ENISA
https://www.enisa.europa.eu
Recommendations for a methodology of the assessment of severity of personal data breaches
https://www.enisa.europa.eu/publications/dbn-severity
The European Union Agency for Network and Information Security (ENISA) reviewed the existing measures and procedures in EU Member States with regard to personal data breaches and published in 2011 a study on the technical implementation of Art. 4 of the ePrivacy Directive, which included recommendations on how to plan and prepare for data breaches, how to detect and assess them, how to notify individuals and competent authorities, and how to respond to data breaches. A proposal of a methodology for personal data breach severity assessment was also included as an annex to the above-mentioned recommendations; it was, however, not considered mature enough to be used at national level by the different Data Protection Authorities. Against this background, the Data Protection Authorities of Greece and Germany, in collaboration with ENISA and building on the above-mentioned work, developed an updated methodology for data breach severity assessment that could be used both by DPAs and by data controllers. This working document is a first result of the co-operation between experts of the two DPAs and ENISA. It is planned to further develop the methodology with the aim of producing a final practical tool for data breach severity assessment.
Topics: Privacy | Published: 2013/12/06 19:25:00 GMT+2 | Type: Report/Study

Data breach notifications in the EU
https://www.enisa.europa.eu/publications/dbn
The European data breach notification requirement for the electronic communication sector, introduced in the review of the ePrivacy Directive (2002/58/EC), is an important development with the potential to increase the level of data security in Europe and to foster reassurance amongst citizens on how their personal data is being secured and protected by electronic communication sector operators. Against this background, ENISA reviewed the current situation in order to develop a consistent set of guidelines addressing the technical implementation measures and the procedures described by Article 4 of the reviewed Directive 2002/58/EC.
Topics: Privacy, Identity & Trust, Good Practice | Published: 2011/01/13 17:15:00 GMT+2 | Type: Report/Study

Study on monetising privacy. An economic model for pricing personal information
https://www.enisa.europa.eu/publications/monetising-privacy
Do some individuals value their privacy enough to pay a mark-up to an online service provider who protects their information better? How is this related to personalisation of services? This study analyses the monetisation of privacy. ‘Monetizing privacy’ refers to a consumer’s decision of disclosure or non-disclosure of personal data in relation to a purchase transaction. The main goal of this report is to enable a better understanding of the interaction of personalisation, privacy concerns and competition between online service providers. Consumers benefit from personalisation of products on the one hand, but might be locked in to services on the other. Moreover, personalisation also bears a privacy risk, i.e. that data may be compromised once disclosed to a service provider. Privacy is a human right; thinking about the economics of privacy does not change this basic fact. The authors of this report consider an economic analysis of privacy as complementary to the legal analysis, as it improves our understanding of human decision-making with respect to personal data.
Topics: Privacy | Published: 2012/02/28 16:15:00 GMT+2 | Type: Report/Study

Privacy, Accountability and Trust – Challenges and Opportunities
https://www.enisa.europa.eu/publications/pat-study
In the study, we focus on some of the available technologies and research results addressing privacy and data protection and topics related to, or influencing, privacy, such as consent, accountability, trust, tracking and profiling. The objective is to provide a comprehensive and realistic view of both the limitations generated and the possibilities provided by technologies in the case of personal data protection rights.
Topics: Identity & Trust, Privacy | Published: 2011/03/08 16:30:00 GMT+2 | Type: Report/Study

Readiness Analysis for the Adoption and Evolution of Privacy Enhancing Technologies
https://www.enisa.europa.eu/publications/pets
This report aims at developing a methodology that allows different Privacy Enhancing Technologies (PETs) to be compared with regard to their maturity, i.e. their technology readiness and their quality concerning the privacy notion they provide. The report first sketches a methodology for gathering expert opinions and measurable indicators as evidence for a two-dimensional rating scale. Secondly, it reviews two pilots that test the proposed scales and methodology; the results of these pilots are presented in this study. Finally, a list of necessary steps towards a PET maturity repository is made available.
Topics: Privacy | Published: 2016/03/30 23:00:00 GMT+2 | Type: Report/Study

Governance framework for European standardisation
https://www.enisa.europa.eu/publications/policy-industry-research
In response to the European Union’s Cybersecurity Strategy, the CSCG has published a White Paper with recommendations on digital security. The CSCG’s recommendations underline the importance of Cybersecurity standardisation to complete the European internal market and to raise the level of Cybersecurity in Europe in general. CSCG Recommendation #1 proposes a review of the current governance framework. This document analyses the good practices within the governance framework of the European Union and proposes recommendations for stakeholders. It has been written by CSCG and ENISA experts as a response to Recommendation #1 and forms a logical entity together with the response to CSCG Recommendation #2, Definition of Cybersecurity – Gaps and overlaps in standardisation, published by ENISA at the same time.
Topics: Privacy | Published: 2016/06/30 23:00:00 GMT+2 | Type: Report/Study

Privacy and Data Protection by Design
https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
This report contributes to bridging the gap between the legal framework and the available technological implementation measures by providing an inventory of existing approaches, privacy design strategies, and technical building blocks of various degrees of maturity from research and development. Starting from the privacy principles of the legislation, important elements are presented as a first step towards a design process for privacy-friendly systems and services.
Topics: Privacy | Published: 2015/01/12 11:20:00 GMT+2 | Type: Report/Study

Privacy considerations of online behavioural tracking
https://www.enisa.europa.eu/publications/privacy-considerations-of-online-behavioural-tracking
Internet users are being increasingly tracked and profiled, and their personal data are extensively used as currency in exchange for services. It is important that this new reality is better understood by all stakeholders if we are to be able to support and respect the right to privacy.
Topics: Identity & Trust, Privacy | Published: 2012/11/14 17:40:00 GMT+2 | Type: Report/Study

