How to Streamline and Optimize Risk Assessments for Compliance?

Overview

Gira Group is a center of excellence in the areas of cybersecurity, data protection, AI governance, enterprise risk management, third-party risk management and related services. The services we provide to our clients strive to make the programs within their organizations more effective and more efficient, reducing redundancies and reducing costs. One emerging area where we see the most impact is the various assessments organizations have to perform as a result of the different regulations emerging in the EU.


As with any problem, there are many ways to solve it. This post describes a general approach that we find the most pragmatic, holistic and effective in the long run.



Too many assessments!

Data Protection Impact Assessment (DPIA), Privacy Impact Assessment (PIA), Fairness or Fundamental Rights Impact Assessment (FRIA), Human Rights Impact Assessment (HRIA) and Transfer Impact Assessment (TIA) are different types of assessments that aim to identify and mitigate the potential risks and harms of data-driven systems and technologies. These assessments are often conducted separately but share common goals and challenges.

  • Data Protection Impact Assessment (DPIA): a process to help organizations identify and minimize the data protection risks of a project or activity that involves personal data.

  • Privacy Impact Assessment (PIA): a process to help organizations identify and address the privacy risks of a project or activity that involves personal information.

  • Fairness or Fundamental Rights Impact Assessment (FRIA): a process to help organizations evaluate and improve the fairness of a project or activity that involves algorithmic decision-making or data analysis.

  • Human Rights Impact Assessment (HRIA): a process to help organizations assess and mitigate the potential adverse effects of a project or activity on the human rights of affected stakeholders.

  • Transfer (Trustworthiness) Impact Assessment (TIA): a process to help organizations ensure that a project or activity meets the principles of trustworthiness, such as transparency, accountability, reliability, security and ethics, when data is transferred outside the jurisdiction of the EU.


Although these assessments have different origins, scopes, methods, and legal frameworks, they also share common goals and challenges. For example, they all aim to:

  • Identify and address a project or activity's potential harms and benefits for individuals and society.

  • Involve relevant stakeholders in the assessment process and communicate the results effectively.

  • Comply with applicable laws and regulations and adhere to ethical standards and best practices.

  • Foster a culture of responsibility and accountability within the organization.


However, they also face some common difficulties, such as:

  • Finding the appropriate time, resources and expertise to conduct the assessments.

  • Balancing the trade-offs between different values, interests and expectations of stakeholders.

  • Dealing with uncertainty, complexity and ambiguity in the assessment process and outcomes.

  • Integrating the assessment results into the design, development and implementation of the project or activity.


The next section lists the benefits of combining the assessments in detail. However, combining different assessments also poses some challenges, such as:

  • Finding a common framework and language to harmonize the different concepts, methods and criteria of each assessment.

  • Resolving potential conflicts or inconsistencies between different legal requirements or ethical principles of each assessment.

  • Managing the increased complexity and workload of conducting multiple assessments in parallel or sequentially.

  • Communicating the results of multiple assessments in a clear and accessible way to different audiences.


The subsequent sections describe potential solutions to the challenges of combining the assessments into one.



Why should you combine different assessments?

One of the main benefits of combining these assessments is that they can provide a more holistic and comprehensive view of the impacts of a data-driven system or technology. By considering different dimensions of impact, such as privacy, fairness, fundamental rights, human rights and trust, the combined assessment can reveal the interconnections and trade-offs between these dimensions, and help to balance them in a way that respects the values and interests of all stakeholders. For example, a combined assessment can help to ensure that a system that protects personal data does not compromise fairness or human rights, or that a system that enhances trust does not violate privacy or human rights.


Another benefit of combining these assessments is that they can reduce the duplication of efforts and resources. By conducting a single assessment that covers multiple aspects of impact, the combined assessment can save time and money, and avoid inconsistencies or conflicts between different assessments. For example, a combined assessment can avoid asking the same questions or collecting the same data for different assessments, or having to reconcile different results or recommendations from different assessments.


A third benefit of combining these assessments is that they can increase the transparency and accountability of data-driven systems and technologies. By providing a clear and comprehensive report of the impacts and risks of a system or technology, the combined assessment can inform and empower the decision-makers and the public, and help to build trust and confidence in the system or technology. For example, a combined assessment can explain how a system or technology respects privacy, fairness, human rights and trust, and how it addresses any potential harms or challenges.


