of data. Data structures need to be documented too, so that potential
links can be analysed. To accomplish this, the system owner will be invited to fill in a set of
tables while going through the template. Each table is accompanied by a set of instructions about how it
should be filled in, to provide guidance through this part of the process.

2.3.1. The use case

The aim of the template in section 3.3 is to gather relevant overall information regarding the
processed data, the use case, the organisation, the actors involved, the system owner and the project.
Introduced at the beginning of the DPIA, this table should be completed and finalised at the end of the
process. The system owner should refer to the document prepared by the M/490 smart grid coordination
group [18] for assistance in completing the use case template description in a standardised way.

All roles and responsibilities in relation to personal data processing operations need to be clearly
documented and, when necessary, communicated.

2.3.2. System information

The system owner should fill in this table with the requested information in order to characterise the
targeted smart grid / smart metering application. A field should be filled with “NA” when it
is not applicable to the application; objectives that are specific to the application and not already
listed should also be included in this table.

2.3.3. Description of primary and supporting assets of the system

Each system identified in the tables should be described, including the workflows of personal data (the
categories of data subjects and of data, the nature of the process, the recipients to whom data may be
disclosed, how information is provided to the data subject, the retention policy, the technologies used, the
communication protocols used, etc.). A clear description of the data flows, including the primary assets
on which the processing of personal data relies (e.g. a database acting as a repository of the data
collected in a certain area), should be provided.

For each processing of personal data, the primary assets are the following:

- processes: those of the processing operations specific to smart grid management
dealing with personal data, and those required by Directive 95/46/EC and listed in Annex I
“Privacy and data protection targets” (for example the data subject's right of access or
right to object require specific processing operations which need to be described);
- personal data: those directly concerned by the processing operations necessary for the
management of the smart grid, and those concerned by the processes required by
Directive 95/46/EC and listed in Annex I “Privacy and data protection targets”.

[18] http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/xpert_group1_sustainable_processes.pdf

It is of great importance that the legal basis for these processing operations is clearly identified and
presented in detail and, for those requiring the consent of the end-user, that the process for
obtaining this consent is documented, as well as the process foreseen for the withdrawal of
consent. These processes are themselves considered primary assets to be appropriately protected.

These primary assets in turn rely on various information system components considered as supporting
assets, which include the following elements:

 Hardware: computers, communications relays, USB drives, hard drives, sensors, smart meters,
remote terminal units (RTU), intelligent electronic devices (IED), actuators, data concentrators,
servers, front-ends, workstations;
 Software: operating systems, messaging, databases, business applications, Advanced Metering
Infrastructure (AMI) head-end, etc.;
 Networks: electricity and data cables, wireless, fibre optic, routing and switching devices;
 People: users, administrators, top management, etc.;
 Paper media: printouts, photocopies, invoices, delivery contracts, etc.;
 Transmission channels: mail, workflow, etc., personalised web portals.

The system owner should pay great attention to the description of the primary and supporting assets, as
they will provide, in addition to the list of controls, the main input for the risk evaluation step.

Expected deliverables for this step: a detailed inventory of the primary and supporting assets of the
processing operations, together with any contribution thoroughly describing the system
and application.

2.4. Step 4 - Identification of relevant risks

2.4.1. Introduction
The goal of this step is to identify the conditions and potential risks that may threaten or compromise
personal data of the data subject and impact his/her privacy using the EU Directive as a reference for
important hallmarks of privacy and data protection targets to protect.

A risk assessment process should typically consider the risks of a smart grid application in terms of their
likelihood of occurrence (likelihood) and the impact of their consequences (severity). These privacy risks
are mainly made up of a feared event and the threats which might trigger it (several threats can trigger
the same feared event). Whenever available within the organisation, the Data Protection Officer should
take part in this analysis, as already suggested in 2.2.1.2.

The feared events represent the following situations to be avoided:

 Unavailability of legal processes: they do not or no longer exist or work;
 Change in processing: it deviates from what was originally planned (diversion of the purpose,
excessive or unfair collection, etc.);
 Illegitimate access to personal data: they are known by unauthorised persons;
 Unwanted change in personal data: they are altered or changed;
 Disappearance of personal data: they are not or no longer available;
 Diverting of personal data to other users: they are distributed to people that have no need for them.

Whenever these events take place, they have impacts on the privacy of the data subjects, and these
impacts need to be properly and systematically assessed and ultimately mitigated.

Accidentally or deliberately, these feared events will be triggered by one or more risk sources, mainly the
following:

 Insider: persons who belong to the organisation: user, system operator, grid operator, service
operator, call centre operator, commercial service employee
 Outsider: persons from outside the organisation: recipient, provider, competitor, authorised
third party, government organisation, surrounding human activity, external/sub-contracted
maintenance
 Machine: non-human sources: corrupt sensor, computer virus, natural disaster such as lightning,
energy imbalance, energy disruption or outage.

2.4.2. Threats Identification for each feared event


Starting from the analysis performed in step 3 (description of the system), threats can be identified for
each feared event described above. The aim is to establish, for the system which is under the scope of
this assessment, a detailed and prioritized list of all threats that would trigger these feared events.

In 3.4.1 a list of potential threats and specific energy industry examples is provided. This non-exhaustive
list needs to be made applicable and tailored to your circumstances. The list of threats and the answers to
the questionnaire in 3.4.1 should provide guidance on the identification of the threats related to your
system.

The system owner should select an appropriate internal numbering system for the ID of the threats in
order to allow the reviewer of the DPIA report to uniquely identify given threats.

Expected deliverables for this step: A detailed inventory (see proposed table in part 3.4.2) of the threats
related to the primary and supporting assets of processing operations identified in the previous step and
triggering specific feared events.

2.5. Step 5 - Data protection risk assessment
In this step the identified feared events and related threats will be weighed with the severity of impact
on the individuals and likelihood of occurrence. In order to classify the impact and likelihood, several
widely available models can be used.

The illustrative model for classification which is proposed and detailed below is mainly based on ISO
31000, the EBIOS methodology and the synthesis produced by the CNIL19, the French data protection authority.

However, it is acceptable to use alternative methodologies, either industry standard or internal ones, as
long as the privacy risks which can impact the data subject are properly identified and quantified.

2.5.1.1. Impact of feared events


The feared events are ranked by determining their impact and severity based on the level of
identification of personal data and the prejudicial effect of these potential impacts. This potential impact
is defined by the consequences each feared event could have on a data subject's privacy and other
fundamental rights and freedoms, including e.g. crime related risks such as identity theft and fraud, or
freedom to move, independence, equal treatment, social relationships, financial interests, etc. due to
e.g. profiling, unsolicited marketing, discrimination or individual decisions on wrong information. The
consequences of feared events may not impact all data subjects equally. Vulnerable consumers or
consumers in vulnerable circumstances may be more adversely affected by privacy risks than consumers
generally, so it is important that the assessment reflects the greater impact relating to specific consumer
groups.

When assessing the impact and severity of a certain identified threat, the following elements need to be
considered.

 The privacy targets (see Annex I)
 Crime related risks such as identity theft and fraud
 Impact on other privacy principles such as freedom to move, loss of independence, loss of
equality etc. due to e.g. profiling, unsolicited marketing, discrimination or individual decisions
based on wrong information.
 The potential impact from feared events may extend beyond those consumers who are directly
affected and this should also be considered in the impact assessment.

The first step to conduct is to assess the level of identification of all personal data established
beforehand in the list of primary assets. In other words, how easy is it to identify data subjects with the
available data processed by the system?

1. Negligible: Identifying an individual using their personal data appears to be virtually impossible
(e.g. searching throughout a Member State population on one meter reading).

19
http://www.cnil.fr/fileadmin/documents/en/CNIL-ManagingPrivacyRisks-Methodology.pdf

2. Limited: Identifying an individual using their personal data appears to be difficult but is possible
in certain cases (e.g. searching throughout a Member State population using an individual's 1 day
history of meter readings).
3. Significant: Identifying an individual using their personal data appears to be relatively easy (e.g.
searching throughout a Member State population using an individual's history of meter readings
of multiple days).
4. Maximum: Identifying an individual using their personal data appears to be extremely easy (e.g.
searching throughout a Member State population using an individual's history of meter
readings).

The value of the level that best matches the personal data identified is then selected. Any existing or
planned measures that reduce the identification should be documented and will be taken into account in
the next step (Step 6 on controls and final risk level).

The prejudicial effect of each feared event should then be estimated. In other words, how much damage
would be caused by all the potential impacts?

1. Negligible: Data subjects either will not be affected or may encounter a few inconveniences,
which they will overcome without any problem (time spent re-entering information, annoyances,
irritations, etc.).
2. Limited: Data subjects may encounter significant inconveniences, which they will be able to
overcome despite a few difficulties (extra costs, denial of access to business services, fear, lack of
understanding, stress, minor physical ailments, etc.).
3. Significant: Data subjects may encounter significant consequences, which they should be able to
overcome albeit with serious difficulties (misappropriation of funds, blacklisting by banks,
property damage, loss of employment, subpoena, worsening of state of health, etc.).
4. Maximum: Data subjects may encounter significant, or even irreversible, consequences, which
they may not overcome (financial distress such as substantial debt or inability to work, long-term
psychological or physical ailments, death, etc.).

The value of the level that best matches the potential impacts identified is then selected. Any existing or
planned measures that reduce the prejudicial effect should be documented and will be taken into
account in the next step (Step 6 on controls and final risk level).

The last step of this process is to determine the severity/impact of the feared events and their related
threats. It is accomplished by adding the number obtained with respective personal data level of
identification and the number of prejudicial effects of potential impacts values obtained (a table is
provided in part 3.5).

2.5.1.2. Likelihood of threats


The likelihood will be assessed by the combination of the level of vulnerability of the supporting assets
and the capability of the risk source for the exploitation of this vulnerability.

First, the vulnerabilities of the supporting assets are estimated for each threat identified previously. In
other words, to what degree can the properties of supporting assets be exploited in order to carry out a
threat?

1. Negligible: Carrying out a threat by exploiting the properties of supporting assets does not
appear possible (e.g. theft of paper documents stored in a room protected by a badge reader
and access code).
2. Limited: Carrying out a threat by exploiting the properties of supporting assets appears to be
difficult (e.g. theft of paper documents stored in a room protected by a badge reader).
3. Significant: Carrying out a threat by exploiting the properties of supporting assets appears to be
possible (e.g. theft of paper documents stored in offices that cannot be accessed without first
checking in at reception).
4. Maximum: Carrying out a threat by exploiting the properties of supporting assets appears to be
extremely easy (e.g. theft of paper documents stored in a lobby).

The value of the level that best matches the supporting asset vulnerabilities identified is then selected.
Control measures which are already implemented or planned for the system/application and which
should in principle reduce these vulnerabilities and impact the value of this level will be taken into
account in the next step (Step 6 on controls and final risk level).

Then the capabilities of risk sources to exploit vulnerabilities (skills, available time, financial resources,
proximity to system, motivation, feeling of impunity, etc.) are estimated for each threat.

1. Negligible: Risk sources do not appear to have any special capabilities to carry out a threat (e.g.
software function creep by an individual acting without malicious intent and who has limited
access privileges).
2. Limited: The capabilities of risk sources to carry out a threat are limited (e.g. software function
creep by a malicious individual with limited access privileges).
3. Significant: The capabilities of risk sources to carry out a threat are real and significant (e.g.
software function creep by an individual acting without malicious intent and who has unlimited
administration privileges).
4. Maximum: The capabilities of risk sources to carry out a threat are definite and unlimited (e.g.
software function creep by a malicious individual with unlimited administration privileges).

The value of the level that best matches the risk sources identified is then selected. Any existing or
planned measures that reduce the capabilities of risk sources should be documented and will be taken
into account in the next step (Step 6 on controls and final risk level).

The last step is to determine the likelihood of the identified threats by summing the values obtained for
the vulnerabilities of the supporting assets and the one related to capabilities of the risk sources (a table
is provided in part 3.5).

2.5.1.3. Final risk level / value and priority
Once the relevant threats have been identified, their quantification will lead to risks related to the feared
events which should be considered from the point of view of their impact/severity and likelihood (as
highlighted above). Risks should be presented in order of priority. According to their respective levels,
they can require additional measures as explained in the next step (step 6).

If not already documented, this should also include details of the impacted part of the application
/system and stakeholders which should have been listed in the description.

The order of priority for the identified and quantified risks should lead to the following statement:

1. Risks with a high severity and likelihood must absolutely be avoided or reduced by implementing
security measures that reduce both their severity and their likelihood. Ideally, care should even
be taken to ensure that these risks are treated by independent measures of prevention (actions
taken prior to a damaging event), protection (actions taken during a damaging event) and
recovery (actions taken after a damaging event).
2. Risks with a high severity but a low likelihood must be avoided or reduced by implementing
security measures that reduce either their severity or their likelihood. Emphasis must be placed
on preventive measures.
3. Risks with a low severity but a high likelihood must be reduced by implementing security
measures that reduce their likelihood. Emphasis must be placed on recovery measures.
4. Risks with a low severity and likelihood may be taken, especially since the treatment of other
risks could also lead to their treatment.

The different actions for this assessment can be summarised as below:

Identification | Quantification                                   | Assessment
---------------|--------------------------------------------------|---------------------------
Feared event   | Identifiability: from 1 to 4 points              | Severity (sum of the two)
               | Prejudicial effect: from 1 to 4 points           |
Threat         | Level of vulnerability: from 1 to 4 points       | Likelihood (sum of the two)
               | Risk sources capabilities: from 1 to 4 points    |
---------------|--------------------------------------------------|---------------------------
               |                                                  | Risk level (severity and likelihood)
Illustrative example: a feared event A with 2 points for identifiability and 1 point for prejudicial effects
will get 3 points for severity.

Expected deliverables for this step: A completed table as provided in paragraph 3.5 together with a
mapping of the identified risks within the map provided. At this stage, the controls and mitigation
measures implemented and planned are still not taken into account in the evaluation level of risks.

2.6. Step 6 - Identification and Recommendation of controls and residual risks

2.6.1. Assessment of implemented and planned controls


At this stage, the aim is to consider the risks identified and assessed in the previous step and to present
which controls have been implemented or are planned to be implemented in order to reduce the risk at
appropriate levels. Each identified risk needs to be appropriately mitigated by one or more controls
considering their likelihood and impact. In Annex II an indicative list of possible controls is provided. The
EG2 is establishing a list of ‘Best Available Techniques’ in smart metering system environments which can
provide further guidance to the data controller regarding which control will be the most efficient.

31
Best Available Techniques, as defined in point 3.f of the Recommendation20, refers to “the most
effective and advanced stage in the development of activities and their methods of operation, which
indicate the practical suitability of particular techniques for providing in principle the basis for complying
with the EU data protection framework. They are designed to prevent or mitigate risks on privacy,
personal data and security.”

The controls adopted or already planned by the system owner should cover the following dimensions:

• The infrastructure (communication network, Equipment Protection, hardening, etc.);


• The agents/personnel involved in the process (Individual access and control mechanism, etc.);
• The organisation and procedure (Smart grid application governing practices, accountability
measures, etc.);
• The technologies (system protection measures including Security Controls and IT based security
methodology, etc.).

The DPIA report should explain in detail how the selected (implemented or planned) controls relate to
specific risks, and should demonstrate that they result in acceptable risk levels. When the risk is shared
with a third party, the system owner should also detail which control this third party has implemented or
planned to implement in order to address this risk in an acceptable way.

It is also recommended to design and implement an internal process (see step 8) with the aim of
regularly verifying if identified controls are in place (e.g. performing audits on a regular basis, which is
the ultimate control listed in the List of Controls in Annex II).

Expected deliverables: A list of planned and implemented controls for mitigating the identified risks and
a new risk map with the location of residual risks (part 3.6). In principle this new risk map should show
residual risks at a lower level compared to the first risk map, which takes no controls into account.
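As an added worked example (not part of the Task Force template or of any project's code), the following Python script carries the scoring of step 5 through for a few constructed smart metering threats: identifiability plus prejudicial effect gives severity, vulnerability plus risk-source capability gives likelihood (each sum from 2 to 8), and the four priority classes of 2.5.1.3 decide the treatment emphasis. It then re-scores the same threats after a control has lowered one of the levels, which is the residual risk map expected at the end of 2.6.1. The threshold HIGH = 5 separating "high" from "low" severity and likelihood, the threat descriptions and all level values are assumptions made for the illustration; the template itself leaves the risk map to the table in part 3.5.

```python
"""Worked example of the DPIA risk scoring of steps 4 to 6 (constructed example, not the template's own)."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Tuple


class FearedEvent(Enum):
    # The six feared events listed in section 2.4.1
    UNAVAILABLE_LEGAL_PROCESS = "Unavailability of legal processes"
    CHANGE_IN_PROCESSING = "Change in processing"
    ILLEGITIMATE_ACCESS = "Illegitimate access to personal data"
    UNWANTED_CHANGE = "Unwanted change in personal data"
    DISAPPEARANCE = "Disappearance of personal data"
    DIVERSION = "Diverting of personal data to other users"


class RiskSource(Enum):
    # The three families of risk sources of section 2.4.1
    INSIDER = "Insider"
    OUTSIDER = "Outsider"
    MACHINE = "Machine"


LEVEL_NAMES = ("identifiability", "prejudicial_effect", "vulnerability", "capability")
HIGH = 5  # ASSUMED threshold: a sum of 5 or more on the 2-8 scale counts as "high"


@dataclass(frozen=True)
class Threat:
    threat_id: str
    description: str
    feared_event: FearedEvent
    risk_source: RiskSource
    identifiability: int       # 2.5.1.1: level of identification of the personal data (1-4)
    prejudicial_effect: int    # 2.5.1.1: damage caused by the potential impacts (1-4)
    vulnerability: int         # 2.5.1.2: exploitability of the supporting assets (1-4)
    capability: int            # 2.5.1.2: capability of the risk source (1-4)

    def __post_init__(self) -> None:
        # Every level is a whole number from 1 (Negligible) to 4 (Maximum)
        for name in LEVEL_NAMES:
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 4:
                raise ValueError(f"{name} must be an integer from 1 to 4, got {value!r}")

    @property
    def severity(self) -> int:
        # Severity = identifiability + prejudicial effect (2 to 8)
        return self.identifiability + self.prejudicial_effect

    @property
    def likelihood(self) -> int:
        # Likelihood = vulnerability of supporting assets + capability of the risk source (2 to 8)
        return self.vulnerability + self.capability


def priority_class(t: Threat) -> Tuple[int, str]:
    """Map a scored threat to the four priority classes of 2.5.1.3 (1 = most urgent)."""
    high_sev, high_lik = t.severity >= HIGH, t.likelihood >= HIGH
    if high_sev and high_lik:
        return 1, "must be avoided or reduced in both severity and likelihood (prevention, protection, recovery)"
    if high_sev:
        return 2, "must be avoided or reduced in severity or likelihood; emphasis on preventive measures"
    if high_lik:
        return 3, "must be reduced in likelihood; emphasis on recovery measures"
    return 4, "may be taken; treatment of other risks may also address it"


def prioritise(threats: List[Threat]) -> List[Threat]:
    """Order threats by priority class, then by total score within a class."""
    return sorted(threats, key=lambda t: (priority_class(t)[0], -(t.severity + t.likelihood)))


def risk_map(threats: List[Threat]) -> List[Dict[str, object]]:
    """Rows of the risk map (the table of part 3.5), most urgent first."""
    rows = []
    for t in prioritise(threats):
        rank, guidance = priority_class(t)
        rows.append({"id": t.threat_id, "feared_event": t.feared_event.value,
                     "severity": t.severity, "likelihood": t.likelihood,
                     "priority": rank, "treatment": guidance})
    return rows


def apply_controls(t: Threat, **reductions: int) -> Threat:
    """Step 6: model a control by lowering one or more levels by the given amount (never below 1)."""
    unknown = set(reductions) - set(LEVEL_NAMES)
    if unknown:
        raise ValueError(f"unknown level(s): {sorted(unknown)}")
    new_levels = {name: max(1, getattr(t, name) - delta) for name, delta in reductions.items()}
    return replace(t, **new_levels)


# Constructed sample threats for a smart metering application (assumed values)
SAMPLE_THREATS = [
    Threat("T-01", "Multi-day meter reading history read in transit over an unencrypted link",
           FearedEvent.ILLEGITIMATE_ACCESS, RiskSource.OUTSIDER, 3, 2, 3, 2),
    Threat("T-02", "Consumption data exported to a marketing partner outside the stated purpose",
           FearedEvent.DIVERSION, RiskSource.INSIDER, 4, 2, 2, 4),
    Threat("T-03", "Daily readings lost after a data concentrator failure before forwarding",
           FearedEvent.DISAPPEARANCE, RiskSource.MACHINE, 2, 1, 2, 1),
]


def residual_risk_map() -> List[Dict[str, object]]:
    """Re-score the sample after two assumed controls: transport encryption and least-privilege access."""
    treated = [apply_controls(SAMPLE_THREATS[0], vulnerability=2),   # encryption of the link
               apply_controls(SAMPLE_THREATS[1], capability=2),      # restricted administration rights
               SAMPLE_THREATS[2]]                                    # low risk, retained as is
    return risk_map(treated)


if __name__ == "__main__":
    for title, rows in (("Initial risk map", risk_map(SAMPLE_THREATS)),
                        ("Residual risk map", residual_risk_map())):
        print(title)
        for r in rows:
            print(f"  {r['id']} sev={r['severity']} lik={r['likelihood']} P{r['priority']}: {r['treatment']}")
```

Running the script prints the initial map with T-02 and T-01 in priority class 1 and T-03 in class 4, then the residual map in which both treated threats have dropped to class 2 (high severity, low likelihood), which is what the expected deliverable of 2.6.1 asks the report to show: the controls move the points on the map, and the remaining position is the residual risk that step 6.3 must accept or treat further.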

2.6.2. Risk Treatment


Having identified and assessed the risks, the system owner needs to specify the way in which these risks
will be managed. This can be done with the inclusion of a new column as proposed in the table of part 3.6.
In this column, the system owner should also describe the way the privacy targets as defined in Annex I
have been implemented, OR provide a justification if they have not been implemented. The possible
options which can be adopted to manage those risks are proposed below:
• Risk Modification: The risk is managed by identifying and introducing additional (to those
already implemented or planned and described in section 2.6.1) appropriate controls, thereby
reducing the risk to acceptable levels;
• Risk Retention: The system owner accepts the risk as it is, if it meets the acceptance criteria,
without any further action;
• Risk Avoidance: The system owner decides not to put the application in production;

20
Commission recommendation of 9 March 2012 on preparations for the roll-out of smart metering systems (COM
2012/148/EU)

• Risk Sharing: The risk is shared with a third party, which can manage the identified risk more
effectively and thereby reduce the risk at acceptable levels.

It is noted that these options are not mutually exclusive. The system owner may decide to go with more
than one option. Further details should be added to the report regarding the approach undertaken. The
following information should be at least included:

• Appropriate justification for the selection of specific option(s) for treating the risk and the proposed
approach to ensure that the risk will be monitored, to make sure acceptance remains appropriate in
light of the evolving external landscape (e.g. threats, vulnerabilities, legal requirements, etc.).
Ideally the system owner should perform a cost-benefit analysis when selecting among these
options, considering the expected benefits and costs of implementing each option;
• Consultation of the Data Protection Officer (DPO) when available;
• Date the decision was approved (this should include a history demonstrating each time the action
was taken);
• Date of next review if already planned;
• External Review: Any details of this document being reviewed (with comments) by a third party
reviewer.

2.6.3. Residual risks and risk acceptance


According to ISO 27005, the residual risk is “the risk remaining after the risk treatment”. In this context,
the system owner needs to appropriately identify the residual risks that remain after implementing
controls. Once those are identified (in the previous step), the system owner then needs to decide
whether additional controls need to be implemented to address those residual risks considered
still unacceptable.

Finally, based on this analysis and the acceptance levels set by the management, the decision to accept
those risks may need to be made. The decision should be appropriately and carefully justified, especially
in the case of risks that don’t fall within the acceptable levels and that are accepted (e.g. because it is not
considered cost-efficient to address them, in view of the advantages associated with the risk etc.). The
system owner needs to demonstrate that the benefits of processing greatly outweigh the risks for the
individual.

It should be recalled that the right to the protection of personal data is a fundamental right and
compliance with it is a high-level legal requirement. Independently of the outcome of this risk
assessment, it has to be underlined that the data protection and privacy targets (listed in Annex I) have to
be reached. For example, the processing operations always need to be supported by a lawful ground.

Illustrative example: an unencrypted data exchange which had a high risk of privacy breach is addressed by
implementing a cipher suite in the platform to ensure confidentiality. However, due to technology and cost
limitations the encryption algorithm is not particularly strong and has been shown to be vulnerable to
brute-force attacks. The initial risk has been addressed; however, residual risks remain. For instance, the
implemented control itself may be broken. Over time the encryption algorithm may become less secure,
which will raise the level of the residual risk; the likelihood of this happening increases over time.

2.6.4. Resolution
The resolution of the DPIA should be based on the results of the risk management process that has been
performed, as well as on the residual risks and the decision to accept risks or not (also based on a
cost-benefit analysis).

A smart grid application/system will be considered by the system owner as satisfactory once the DPIA
process has been completed with relevant risks identified and appropriately treated to ensure no
unacceptable residual risks for the individuals remain, and in order to meet the requirements of
compliance, with appropriate internal reviews and approvals.

The following resolutions can be envisaged at the end of the DPIA process:

 A smart grid system or application already in production:
o The DPIA is positive: The DPIA report should be registered and stored by the Data
Protection Officer (if any) of the organisation and kept at the disposal of the Data
Protection Authority.
o The DPIA is negative: further consideration will require a specific corrective action plan
to be developed, including proposals for more efficient or new controls, and a new DPIA
to be completed in order to determine whether the application has reached an approvable
state.
 A smart grid system or application still under design:
o The DPIA is positive: risks have been assessed and controls addressing those risks
properly defined and tuned. Any residual risks have been flagged and no further
controls have been identified and/or certain risks have been accepted. The system
implementation proceeds. The DPIA report should include future dates for checking the
system once it is in production.
o The DPIA is negative: in addition to envisaging further controls for obtaining a new and
satisfactory level of residual risk, the report should also recommend, where possible,
new design actions for the application following the principle of Privacy by Design.

It is important to note that the final resolution should be a management decision and it should be based
on the results of the assessment performed, including and reflecting the societal stakes related to the
development of the smart grid.

2.7. Step 7 - Documentation and drafting of the DPIA Report
The performance of the DPIA following the phases identified above should be appropriately documented
and its results presented in the final DPIA report. The DPIA report can be structured around the phases
of work described in this document, presenting the results of each phase to the reader, annexing any
supporting documents or material used in the assessment.

The objective of the documentation is two-fold: (a) to facilitate the implementation of the process and
(b) to produce a final report that could be submitted to the DPA if requested.

DPIAs are internal processes and may handle proprietary classified information of the organisation
related to products and processes, with special confidentiality requirements. As such, the analysis
performed and its documentation may need to be appropriately secured, in accordance with the
organisation’s information classification scheme.

The signed DPIA Report that contains an approved resolution should be given to the assigned
organisation’s Data Protection Officer (if any21) in accordance with the system owner‘s internal
procedures. This report is provided without prejudice to the obligations set forth in Directive 95/46/EC
for data controllers, most notably the independent obligation to notify the competent authority as
described in section IX of Directive 95/46/EC.

In the resolution, the date and the name and title of the person signing should be clearly included.

Expected deliverables for this step: The DPIA report, which can be distributed to stakeholders when
appropriate.

2.8. Step 8 - Reviewing and maintenance


The purpose of this phase is to ensure that the undertakings arising from the conducted DPIA are carried
out in the existing system(s) or implemented project.

The following tasks are suggested:

• Reviewing the implementation of the mitigation and avoidance controls that were identified in
the DPIA;
• Preparing a review report;
• Presenting the privacy review report to the senior management and DPO where available;
• Rendering the privacy review report publicly available;
• Assessing whether there is a need for revising the DPIA after a certain amount of time or after a
new stage within the project or programme has been completed.
The review can be integrated within the organisation’s standard, periodic or occasional internal
processes.

21
In Germany there are legal obligations to have a data protection manager in organisations of more than 10
persons.

3. Questionnaires

3.1. Step 1 - Pre-assessment and criteria determining the need to conduct a DPIA

3.1.1. Criterion 1 – Personal data involved


• Does the program/change require you to collect any personal data, such as detailed household
consumption data, organisational measurement data, etc.?
• Will the personal data be combined with other data from outside the program/change?
• Can the data collected become personal due to linkage by third parties?
• Will the program/change require you to collect personal data from other systems?

3.1.2. Criterion 2 – Data controller/data processor


• Are you defining the conditions and the means of the processing operations (controller)?
• Are you conducting the processing on behalf of another organisation following their
requirements (processor)?
• Have security and data protection requirements been defined between you and the
processor/controller?

3.1.3. Criterion 3 - Impact on rights and freedom


• Are the privacy impacts on consumers unknown to your organisation?
• Do consumers have to give up control of their personal data?
• Are consumers able to control which data are collected? Are they able to control their data after
it has been collected?
• Is it expected that consumers will change their behaviour due to the fact their personal data (e.g.
energy consumption or change of supply) will be collected (freedom of choice might be
jeopardized)?

3.1.4. Criterion 4 – When to perform a DPIA (right timing and motivation)


Are you:

 Designing a new program or service within the smart grid use case or situation?
 Making significant changes to an existing smart grid use case or situation?
 Operating a system in production without a DPIA having been carried out?
 Facing a data breach?
 Selecting a cloud based service for the processing operations using personal data?

36
3.1.5. Criterion 5 – The nature of the system/application exercise

Purpose:

• Is the purpose of collecting the personal data not clear or not shared with the consumers?
• Will the personal data collected by the program/change be used for any other purposes,
including research and statistical purposes?
• Is the purpose of the program/change inconsistent with community values of privacy?
• Will the data be used for profiling?

System:

• Will the use of the technology or purpose from the program/change raise questions and/or
resistance from the consumers?
• Are there new (e.g. unevaluated) measures being applied in the design of the technology?

Organisational:

• Are the roles and responsibilities for processing the personal data unclear?
• Will the personal data processing be executed by a third party processor?
• Will the personal data be transferred to other organisations?

3.1.6. Criterion 6 – Legal basis and public concern


• Is there a legal obligation to conduct a Data Privacy Impact Assessment?
• Is the legal basis for processing of consumer data still unidentified?
• Is there a legal framework for the application or the smart grid use case?
• Do you anticipate that the public will have any privacy concerns regarding the proposed program
or change?

3.1.7. Other criterion


• Does the program/change contain any other measures that may affect privacy?

3.2. Step 2 - Initiation

Aim of the DPIA


Team member name | Role | Responsibility

Inventory of necessary resources

Interviewees | Documents | Other resources

3.3. Step 3 - Identification, characterization and description of Smart Grid
systems/applications processing personal data.

3.3.1. What is the detailed description of Smart Grid program/change according to the
M/490 Smart Grid Coordination Group use case template?

The support document can be found here:
http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/xpert_group1_sustainable_processes.pdf

Domain Name of Use Case

Narrative of Use Case


Short description – max 3 sentences

Complete description

Drawing or Diagram of Use Case “context diagram” and “sequence diagram” in UML
(as alternative, please include it in an annex and provide its name here)

3.3.2. What are the main scenarios of the Smart Grid use case?

Scenario Name:

Step No. | Description of Process/Activity | Information Producer | Information Receiver | Information Exchanged

3.3.3. Who are the main actors of the system?

Actor Name | Actor Description | Individual (I) / Organisation (O) / System / Component (S)

Table – Actors involved in the use case

The actors listed in the table above should be the ones involved in the personal data processing operations of the
system/application which is under the scope of the DPIA.

3.3.4. How can the use case be mapped to a Smart Grid Business and ICT architecture (e.g. M/490 SGAM)?
At least the zones need to be identified in this reference architecture. The support document can be
found in page 17 of the following file:
http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/xpert_group1_sustainable_processes.pdf

3.3.5. To which Smart Grid objective does the use case refer?

To which Smart Grid Objective does the use case refer?

Description of objective

Personal Data | Data Processing operation
Actor | Category of data | How used? | Reading frequency? | Retention time? | From whom? | For whom? | Who is controller? | Who is processer? | Triggering event | Required?

Table – Objectives of the use case

3.3.6. What are the primary and supporting assets of the smart grid?

Questions related to the primary assets:


• Which primary assets need to be protected?
• Which processing operation is concerned?
• What is its purpose?
• Who is it intended for?
• What business process is executed by this processing operation?
• Which data subjects are affected by this processing operation?
• How will the legal processes be implemented (i.e. right of access, rectification, etc.)?
• What kinds of personal data will undergo processing?
• What kinds of personal data will be used by the legal processes?

Questions related to the supporting assets:


• What supporting assets are used for the primary assets?
• Which kinds of hardware (computers, routers, electronic media, etc.)?
• Which kinds of software (operating systems, messaging systems, databases, business applications, etc.)?
• What are the kinds of computer communications networks (cables, Wi-Fi, fibre optics, etc.)?
• Who are the individuals involved?
• Which kinds of supporting paper assets (printouts, photocopies, etc.)?
• Which paper transmission channels (mail, workflow, etc.)?

3.4. Step 4 - Identification of relevant risks

3.4.1 Data Protection Threat identification

In order to facilitate the identification of threats, a non-exhaustive list of generic threats is provided below. They are grouped according to their
impact on confidentiality, integrity and availability of the data.

3.4.1.1 Threats that may jeopardize confidentiality


The following table presents the generic threats that can lead to:
• Illegitimate access to personal data,
• Compromise of processing (if this feared event is considered).

Columns: Generic threats | Explanation of threats | Specific Energy industry examples of supporting asset vulnerabilities | Questions for guidance | Controls (example)

Generic threat: Abnormal use of hardware
Explanation: Use of USB flash drives or disks that are ill-suited to the sensitivity of the information; use or transportation of sensitive hardware for personal purposes, etc.
Energy industry example: The use of uncontrolled hardware can introduce viruses in a normally clean environment. Energy companies which think they are secured against Internet threats become vulnerable to unexpected malware. Second, the use by energy companies of hardware which is not secure can cause serious risks (not able to mitigate DDoS attacks, the use of hard-coded high-privileged accounts with a simple username/password, not able to use VPN connections, etc.).
Questions for guidance:
1. Are unknown devices accepted for use in the IT/OT environment?
2. Are anti-virus and anti-malware measures present on all I/O ports?
3. Are crucial systems protected against the use of unknown storage devices (e.g. USB devices)?
Controls (example): Reducing software vulnerabilities; Reducing hardware vulnerabilities; Reducing the vulnerabilities of computer communications networks.

Generic threat: Hardware alteration
Explanation: Addition of incompatible hardware resulting in malfunctions; changing of components essential to the operation of an application, etc.
Energy industry example: Changing of smart meter hardware can lead to changes of metering data which will damage the integrity of the consumption profile. This can affect the billing process and may cause reputation damage for the grid operator.
Questions for guidance:
1. Is change of hardware components present?
2. Are measures in place to detect alteration of hardware in critical (smart energy) devices?
3. Are these measures able to generate an alarm when a device is accessed or modified?
Controls (example): Reducing hardware vulnerabilities.

Generic threat: Hardware espionage
Explanation: Watching a person's screen without them knowing while on the train; taking a photo of a screen; geo-location of hardware; remote detection of electromagnetic signals; shoulder-surfing, etc.
Energy industry example: Where copper wiring is still in use, it is possible to listen to the signals on the communication lines. This makes it possible to interpret and reuse signals sent over the communications network.
Questions for guidance:
1. Does an awareness program include these topics? Is replacing copper with fibre part of the planning?
2. Are screen protectors in use to make it impossible to look at the screen or take pictures of the screen?
3. Are measures taken to protect the data when using a public wireless network?
4. Are remote access controls disabled in an unprotected area (e.g. WiFi, Bluetooth, infrared)?
Controls (example): Reducing hardware vulnerabilities.

Generic threat: Hardware key-logger
Explanation: A hardware key-logger logs all keystrokes. It allows attackers to reuse usernames and passwords; compromised data can be observed and searched for specific words, sentences, etc.
Energy industry example: Hardware key-loggers can be used to collect data like usernames and passwords, commands, etc. This will make it possible to log in to the SCADA system and use a dispatcher's role to communicate with the SCADA system.
Questions for guidance:
1. Are keyboard connectors, USB ports and other I/O ports checked for unknown hardware devices on a regular basis?
Controls (example): Reducing hardware vulnerabilities.

Generic threat: Hardware loss
Explanation: Theft of a laptop from a hotel room; theft of a professional mobile phone by a pickpocket; retrieval of a discarded storage device or hardware; loss of an electronic storage device, etc.
Energy industry example: Every device which contains sensitive data about the smart grid environment will cause an unacceptable risk of alteration and abuse of those data. When information is retrieved about the brand and type of firewalls, IP ranges, OS and SCADA system brand and type, a serious attack is made easy.
Questions for guidance:
1. Are hardware devices containing data protected against abuse (password, PIN code, biometric recognition, pattern recognition)?
2. Is the data in the hardware encrypted?
Controls (example): Reducing hardware vulnerabilities; Reducing vulnerabilities related to the circulation of paper documents.

Generic threat: Viewing of paper documents
Explanation: Reading, photocopying, photographing, etc.
Energy industry example: Paper documents with personal (metering, billing) information of the consumers are not securely stored and are therefore accessible to unauthorized persons.
Questions for guidance:
1. Are measures taken to prevent unauthorized access to paper documents with personal data?
2. Is printing on demand installed?
3. Are there secure lockers available to store printed data?
Controls (example): Reducing the vulnerabilities of individuals; Reducing the vulnerabilities of paper documents; Reducing vulnerabilities related to the circulation of paper documents.

Generic threat: Eavesdropping of computer channels
Explanation: Interception of Ethernet traffic; acquisition of data sent over a Wi-Fi network, etc.
Energy industry example: Observation of metering and technical data between the smart meters and the central system with a false GSM base station by an unauthorized person.
Questions for guidance:
1. Are measures taken to prevent interception (like a man-in-the-middle attack)?
2. Is time-stamping in place?
3. Are authentication and authorisation in place to refuse unknown devices?
4. Is the (wireless) connection between an authorized object and the head-end protected (e.g. an encrypted tunnel)?
Controls (example): Reducing software vulnerabilities; Reducing the vulnerabilities of computer communications networks.

Generic threat: Remote espionage of individuals
Explanation: Unintentional disclosure of personal information while talking; use of listening devices to eavesdrop on meetings, etc.
Energy industry example: Metering operators talking about information from consumers in their meetings or in public areas.
Questions for guidance:
1. Are employees informed about security, security risks and vulnerabilities?
2. Is awareness part of working meetings?
3. Are incidents shared to learn from them?
Controls (example): Reducing the vulnerabilities of individuals.

Generic threat: Software key-logger / Trojan horse
Explanation: A software key-logger logs all keystrokes and/or a Trojan sends commands and data to the attacker's computer system.
Energy industry example: Allows attackers to engineer and reuse usernames and passwords; compromised data can be observed and searched for specific words, sentences, etc.
Questions for guidance:
1. Are all computer systems equipped with anti-virus and anti-malware solutions (if available for the particular OS)?
2. Are anti-malware and anti-virus solutions updated on a daily basis?
3. Is anti-virus set so that the full computer scans on a regular basis?
Controls (example): Reducing software vulnerabilities.

44
3.4.1.2 Threats that may jeopardize integrity
The following table presents the generic threats that can lead to:
• Changes in processing,
• Unwanted changes of personal data,
• Alterations to legal processes (if this feared event is considered).

Columns: Generic threats | Explanation of threats | Specific Energy industry examples of supporting asset vulnerabilities | Questions for guidance | Controls (example)

Generic threat: Software alteration
Explanation: Errors during updates, configuration or maintenance; infection by malicious code; replacement of components, etc.
Energy industry example: Changing smart meter software can lead to changes of metering data which will damage the integrity of the consumption profile. This can affect the billing process and may cause reputation damage for the grid operator.
Questions for guidance:
1. Is configuration management in place?
2. Is patch management in place?
3. Are software updates tested in a test environment before use in the operational environment?
4. Is source code reviewed when software is custom or customized for a specific system?
Controls (example): Reducing software vulnerabilities.

Generic threat: Software function creep
Explanation: Content scanning; illegitimate cross-referencing of data; raising of privileges; wiping of usage tracks; sending of spam via an e-mail program; misuse of network functions, etc.
Energy industry example: Meter operators have the privilege to make data accessible for viewing or manipulation (deletion, modification, movement, etc.).
Questions for guidance:
1. Is change of data authorized by a change management process?
2. Are dedicated devices in use to change software functions, to avoid unwanted introduction of viruses or malware?
Controls (example): Reducing software vulnerabilities.

Generic threat: Man-in-the-middle attack via computer channels
Explanation: Man-in-the-middle attack to modify or add data to network traffic; replay attack (resending of intercepted data), etc.
Energy industry example: A man-in-the-middle attack has been performed to modify the smart grid data so that the whole energy system will be unreliable. This may cause damage to the energy supply.
Questions for guidance:
1. Is the data channel encrypted?
2. Is time-stamping in place?
Controls (example): Reducing software vulnerabilities; Reducing the vulnerabilities of computer communications networks.

Generic threat: Work overload
Explanation: High workload, stress or negative changes in working conditions; assignment of staff to tasks beyond their abilities; poor use of skills, etc.
Energy industry example: When maintenance people are not skilled to do their job and/or are stressed, there is a high risk of unnoticed security breaches. They will recognize a security breach when systems are already going down, which is too late.
Questions for guidance:
1. Are employees adequately trained to do their job?
2. Is the workload acceptable?
3. Are employees trained to recognise vulnerabilities which can lead to a security breach?
Controls (example): Reducing the vulnerabilities of individuals.

Generic threat: Forgery of paper documents
Explanation: Changes to figures in a file; replacement of an original by a forgery, etc.
Energy industry example: Changes to figures etc. are only possible in an environment where RBAC does not exist and people get far too many access rights. In a controlled environment where need-to-know and need-to-do are normal, this cannot be a problem. Falsifiable information can lead to unreliable consumer and metering information.
Questions for guidance:
1. Is Identity and Access Management in place (e.g. Role Based Access Control)?
2. For critical information changes, is separation of duties in place?
Controls (example): Reducing the vulnerabilities of individuals.

Generic threat: Insufficient access control procedures
Explanation: Access rights are not revoked when they are no longer necessary.
Energy industry example: (1) After a change of supplier the former supplier still has valid credentials to (historically) read out meter data. (2) After moving house, the new tenant has access to historic readings in the meter. (3) Employees who change job positions are still authorized to access data not necessary for their new job.
Questions for guidance:
1. Did you implement an access control policy?
2. Who has access to the personal data?
3. Does your access control policy cover all persons involved in processing personal data?
4. How do you deal with access control rights when staff leaves the organisation?
5. Do you have a regular review of the access control policy?
Controls (example): Managing persons within the organisation who have legitimate access; Monitoring logical access controls; Managing third parties with legitimate access to personal data.

Generic threat: Insufficient information security controls
Explanation: Unauthorized parties obtain access to personal information by breach of security or lack of security implementation.
Energy industry example: The load profile is not end-to-end encrypted and could be read and processed by an unauthorized third party, e.g. a network provider.
Questions for guidance:
1. Is an information security policy described, implemented and in place?
2. Have the information security controls been audited? Checked by an auditor?
Controls (example): Protecting personal data archives; Anonymizing personal data; Encrypting personal data; Partitioning personal data; Managing personal data violations.

Generic threat: Insufficient logging mechanism
Explanation: The implemented logging mechanism is insufficient. It does not log administrative processes.
Energy industry example: In a smart meter / smart energy system it is not known which entity reads, collects, writes, changes or deletes data. After an incident, or just for routine checks, it is necessary to have logging information to reconstruct earlier activities.
Questions for guidance:
1. What are the security controls taking non-repudiation into account?
2. How is the access to the personal data being logged?
Controls (example): Monitoring logical access controls; Managing personal data violations; Tracing the activity on the IT system.

Generic threat: Breach in security implementation
Explanation: Though sufficient protective measures are theoretically in place, a breach in the implementation enables unauthorized parties to obtain access to personal data.
Energy industry example: A faulty implementation of security mechanisms (locally or on a centralized server) enables hackers to access a memory area containing identifiable meter load profile history.
Questions for guidance:
1. Did you perform a penetration test after implementation of the security controls?
2. How are the incident response management and the intrusion detection system implemented according to international standards?
Controls (example): Combating malicious codes; Reducing software vulnerabilities; Reducing hardware vulnerabilities; Reducing the vulnerabilities of computer communications networks.

Generic threat: Access to data that was not intended (not necessary for the purpose of collection)
Explanation: Unjustified data access after Change of Tenancy (CoT) or Change of Supply (CoS).
Energy industry example: In case the tenant changes, the data from the previous tenant is made available to the new tenant. In case of change of supply, the old supplier still has access to the data.
Questions for guidance:
1. Do you have procedures regarding personal data transfer after CoT or CoS?
Controls (example): Create procedures to address CoT and CoS; Active measure to preclude the use of particular data-items in the making of particular decisions; Destruction schedules for personal information.
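
The access-window rule behind the "Insufficient access control procedures" and "Access to data that was not intended" rows above, as an added example that is not part of the DPIA template: a party is served only the readings from days its own supply contract or tenancy covered, so a former supplier or a new tenant cannot read out history that is not theirs, and every refusal is recorded for the logging questions. The MeterReading and Entitlement records, the identifiers such as SUP-A and T-NEW, and the CoS/CoT dates are constructed for illustration.

```python
"""Entitlement-window filtering of meter readings after CoS or CoT.

Added example, not part of the DPIA template. The data model and all sample
values below are constructed; they stand in for whatever contract and tenancy
register a real operator keeps.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class MeterReading:
    meter_id: str
    day: date
    kwh: float


@dataclass(frozen=True)
class Entitlement:
    party: str            # supplier or tenant identifier (constructed)
    meter_id: str
    start: date           # first day covered by the supply contract / tenancy
    end: Optional[date]   # None = still active


@dataclass
class AccessDecision:
    granted: List[MeterReading] = field(default_factory=list)
    refused: List[str] = field(default_factory=list)   # audit trail of refusals


def readings_visible_to(party: str, meter_id: str, readings: List[MeterReading],
                        entitlements: List[Entitlement]) -> AccessDecision:
    """Return only the readings taken while `party` held an entitlement for the meter.

    Readings before the entitlement started or after it ended are refused and
    logged; a party with no entitlement at all for the meter gets nothing.
    """
    windows = [e for e in entitlements if e.party == party and e.meter_id == meter_id]
    decision = AccessDecision()
    if not windows:
        decision.refused.append(f"{party}: no entitlement for meter {meter_id}")
        return decision
    for r in readings:
        if r.meter_id != meter_id:
            continue
        in_window = any(w.start <= r.day and (w.end is None or r.day <= w.end)
                        for w in windows)
        if in_window:
            decision.granted.append(r)
        else:
            decision.refused.append(
                f"{party}: refused {meter_id} {r.day.isoformat()} (outside entitlement window)")
    return decision


# Constructed sample data: one meter, ten daily readings in January 2014.
SAMPLE_READINGS = [MeterReading("M1", date(2014, 1, 1) + timedelta(days=i), 10.0 + i)
                   for i in range(10)]

# Constructed entitlements: CoS on 6 January (SUP-A -> SUP-B) and CoT on
# 4 January (T-OLD -> T-NEW). The outgoing parties keep nothing past their end date.
SAMPLE_ENTITLEMENTS = [
    Entitlement("SUP-A", "M1", date(2013, 6, 1), date(2014, 1, 5)),
    Entitlement("SUP-B", "M1", date(2014, 1, 6), None),
    Entitlement("T-OLD", "M1", date(2012, 9, 1), date(2014, 1, 3)),
    Entitlement("T-NEW", "M1", date(2014, 1, 4), None),
]

if __name__ == "__main__":
    for who in ("SUP-A", "SUP-B", "T-OLD", "T-NEW", "SUP-X"):
        d = readings_visible_to(who, "M1", SAMPLE_READINGS, SAMPLE_ENTITLEMENTS)
        print(f"{who}: {len(d.granted)} granted, {len(d.refused)} refused")
```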

Generic threat: The protection of data is compromised outside the European Economic Area (EEA)
Explanation: There is a risk that smart metering data may be at risk if sent outside of the EEA. Another risk is that personal data like metering data gives inside information about vital infrastructures in an unknown, maybe untrustworthy environment.
Energy industry example: Data protection standards outside the EEA may not be secure and robust, as those countries are not subject to the obligations within the Data Protection Directive. Foreign organisations use information about vital infrastructures and personal information to investigate people of interest.
Questions for guidance:
1. Do you transfer the personal data outside the European Economic Area?
2. To which country outside the European Economic Area is the personal data transferred?
3. Is the personal data transferred to a country that provides an adequate level of protection according to article 25 of Directive 95/46/EC?
4. How did you guarantee the protection of the personal data when transferred outside the European Economic Area?
5. Are all parties involved in implementation and operation established in the EU?
Controls (example): Anonymizing personal data; Limiting personal data transfer to countries that provide an adequate level of protection according to article 25 of Directive 95/46/EC; Active measures to preclude the disclosure of particular data-items; Not transferring the source data, but only the outcomes.

Generic threat: Inability to execute individual rights (inspection rights)
Explanation: If data are going to be held by multiple data controllers, then consumers should have a means by which to access these data from multiple sources using a single subject access request.
Energy industry example: A petrol station and the organisation providing invoices work together to enable charging of vehicles in joint controllership. Individuals should be provided with easy means to get insight into the data collected (e.g. by a unified user access right).
Questions for guidance:
1. Is a procedure in place to easily inform consumers about the use of their personal data?
Controls (example): Informing data subjects; Obtaining the consent of data subjects; Giving the individual control over his data, for example by a secured website portal.

Generic threat: Incomplete information
Explanation: The information provided to the data subject on the purpose and use of data is not complete.
Energy industry example: Information provided to consumers only consists of usage data; information about other information gathered (such as the ability to detect communication disruptions) is not provided.
Questions for guidance:
1. How did you notify the purpose of the processing operation of personal data to the consumers?
Controls (example): Informing data subjects; Clear and consistent communication of purpose and goals of data collection.

Generic threat: Prevention of objections
Explanation: Data subjects have the right to object to the processing of data. If they want to exercise this right it must be (technically) possible.
Energy industry example: Consumers cannot opt out of the reading of detailed energy load profiles because read-out schemes are not configurable: there are no technical or operational means to allow compliance with a data subject's objection.
Questions for guidance:
1. Is it possible to change the collection of personal data in the smart grid use case after the consumer's objection?
2. Can consumers object to processing of personal data by certain technologies?
Controls (example): Permitting the exercise of the right to object; Make a privacy policy, code of conduct or certify the processing of the data to be more transparent.

Generic threat: Unclear responsibilities for data processing
Explanation: It is not clear to data subjects what parties are involved in the processing of data and their respective roles.
Energy industry example: (1) An installation organisation is acting as a subcontractor for the metering operator and is collecting data for the grid operator. (2) The energy service company (ESCo) hires a third party to collect data to provide energy saving advice to the consumer.
Questions for guidance:
1. Are responsibilities clearly described and carried out for all parties?
2. Is responsibility for data processing part of a subcontractor's contract?
Controls (example): Informing data subjects; Make a privacy policy, code of conduct or certify the processing of the data to be more transparent.

Generic threat: A lack of transparency for automated individual decisions
Explanation: Automated processing of personal data intended to evaluate certain personal aspects or conduct is used, but the data subjects are not informed about the logic of the decision-making.
Energy industry example: Remote disconnect is performed without a clear explanation provided to the user or the reasons why.
Questions for guidance:
1. Are consumers informed of automated information processing?
2. How are the consumers notified of automated individual decisions?
Controls (example): Informing data subjects.

Generic threat: Lack of quality of data for the purpose of use
Explanation: If data is used for certain processes it should be adequate.
Energy industry example: For billing on a daily basis, data should be registered on a daily basis. For disconnecting electricity supply, the exact location (address) and reasons should be conclusive. Based upon wrong consumption data a wrong invoice is sent. A comma is used as a separator where a full stop is intended; this leads to a wrong invoice.
Questions for guidance:
1. Are automated input validation and reconciliation controls implemented?
2. How do you ensure data quality for the purpose of use?
3. Are there test procedures for data quality?
Controls (example): Monitoring the integrity of personal data; Introduction of automated controls on the data quality.

Generic threat: Lack of access to personal data
Explanation: There is no way for the data subject to initiate a correction or erasure of his data. The data controller and/or processor are not sufficiently prepared to respond to such requests.
Energy industry example: A personalized overview of personal data cannot be generated from the database that holds the data.
Questions for guidance:
1. Are there processes to meet the consumer's rights on data collection, access, deletion and correction?
2. Are you able to provide an overview of the data collected?
3. Are you able to provide what data is transferred to a third party?
4. Can an overview of what data is provided to whom be provided?
5. Are you able to delete the data on request?
Controls (example): Permitting the exercise of the direct access right; Allowing the exercise of the right to correct; Design, implementation and resourcing of a responsive complaints-handling system, backed by serious sanctions and enforcement powers; Give the individual control over his data, for example by a secured website portal.

Generic threat: Inability to respond to requests for subject access, correction or deletion of data in a timely and satisfying manner
Explanation: The data is distributed across several business units and an integrated overview cannot be made within a short time frame.
Energy industry example: Metering data is stored and maintained by the technical department, reactions to commercial offers are stored at the commercial department, and questions and answers are stored at the service department. Combining this data in one overview takes (a lot of) effort.
Questions for guidance:
1. Are there processes to meet the consumer's rights on data collection, access, deletion and correction?
2. Are you able to provide an overview of the data collected?
3. Are you able to provide what data is transferred to a third party?
4. Can an overview of what data is provided to whom be provided?
5. Are you able to delete the data on request?
Controls (example): Allowing the exercise of the right to correct; Design, implementation and resourcing of a responsive complaints-handling system, backed by serious sanctions and enforcement powers; Give the individual control over his data, for example by a secured website portal.

Generic threat: Abnormal use of software
Explanation: Unwanted modifications to data in databases; erasure of files required for software to run properly; operator errors that modify data, etc.
Energy industry example: Unauthorized changes of personal data, metering data, etc. make the system unreliable.
Questions for guidance:
1. Is access control in place?
2. Is the authorization structure well-tuned?
3. Are authorizations checked on a regular basis?
4. Are authorizations revoked immediately after job change or dismissal?
5. Are system operations logged?
6. Is separation of duties in place in critical system operations?
Controls (example): Reducing software vulnerabilities.
53
3.4.1.3 Threats that may jeopardize availability
The following table presents the generic threats that can lead to:
• Unavailability of legal processes,
• Disappearance of personal data,
• Unavailability of processing (if this feared event is considered).

Columns: Generic threats | Explanation of threats | Specific Energy industry examples of supporting asset vulnerabilities | Questions for guidance | Controls (example)

Generic threat: Hardware loss
Explanation: Theft of a laptop from a hotel room; theft of a professional mobile phone by a pickpocket; retrieval of a discarded storage device or hardware; loss of an electronic storage device, etc.
Energy industry example: Every device which contains sensitive data about the smart grid environment will cause an unacceptable risk of alteration and abuse of those data. When information is retrieved about the brand and type of firewalls, IP ranges, OS and SCADA system brand and type, a serious attack is made easy.
Questions for guidance:
1. Are hardware devices containing data protected against abuse (password, PIN code, biometric recognition, pattern recognition)?
2. Is the data in the hardware encrypted?
Controls (example): Reducing hardware vulnerabilities; Reducing vulnerabilities related to the circulation of paper documents.

Generic threat: Loss of power
Explanation: Loss of power can harm hardware and software and lead to unavailability of computing systems and network equipment and to disruption of smart grid devices.
Energy industry example: Due to power loss, crash of hard drives or other hardware components; due to power loss, crash of the OS or loss of unsaved data; a long power loss has an impact on the availability of systems, as not all systems will be covered by emergency power equipment; a very long loss of power will lead to disruption in refuelling emergency power and a lack of emergency power.
Questions for guidance:
1. Are measures taken to avoid disruption of power, such as UPS and no-break?
2. For vital information systems, are uninterruptible power supplies in place?
3. Are there provisions made in order to refuel in time?
Controls (example): Reducing software vulnerabilities; Reducing hardware vulnerabilities; Reducing the vulnerabilities of computer communications networks.

Generic threat: Denial of service
Explanation: Denial of service will lead to unavailability of computing systems.
Energy industry example: DDoS attacks can lead to unavailability. Consumers cannot reach the websites of the supplier. Smart grid components cannot communicate, which leads to disruption of the self-healing opportunities of the grid.
Questions for guidance:
1. Are attack scenarios investigated and known?
2. Are mitigating measures in place to detect and stop a D(D)oS attack?
3. Is a Disaster Recovery plan in place to recover as soon as possible after a successful attack?
Controls (example): Reducing hardware vulnerabilities; Reducing the vulnerabilities of computer communications networks.

55
3.4.1.4 Threats that may jeopardize personal data
The following table presents the generic threats that can lead to:
• Breaches of legal processes,
• Breach of use of personal data.

Columns: Generic threats | Explanation of threats | Specific Energy industry examples of supporting asset vulnerabilities | Questions for guidance | Controls (example)

Generic threat: Collection exceeding purpose
Explanation: More personal data is collected than what is necessary to achieve a specified purpose.
Energy industry example: Collecting more detailed load profile data for the purpose of monthly billing, where much less detailed data would be sufficient to achieve the same objective.
Questions for guidance:
1. What personal data do you need to collect for the purpose?
2. Is the collected data proportional to the purpose?
Controls (example): Minimizing the amount of personal data; Active measure to preclude the use of particular data-items in the making of particular decisions; Limits on the use of information for a very specific purpose, with strong legal, organisational and technical safeguards preventing its application for any other purpose.

Generic threat: Combination exceeding purpose
Explanation: Personal data is combined to an extent that is not necessary to fulfil the specified purpose.
Energy industry example: Information in the smart metering load profile used for billing is combined with personal data obtained from a third party to provide (third party) additional targeted services or products (e.g. insurance for stability in energy supply).
Questions for guidance:
1. Will the personal data be combined with other data outside the scope of the system/application?
2. Is the personal data only collected for that specified predetermined purpose?
Controls (example): Minimizing the amount of personal data; Active measure to preclude the use of particular data-items in the making of particular decisions; Active measures to preclude the disclosure of particular data-items; Limits on the use of information for a very specific purpose, with strong legal, organisational and technical safeguards preventing its application to any other purpose.

Generic threat: Missing erasure policies or mechanisms; excessive retention periods
Explanation: Data is retained longer than necessary to fulfil the specified purpose or to comply with legal obligations. Detailed metering data is kept in a database for longer than necessary to achieve its purpose and/or longer than required by law, for example because of the absence of automatic deletion of obsolete data, or because excessive retention periods have been established without due regard to data protection requirements.
Energy industry example: Metering data in energy systems is retained for x period in line with generic Archive Laws, but it should only be retained in line with the data retention policy, because it is not needed for the purpose anymore.
Questions for guidance:
1. Is there a legal obligation defining the data retention period?
2. Do you have a data retention policy implemented?
3. What is the retention time of the personal data?
4. What are the measures to delete the personal data after this retention time?
5. Is there an auditing mechanism to inspect the erasure policies or mechanisms?
6. Is it necessary to store the data for this retention period considering the purpose?
Controls (example): Managing personal data retention periods; Active measure to preclude the use of particular data-items in the making of particular decisions; Minimisation of personal data retention by destroying it as soon as the transaction for which it is needed is completed; Destruction schedules for personal information.
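
One way to implement the retention mechanism the row above asks about (questions 2, 4 and 5), added here as an example that is not part of the DPIA template: every stored record carries the purpose it was collected for, the policy fixes a maximum age per purpose, and the erasure run returns the surviving records together with an audit log of what was deleted, while records with no declared or unknown purpose are set aside for review instead of being silently kept. The purposes, retention periods and sample records are constructed and do not come from any law or policy.

```python
"""Purpose-bound retention of metering data with an erasure audit trail.

Added example, not part of the DPIA template. The record layout, the purposes,
the retention periods and the sample records are constructed for illustration;
real periods come from the legal obligation and the retention policy identified
in the assessment.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StoredRecord:
    meter_id: str
    collected: date
    granularity: str          # "half_hourly", "daily" or "monthly"
    purpose: Optional[str]    # None = purpose never declared (a finding in itself)


# Constructed policy: maximum age in days per declared purpose.
RETENTION_DAYS: Dict[str, int] = {
    "billing": 365,            # a year of daily totals for invoicing disputes
    "time_of_use_tariff": 90,  # half-hourly detail only while the tariff needs it
    "network_planning": 30,    # short-lived operational use
}


def apply_retention(records: List[StoredRecord], policy: Dict[str, int],
                    today: date) -> Tuple[List[StoredRecord], List[str], List[StoredRecord]]:
    """Split records into (kept, erasure_log, needs_review).

    kept         - records still inside their purpose's retention period
    erasure_log  - one audit line per record deleted in this run
    needs_review - records with no declared purpose or a purpose missing from the
                   policy; neither silently kept nor silently deleted
    """
    kept: List[StoredRecord] = []
    erasure_log: List[str] = []
    needs_review: List[StoredRecord] = []
    for rec in records:
        if rec.purpose is None or rec.purpose not in policy:
            needs_review.append(rec)
            continue
        expiry = rec.collected + timedelta(days=policy[rec.purpose])
        if today > expiry:
            erasure_log.append(
                f"erased meter={rec.meter_id} granularity={rec.granularity} "
                f"collected={rec.collected.isoformat()} purpose={rec.purpose} "
                f"expired={expiry.isoformat()}")
        else:
            kept.append(rec)
    return kept, erasure_log, needs_review


TODAY = date(2014, 6, 30)   # constructed reference date for the erasure run

# Constructed sample records; the comment states the expected outcome for TODAY.
SAMPLE_RECORDS = [
    StoredRecord("M1", date(2014, 1, 15), "daily", "billing"),                  # kept
    StoredRecord("M1", date(2013, 3, 1), "daily", "billing"),                   # erased
    StoredRecord("M1", date(2014, 2, 1), "half_hourly", "time_of_use_tariff"),  # erased
    StoredRecord("M1", date(2014, 5, 1), "half_hourly", "time_of_use_tariff"),  # kept
    StoredRecord("M2", date(2014, 6, 10), "monthly", "network_planning"),       # kept
    StoredRecord("M2", date(2014, 6, 1), "half_hourly", None),                  # review
    StoredRecord("M3", date(2014, 6, 1), "daily", "marketing"),                 # review
]

if __name__ == "__main__":
    kept, log, review = apply_retention(SAMPLE_RECORDS, RETENTION_DAYS, TODAY)
    print(f"kept={len(kept)} erased={len(log)} review={len(review)}")
    for line in log:
        print(line)
```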

58
Generic threats Explanation of threats Specific Energy industry examples of Questions for guidance Controls
supporting asset vulnerabilities (example)

Undeclared data Some data is secretly The DSO does remote meter readings 1. Are consumers informed about Informing data
collection recorded and thus of detailed load profile without collection of personal data, subjects
unknown to the data consumer's awareness. timing, data retention, usage
subject. 2. Is any data collected without Clear and
consumer notification? consistent
3. Are you collecting any data communication of
without informing the purpose and goals
consumer? of data collection
unlimited Personal data is used In an energy system metering billing 1. What is the purpose of using the Informing data
purpose for additional information can also be used for personal data? subjects
purposes that have marketing goals and awareness about 2. Is the purpose S.M.A.R.T.
not been adequately energy consumption and CO2 emissions defined? Clear and
justified and and for selling targeted electricity 3. Are all purposes of use in line consistent
documented to the schemes. with purpose of collection? communication of
data subject. purpose and goals
of data collection

59
Generic threats Explanation of threats Specific Energy industry examples of Questions for guidance Controls
supporting asset vulnerabilities (example)

Generic threat: Invalidation of explicit consent
Explanation: When consent is used as the legal basis for data processing, it must be (a) freely given, (b) specific and (c) an informed indication of the user's wishes. If any of these conditions is not met, the consent is invalid.
Energy industry examples:
(1) The consumer is offered only significantly higher tariffs unless he accepts the use of his load profile data for marketing purposes (consent is not freely given);
(2) the consumer is not informed of the possibility that his load profile data may be disclosed to third parties for marketing purposes when asked to opt in to half-hourly readings (consent is not informed);
(3) the consumer is required to consent to detailed (e.g. half-hourly) meter readings even when he does not wish to sign up for a time-of-use tariff (consent is not specific);
(4) the consumer provides consent through general contract conditions (implicit instead of explicit consent);
(5) the consumer accepts an electricity scheme without a signature.
Questions for guidance:
1. How did you ask for and receive explicit consent from the consumer?
2. What choices did the consumer have (system, type of data, and way of collecting)?
3. What are the consequences for the consumer if consent is not given?
Controls: Informing data subjects; Obtaining data subjects' consent; Non-collection of contentious data-items; No collection of identifiable information, only pseudonyms or anonymous data; Use of mathematical methods that reach the goal without collecting and registering source data; Clear and consistent communication of purpose and goals of data collection


Generic threat: Non legally based personal data processing
Explanation: Processing of personal data is not based on consent, a contract, a legal obligation or another relevant legal ground as per Article 7 of Directive 95/46/EC.
Energy industry examples:
(1) A smart grid operator shares collected information with a third party without notice or consent and without being otherwise legally allowed to.
(2) New parties connect to the grid and use information for purposes not specified in the electricity law, although highly related (e.g. petrol stations connect for the purpose of charging vehicles but also need to maintain stability of the energy supply).
Questions for guidance:
1. Is the collection of personal data based on explicit consent and/or legitimate grounds?
2. What is the legitimate ground for collecting the personal data?
Controls: Obtaining the consent of data subjects; Minimizing the amount of personal data; Make a privacy policy, code of conduct or certify the processing of the data to be more transparent

Generic threat: Lack of transparency
Explanation: Data processing is not made transparent, or information is not provided in a timely manner.
Energy industry example: Information available to consumers lacks clear information on how data is processed and used, on the identity of the operator, or on the user's rights.
Questions for guidance:
1. Are consumers informed about the type of data, the data retention policy and transfers of data to third parties?
2. Do you notify consumers about their privacy and data protection rights?
Controls: Informing data subjects; Make a privacy policy, code of conduct or certify the processing of the data to be more transparent

3.4.1. Data Protection Threat identification - Outcome of the questionnaire

List in the table below the threats selected from the threat table in section 3.4.1. Each feared event should be associated with one or more threats.

Feared events | Threat ID | Threat name | Brief explanation why relevant
Feared event 1 | ……… | ……… | ………
Feared event 2 | ……… | ……… | ………
Feared event 3 | ……… | ……… | ………

3.5. Step 5 - Data Protection Risk Assessment

Severity/impact is derived from the sum of two component scores, level of identification + prejudicial effects:

Level of identification + prejudicial effects | Severity/impact
< 5 | 1. Negligible
= 5 | 2. Limited
= 6 | 3. Significant
> 6 | 4. Maximum

Likelihood is derived in the same way from supporting asset vulnerabilities + risk source capabilities:

Supporting asset vulnerabilities + risk source capabilities | Likelihood
< 5 | 1. Negligible
= 5 | 2. Limited
= 6 | 3. Significant
> 6 | 4. Maximum

Risk assessment table:

Feared events | Threat ID | Related privacy targets | Affected assets | Impact | Likelihood | Risk level
Feared event 1 | ……… | ……… | ……… | ……… | ……… | ………
Feared event 2 | ……… | ……… | ……… | ……… | ……… | ………
Feared event 3 | ……… | ……… | ……… | ……… | ……… | ………

Map for locating the feared events from their risk level without considering the controls (source CNIL):

Severity (rows) against likelihood (columns: 1. Negligible, 2. Limited, 3. Significant, 4. Maximum); only the severity row of each event is legible in this rendering:
4. Maximum: Feared event 2
3. Significant: Feared event 1
2. Limited: Feared event 3, Feared event 4
1. Negligible:

3.6. Step 6 – Identification and Recommendation of controls and residual risks

Control identification table and residual risks

Feared events | Threat ID | Controls planned or implemented (including implementation of privacy targets) | Risk level | Risk treatment | Residual risk
Feared event 1 | ……… | ……… | ……… | ……… | ………
Feared event 2 | ……… | ……… | ……… | ……… | ………
Feared event 3 | ……… | ……… | ……… | ……… | ………

Map of feared events with implemented or planned controls (each event is shown at its position before the controls and at its position with the controls applied):

Severity (rows) against likelihood (columns: 1. Negligible, 2. Limited, 3. Significant, 4. Maximum):
4. Maximum: Feared event 2 (before controls), Feared event 2 (with controls, still in the Maximum row)
3. Significant: Feared event 1 (before controls)
2. Limited: Feared event 1 (with controls), Feared event 3, Feared event 4 (before controls)
1. Negligible: Feared event 4 (with controls)
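Worked example of the Step 5 scoring and the Step 6 residual-risk check, as added Python code that is not part of the template. It assumes, as in the CNIL method the map is taken from, that each of the four components (level of identification, prejudicial effects, supporting asset vulnerabilities, risk source capabilities) is scored 1 to 4, and applies the template's thresholds (<5, =5, =6, >6) to each sum. The feared events, threat IDs, component scores and the reduction attributed to each control are constructed sample data; the acceptance rule (anything still Significant or Maximum on either axis stays on the treatment list) is an assumption of the example, not a rule from the template.

```python
"""Scoring for Step 5 (risk assessment) and Step 6 (residual risk).

Severity   = level of identification + prejudicial effects
Likelihood = supporting-asset vulnerabilities + risk-source capabilities
Each component is assumed to be scored 1..4; each sum maps to the template's
four-point scale: <5 Negligible, =5 Limited, =6 Significant, >6 Maximum.
The feared events, component scores and control effects below are
constructed sample data, not figures from the DPIA template.
"""
from dataclasses import dataclass, replace

SCALE = {1: "1. Negligible", 2: "2. Limited", 3: "3. Significant", 4: "4. Maximum"}


def level(total: int) -> int:
    """Map a component sum (2..8) onto the 1..4 scale of the template."""
    if total < 5:
        return 1
    if total == 5:
        return 2
    if total == 6:
        return 3
    return 4


@dataclass(frozen=True)
class FearedEvent:
    name: str
    threat_id: str
    identification: int          # how easily the data subject is identified
    prejudicial_effects: int     # harm to the subject if the event occurs
    asset_vulnerabilities: int   # weakness of the supporting asset
    source_capabilities: int     # capability of the risk source

    def __post_init__(self):
        for field in ("identification", "prejudicial_effects",
                      "asset_vulnerabilities", "source_capabilities"):
            if not 1 <= getattr(self, field) <= 4:
                raise ValueError(f"{field} must be scored 1..4")

    @property
    def severity(self) -> int:
        return level(self.identification + self.prejudicial_effects)

    @property
    def likelihood(self) -> int:
        return level(self.asset_vulnerabilities + self.source_capabilities)


def apply_control(event: FearedEvent, **reductions: int) -> FearedEvent:
    """A control lowers one or more component scores (clamped to 1).
    It must never raise either axis; the assertion catches a mis-entered
    reduction that would make a 'control' increase the risk."""
    lowered = {k: max(1, getattr(event, k) - d) for k, d in reductions.items()}
    treated = replace(event, **lowered)
    assert treated.severity <= event.severity
    assert treated.likelihood <= event.likelihood
    return treated


def risk_map(events) -> dict:
    """Group event names by (severity, likelihood) cell of the 4x4 map."""
    grid: dict = {}
    for ev in events:
        grid.setdefault((ev.severity, ev.likelihood), []).append(ev.name)
    return grid


def residual_risk(events, controls, accept_below: int = 3) -> dict:
    """Step 6 table: cell before and after the planned controls per event,
    and whether the residual risk is accepted (assumed rule: accepted only
    when neither axis is still Significant or Maximum)."""
    out = {}
    for ev in events:
        treated = ev
        for _control_name, reductions in controls.get(ev.name, []):
            treated = apply_control(treated, **reductions)
        residual = max(treated.severity, treated.likelihood)
        out[ev.name] = {
            "before": (ev.severity, ev.likelihood),
            "after": (treated.severity, treated.likelihood),
            "accepted": residual < accept_below,
        }
    return out


# Constructed sample: three feared events and controls named as in Annex II.
# Threat IDs are illustrative labels, not identifiers from the template.
SAMPLE_EVENTS = [
    FearedEvent("Feared event 1", "T-undeclared-collection", 3, 3, 2, 3),
    FearedEvent("Feared event 2", "T-unlimited-purpose", 4, 4, 3, 3),
    FearedEvent("Feared event 3", "T-lack-of-transparency", 2, 3, 2, 2),
]
SAMPLE_CONTROLS = {
    "Feared event 1": [("Anonymizing personal data", {"identification": 1})],
    "Feared event 2": [("Encrypting personal data", {"asset_vulnerabilities": 2}),
                       ("Purpose limitation", {"prejudicial_effects": 1})],
    "Feared event 3": [("Destruction schedules", {"prejudicial_effects": 1})],
}

if __name__ == "__main__":
    for cell, names in sorted(risk_map(SAMPLE_EVENTS).items(), reverse=True):
        print(SCALE[cell[0]], "/", SCALE[cell[1]], "->", ", ".join(names))
    for name, row in residual_risk(SAMPLE_EVENTS, SAMPLE_CONTROLS).items():
        print(name, row)
```

Because every control is expressed as a reduction of a component score, the result of `residual_risk` is the material for the Step 6 table and the second map: in the sample, encryption lowers the likelihood of feared event 2 to Negligible but leaves its severity at Maximum, so it stays on the treatment list, which is the situation the second map illustrates for an event that remains in the Maximum row.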
Glossary of terms and abbreviations

Article 29 The Article 29 Data Protection Working Party was set up under the Directive
Working Party 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the
free movement of such data.

CSO Charge Spot Operator

CSP Charge Service Provider

CoS Change of Supply

CoT Change of Tenancy

Data Controllers Data Controllers observe a number of principles when they process personal data.
These principles not only protect the rights of those about whom the data is
collected ("data subjects") but also reflect good business practices that contribute
to reliable and efficient data processing.

Data Subject An identified natural person, or a natural person who can be identified, directly or
indirectly, by means reasonably likely to be used by the controller or by any other
natural or legal person, in particular by reference to an identification number,
location data, an online identifier or one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that person.

DG Distributed Generation

DPA Data Protection Authority: supervises compliance with the acts that regulate the
use of personal data.

DPIA Data Protection Impact Assessment

DPO Data Protection Officer - The main task of the DPO is to ensure, in an independent
manner, the internal application of the provisions of the Regulation in his/her
organisation.

DSO Distribution System Operator. A distribution system's network carries electricity
from the transmission system and delivers it to consumers.

EC European Commission

EEA European Economic Area

EV Electric Vehicle

Grid Operator Transmission (TSO) and distribution system/network operators (DSOs).

Information Information security means protecting information and information systems from
Security unauthorized access, use, disclosure, disruption, modification, perusal, inspection,
recording or destruction

ISO 27005 An information security standard (information security risk management) published by the
International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

IT Information Technology

M490 Standardisation mandate: Standardization Mandate to the European Standardisation Organisations (ESOs) to
support European Smart Grid deployment.

Personal Data 'personal data' shall mean any information relating to an identified or identifiable
natural person ('data subject'); an identifiable person is one who can be identified,
directly or indirectly, in particular by reference to an identification number or to
one or more factors specific to his physical, physiological, mental, economic,
cultural or social identity;

Privacy Defined as the right to be left alone and includes elements of protecting private life
such as integrity of a person’s home, body, conversations, data, honour and
reputation following the Article 7 of the Charter of fundamental rights of the
European Union.

Residual Risks The remaining risk after the treatment of a risk

Risk Assessment Risk assessment is the determination of quantitative or qualitative value of risk
related to a concrete situation and a recognized threat (also called hazard)

SG-SC Smart Grid Coordination Group

SGTF Smart Grid Task Force

SMART Specific, Measurable, Achievable, Relevant, Time-bound: a mnemonic to guide people
when they set objectives, often called Key Performance Indicators (KPIs), for
example for project management, employee performance management and
personal development.

Smart Grid An electricity network that can cost-efficiently integrate the behaviour and actions
of all users connected to it (generators, consumers and those that do both) in
order to ensure an economically efficient, sustainable power system with low losses
and high levels of quality and security of supply and safety.

SME Small and Medium Enterprises

SRO Senior Risk Owner - is an Executive Director or Senior Management Board Member
who will take overall ownership of the Organisation’s Information Risk Policy, act
as champion for information risk on the Board and provide written advice to the
Accounting Officer on the content of the Organisation’s Statement of Internal
Control in regard to information risk.

WG RA Workgroup on Reference Architectures

WG SGIS Workgroup on Smart Grid Information Security

ANNEXES

Annex I – Privacy and data protection targets


Embedded in Directive 95/46/EC and reflecting on-going EU regulatory developments and practices, this
list of privacy targets and the associated risks of smart grid applications constitutes the core element of
the DPIA process. While all targets are essential elements of organisational
compliance, in many cases only a subset of these requirements will be at issue in the application under
consideration.

Description of privacy targets

Safeguarding quality of personal data: Data avoidance and minimisation, purpose specification and limitation, quality of data and transparency are the key targets that need to be ensured.

Legitimacy of processing personal data: Legitimacy of processing personal data must be ensured by basing the processing on explicit consent, a contract, a legal obligation, etc.

Legitimacy of processing sensitive personal data: Legitimacy of processing sensitive personal data must be ensured by basing the processing on explicit consent, a special legal basis, etc.

Compliance with the data subject's right to be informed: It must be ensured that the data subject is informed about the collection of his data in a timely manner.

Compliance with the data subject's right of access to data, correct and erase data: It must be ensured that the data subject's wish to access, correct, erase and block his data is fulfilled in a timely manner. Implementation of the right to be forgotten and the right to data portability should be encouraged.

Compliance with the data subject's right to object: It must be ensured that the data subject's data is no longer processed if he or she objects. Transparency of automated decisions vis-à-vis individuals must be ensured, especially in the case of profiling.

Safeguarding confidentiality and security of processing: Preventing unauthorized access, logging of data processing, network and transport security and preventing accidental loss of data are the key targets that need to be ensured. A breach notification procedure should be promoted.

Compliance with notification requirements: Notification about data processing, prior compliance checking and documentation are the key targets that need to be ensured. The DPIA shall be considered a determinant tool for this target.

Compliance with data retention requirements: Retention of data should be for the minimum period of time consistent with the purpose of the retention or other legal requirements.

Privacy by design: Having regard to the state of the art and the cost of implementation, technical and organisational measures and procedures shall be designed, both at the time of the determination of the means for processing and at the time of the processing itself, in such a way that they fully respect the privacy and data protection rights of the data subject.

Privacy by default: Mechanisms shall be implemented to ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing, and in particular that they are not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of data and the time of their storage.

Annex II – List of possible controls

Minimizing the amount of personal data
Objective: to reduce the severity of risks by limiting the amount of personal data to what is strictly necessary to achieve a defined purpose.

Managing personal data retention periods
Objective: to reduce the severity of risks by ensuring that personal data is not retained for longer than necessary.

Informing data subjects
Objective: to ensure that data subjects are informed.

Obtaining the consent of data subjects
Objective: to allow data subjects to make a free, specific and informed choice.

Managing persons within the organisation who have legitimate access
Objective: to reduce the risks associated with persons within the organisation (employees, seconded subcontractors, interns and visitors) who have legitimate access to personal data.

Managing third parties with legitimate access to personal data
Objective: to reduce the risk that legitimate access to personal data by third parties may pose to the data subjects' civil liberties and privacy.

Monitoring logical access controls
Objective: to limit the risk that unauthorized persons access personal data electronically.

Partitioning personal data
Objective: to reduce the possibility that personal data can be correlated and that a single breach exposes all personal data.

Encrypting personal data
Objective: to make personal data unintelligible to anyone without access authorization.

Anonymizing personal data
Objective: to remove identifying characteristics from personal data.

Protecting personal data archives
Objective: to define all procedures for preserving and managing the electronic archives containing personal data.

Managing personal data violations
Objective: to have an operational organisation that can detect and treat incidents that may affect the data subjects' civil liberties and privacy.

Tracing the activity on the IT system
Objective: to allow early detection of incidents involving personal data and to have information that can be used to analyse them or provide proof in connection with investigations.

Combating malicious code
Objective: to protect workstations, servers and the access to public (Internet) and uncontrolled (partner) networks from malicious code that could affect the security of personal data.

Reducing software vulnerabilities
Objective: to reduce the possibility of exploiting software properties (operating systems, business applications, database management systems, office suites, protocols, configurations, etc.) to adversely affect personal data.

Reducing hardware vulnerabilities
Objective: to reduce the possibility of exploiting hardware properties (servers, desktop computers, laptops, devices, communications relays, removable storage devices, etc.) to adversely affect personal data.

Reducing the vulnerabilities of computer communications networks
Objective: to reduce the possibility of exploiting communications network properties (wired networks, Wi-Fi, radio waves, fibre optics, etc.) to adversely affect personal data.

Reducing the vulnerabilities of paper documents
Objective: to reduce the possibility of exploiting the properties of paper documents to adversely affect personal data.

Reducing vulnerabilities related to the circulation of paper documents
Objective: to reduce the possibility of exploiting the properties of paper document circulation (within an organisation, delivery by vehicle, mail delivery, etc.) to adversely affect personal data.

Create procedures to address CoT and CoS
Objective: to ensure that after a change of tenancy or change of supply, personal data relating to the previous tenancy or supply contract is no longer available.

Permitting the exercise of the right to object
Objective: to ensure that individuals have the opportunity to object to the use of their personal data.

Monitoring the integrity of personal data
Objective: to be warned in the event of an unwanted modification or disappearance of personal data.

Allowing the exercise of the right to correct
Objective: to ensure that individuals may correct, add, update, block or delete their personal data.

Permitting the exercise of the right of direct access
Objective: to ensure that individuals have the opportunity to know what personal data is held about them.

Reducing the vulnerabilities of individuals
Objective: to reduce the possibility of exploiting people (employees, individuals who are not part of the organisation but are under its responsibility, etc.) to adversely affect personal data.

Non-collection of contentious data-items
Objective: to avoid collecting data-items against the client's wishes.

No collection of identifiable information, only pseudonyms or anonymous data
Objective: to prevent identification of the data subject through the collected data.

Purpose limitation
Objective: to take appropriate measures to ensure that personal data is only used for the purposes defined beforehand and not for other related or unrelated purposes.

Active measures to preclude the use of particular data-items in the making of particular decisions
Objective: to ensure that decisions are made only on the basis of the data-items that are due for them.

Limits on the use of information for a very specific purpose, with strong legal, organisational and technical safeguards preventing its application to any other purpose
Objective: to ensure that information is used for the specified purpose and for nothing more.

Active measures to preclude the disclosure of particular data-items
Objective: to ensure that only required and permitted data-items are disclosed.

Minimisation of personal data retention by destroying it as soon as the transaction for which it is needed is completed
Objective: to ensure compliance with legislation and to prevent misuse of personal data.

Destruction schedules for personal information
Objective: to ensure compliance with legislation and to prevent misuse of personal data.

Use of mathematical methods that reach the goal without collecting and registering source data
Objective: to avoid the collection of non-authorized data without compromising the goal.

Clear and consistent communication of purpose and goals of data collection
Objective: to ensure that the client and other interested parties are clearly informed of the purpose and goals of data collection.

Make a privacy policy, code of conduct or certify the processing of the data to be more transparent
Objective: to establish rights, responsibilities and boundaries in order to make data processing transparent to those involved.

Not transferring the source data, but only the outcomes
Objective: to avoid disclosure of undue data.

Give the individual control over his data, for example through a secured website portal
Objective: to ensure that the individual has control over his data according to his rights and responsibilities.

Introduce automated controls on data quality
Objective: to ensure that data quality is monitored and maintained on a regular basis.

Design, implementation and resourcing of a responsive complaints-handling system, backed by serious sanctions and enforcement powers
Objective: to ensure that clients have a way of communicating their requests and complaints and that these are addressed in a timely and adequate manner.

Audit
Objective: a generic control to verify that all implemented controls are in place.

Bibliography

1. European Commission, Smart Grid Mandate, Brussels: European Commission, 2011.

2. ISO/IEC 27005:2011, Information technology - Security techniques - Information security risk management.

3. Workgroup on Smart Grid Information Security, SGCG WG Smart Grid Information Security report, 2011.