Online privacy tools for the general public
https://www.enisa.europa.eu/publications/privacy-tools-for-the-general-public
ENISA has published a study in the area of PETs for the protection of online privacy (online privacy tools) with two main objectives: a) to define the current level of information and guidance that is provided to the general public, and b) to provide a proposal for an assessment model for online privacy tools that could bring more assurance in their use, supporting their wider adoption by internet and mobile users.
Topics: Privacy | Published: 2015/12/17 00:00:00 GMT+2 | Type: Report/Study

Report on Annual Privacy Forum 2012
https://www.enisa.europa.eu/publications/report-on-annual-privacy-forum-2012
The first Annual Privacy Forum (APF’12) was held in Limassol, Cyprus from 10–11 October 2012. The Forum was co-organised by the European Network and Information Security Agency (ENISA) and the European Commission Directorate General for Communications Networks, Content and Technology (DG CONNECT), with the support of the Department of Computer Science of the University of Cyprus. APF’12 was endorsed as an official event of the Cyprus Presidency of the Council of the European Union.
Topics: European Union Institutions, Privacy, Identity & Trust | Published: 2012/12/12 15:00:00 GMT+2 | Type: Report/Study

Securing personal data in the context of data retention
https://www.enisa.europa.eu/publications/securing-personal-data-in-the-context-of-data-retention
Data retention legislation has been adopted to address concerns related to national security and serious criminal activity. The legislation provides access to communication data for law enforcement purposes. However, according to the Data Retention Directive (DRD), personal data collected, stored or in any way processed in most European Union (EU) Member States (MSs) needs to be securely protected, to meet the requirements of data protection legislation. This study provides the results of (a) a survey on the national implementation of the DRD in six selected Member States on the requirements regarding technical and organisational security measures (in short ‘security measures’) and the implementation of the data security principles that are provided for in the Directive, and (b) a state-of-the-art analysis of the security measures proposed for the protection of personal data collected and stored in the context of the DRD. ENISA initiated this study following a request by the Directorate General Home Affairs (DG HOME) of the European Commission. This document aims at providing a set of recommendations for a common European approach on the security measures that should be taken in relation to retained data, taking into account existing specifications on security measures.
Topics: Privacy | Published: 2013/12/10 18:45:00 GMT+2 | Type: Report/Study

Security certification practice in the EU - Information Security Management Systems - A case study
https://www.enisa.europa.eu/publications/security-certification-practice-in-the-eu-information-security-management-systems-a-case-study
This report aims at providing input for the adoption of a framework on privacy certifications, as well as for eGovernment certification in Europe. There are numerous IT security certification schemes across the European Member States that can serve as the basis for drawing up recommendations on aspects of security certification that could be applied to privacy and eGovernment services certification. This study addresses Information Security Management Systems (ISMS) certification.
Topics: Privacy | Published: 2013/11/21 12:15:00 GMT+2 | Type: Report/Study

Information security and privacy standards for SMEs
https://www.enisa.europa.eu/publications/standardisation-for-smes
The analysis conducted for this study, based on interviews with subject matter experts and a review of available studies, shows that, despite rising concerns about information security risks, the level of SMEs’ adoption of information security and privacy standards is relatively low. The main existing drivers and barriers that contribute to the limited uptake of information security and privacy standards in European SMEs have been identified and analysed in this
Topics: Privacy | Published: 2016/03/30 23:00:00 GMT+2 | Type: Report/Study

Study on cryptographic protocols
https://www.enisa.europa.eu/publications/study-on-cryptographic-protocols
Cryptographic algorithms, when used in networks, are used within a cryptographic protocol. Even if the cryptographic primitives and schemes (discussed in the “Algorithms, key size and parameters” report of 2014, see link below) are deemed secure, their use within a protocol can result in a vulnerability which exposes the supposedly secured data. The report focuses on the current status of cryptographic protocols and encourages further research. A quick overview is presented of protocols used in relatively restricted application areas such as wireless, mobile communications or banking (Bluetooth, WPA/WEP, UMTS/LTE, ZigBee, EMV) and of specific environments, focusing on Cloud computing. The main emphasis of the report is on guidelines for researchers and organisations in the field. The key problem with protocols today is that many result from cryptographic design done many years (even decades) ago. Thus cryptographic protocols suffer more from legacy issues than the underlying cryptographic components do. The goal should be to work towards a better cryptographic protocol infrastructure which does not exhibit such problems. Thus we provide in this report guidelines for organisations which are developing new protocols.
Topics: Privacy | Published: 2014/11/21 13:00:00 GMT+2 | Type: Report/Study

Survey of accountability, trust, consent, tracking, security and privacy mechanisms in online environments
https://www.enisa.europa.eu/publications/survey-pat
The study, using a survey, attempts to evaluate which mechanisms for accountability, consent, trust, security and privacy are currently deployed in available online services. While the findings of this survey cannot easily be extrapolated to all online services, some trends are prominent and it is safe to assume that these are valid for most organisations that operate online. Beyond these trends, we note the lack of a single coherent view on how best to achieve user privacy in online environments. An increase in awareness of privacy and security concepts within organisations and industry sectors appears desirable, in order to maintain a high level of security and confidence on the part of users and society in the ICT infrastructure and services provided within the EU. A major area of concern was how the EU would create and maintain a ‘level regulatory playing field’, especially with non-EU based multinationals entering the EU market without proper (privacy) compliance and rapidly establishing a significant user base.
Topics: Identity & Trust, Privacy | Published: 2011/01/31 15:45:00 GMT+2 | Type: Report/Study