A fourth benefit of the combined assessments is that they facilitate cross-learning and collaboration among different teams and experts within the organization. The stakeholders interact and collaborate during the assessments, which helps them understand when a change introduced in one system can affect an upstream or downstream process and increase the organization's risk of causing potential harms.



How can these assessments be combined in practice?

Combining different assessments is not a one-size-fits-all solution. It requires careful planning, customization and evaluation according to the specific context, objectives and needs of each project or activity. Some factors that could influence the decision to combine different assessments are:

  • The nature, scope and scale of the project or activity: some projects or activities may have more significant or diverse impacts than others, requiring more comprehensive or specialized assessments.

  • The availability of resources and expertise: some organizations may have more capacity or experience than others to conduct multiple assessments effectively and efficiently.

  • The expectations and preferences of stakeholders: some stakeholders may have more interest or influence than others in the assessment process and outcomes, requiring more consultation or engagement.


There are different possible approaches, depending on the context and the objectives of the assessment. One approach is to use a common framework or methodology that integrates the different dimensions of impact into a single process. For example, the European Commission has proposed a framework for trustworthy artificial intelligence (AI) that includes seven key requirements: human agency and oversight, technical robustness and safety, privacy and data governance, transparency, diversity, non-discrimination and fairness, societal and environmental well-being, and accountability. Another approach is to use existing tools or standards that cover multiple dimensions of impact, such as the Data Ethics Canvas or the ISO 31000 standard for risk management. A third approach is to coordinate or align different assessments that are conducted separately, but share some common elements or criteria. For example, the DPIA can be used as a basis for conducting other assessments, such as FRIA or HRIA.


Detailed process for combining assessments

If you want to conduct a combined assessment of the impacts and risks of a data-driven system or technology, you need to follow some steps. Here are some possible steps that you can take:

  • Define the purpose and scope of the assessment. What are the objectives and questions of the assessment? What are the system or technology and its context and use cases? What are the dimensions of impact that you want to assess, such as privacy, fairness, human rights and trust?

  • Identify and engage the stakeholders. Who are the people or groups that are affected by or involved in the system or technology? How can you involve them in the assessment process, such as through consultation, participation or co-creation?

  • Collect and analyze the data and information. What are the sources and methods that you can use to collect and analyze the data and information about the system or technology and its impacts? How can you ensure the quality, validity and reliability of the data and information?

  • Identify and evaluate the impacts and risks. What are the positive and negative impacts and risks of the system or technology on privacy, fairness, human rights and trust? How can you measure, quantify or qualify these impacts and risks? How can you compare and weigh them against each other?

  • Develop and recommend solutions. What are the possible solutions or actions that can be taken to prevent, reduce or mitigate the negative impacts and risks, or to enhance the positive impacts and benefits, of the system or technology? How can you prioritize and justify these solutions or actions?

  • Report and communicate the results. How can you present and explain the results and recommendations of the assessment in a clear, concise and accessible way? Who are the audiences that you want to reach and inform? What are the formats and channels that you can use to communicate the results?

  • Monitor and review the outcomes. How can you monitor and review the implementation and outcomes of the solutions or actions that were recommended by the assessment? How can you measure and evaluate their effectiveness and efficiency? How can you learn from the feedback and experience?


These are some general steps that you can follow to conduct a combined assessment. However, you may need to adapt them to your specific situation and context. You may also need to use different tools or frameworks that can help you to combine different dimensions of impact into a single process. For example, you can use the European Commission's framework for trustworthy AI, or the Data Ethics Canvas, or the ISO 31000 standard for risk management.



How can standards like ISO 31000 and ISO 42001 support effective assessments?

Another possible strategy to improve the effectiveness and efficiency of these assessments is to use existing standards that provide guidance and best practices for conducting impact assessments. For example:

  • ISO 31000: Risk management – Guidelines: this standard provides principles, framework and a process for managing risk. It can help organizations identify, analyze, evaluate, treat, monitor and communicate risks associated with any activity, function or process. It can be applied to any type of risk, including those related to data protection, privacy, fairness, human rights and trustworthiness.

  • ISO 42001: Artificial intelligence – Trustworthiness – Requirements: this standard specifies requirements for establishing, implementing, maintaining and improving a trustworthy artificial intelligence system. It covers aspects such as governance, design principles, data quality management, performance evaluation, monitoring, review, audit, assurance, learning, improvement, communication, transparency, stakeholder engagement, accountability, ethics, human oversight, safety, security, robustness, resilience, reliability, accuracy, interpretability, bias, fairness, privacy, data protection, and societal and environmental well-being. It can be used as a basis for conducting impact assessments for artificial intelligence systems.


Using these standards can support organizations in conducting different assessments by providing:

  • A common terminology and framework for understanding and managing impacts.

  • A systematic and consistent process for conducting impact assessments.

  • A set of criteria and indicators for measuring and evaluating impacts.

  • A set of recommendations and best practices for mitigating and enhancing impacts.


However, using these standards also requires some adaptation and customization according to the specific context, objectives and needs of each project or activity. Some challenges that could arise when using these standards are:

  • Aligning the standards with the specific legal and regulatory requirements of each assessment.

  • Adapting the standards to the specific characteristics and features of each project or activity.

  • Integrating the standards with the existing policies and procedures of the organization.

  • Training and educating the staff and stakeholders on the use and application of the standards.


Besides these two standards, some other standards can be relevant for conducting impact assessments, depending on the type, scope and context of the project or activity. For example:

  • IAIA: The leading global network on impact assessment: this organization provides resources, training, events and publications on various types of impact assessment, such as environmental impact assessment, social impact assessment, health impact assessment, strategic environmental assessment, cumulative effects assessment, etc. It also offers guidance on integrating different types of impact assessment into a single process.

  • Impact assessments - European Commission: This website provides information on how the European Commission conducts impact assessments for its legislative proposals and other initiatives. It also provides guidelines, tools and best practices for conducting impact assessments, as well as examples of impact assessment reports.

  • Health impact assessments - World Health Organization (WHO): this is a website that provides information on how to conduct health impact assessments, which are a combination of procedures, methods, and tools that systematically judge the potential effects of a policy, program, or project on the health of a population.

  • How does the certification compare to other standards: this website compares the B Impact Assessment, a tool to measure and improve the social and environmental performance of businesses, with other standards such as GRI (Global Reporting Initiative), ISO 26000 (Social Responsibility), SA8000 (Social Accountability) and the UN Global Compact.


Links to the websites are available in the references section.



How can I measure the effectiveness of a solution?

One of the challenges of conducting a combined assessment of the impacts and risks of a data-driven system or technology is to measure the effectiveness of the solutions or actions that are recommended by the assessment. How can you know if the solutions or actions have achieved their intended goals and outcomes, and have prevented, reduced or mitigated the negative impacts and risks, or enhanced the positive impacts and benefits, of the system or technology?


There are different possible ways to measure the effectiveness of a solution or action, depending on the type, scope and context of the solution or action. Here are some possible steps that you can take:

  • Define the indicators and criteria. What are the indicators and criteria that you can use to measure the effectiveness of the solution or action? How can you define them in a clear, specific and measurable way? How can you align them with the objectives and questions of the assessment?

  • Collect and analyze the data and information. What are the sources and methods that you can use to collect and analyze the data and information about the implementation and outcomes of the solution or action? How can you ensure the quality, validity and reliability of the data and information?

  • Compare and evaluate the results. What are the results of the data and information analysis? How can you compare them with the indicators and criteria that you defined? How can you evaluate if the solution or action has been effective or not?

  • Report and communicate the findings. How can you present and explain the findings of the measurement in a clear, concise and accessible way? Who are the audiences that you want to reach and inform? What are the formats and channels that you can use to communicate the findings?

  • Learn and improve. How can you learn from the feedback and experience of measuring the effectiveness of the solution or action? How can you use this learning to improve your assessment process, your system or technology, or your solution or action?


These are some general steps that you can follow to measure the effectiveness of a solution or action. However, you may need to adapt them to your specific situation and context. You may also need to use different tools or frameworks that can help you to measure different dimensions of impact, such as privacy, fairness, human rights and trust. For example, you can use privacy impact assessment tools, fairness metrics, human rights indicators, or trust surveys.



Conclusion

In conclusion, combining the different assessments (DPIA, PIA, FRIA, HRIA and TIA) can be a useful strategy to improve the effectiveness and efficiency of impact management. However, it also requires careful consideration of the benefits and challenges of doing so. This paper has provided some general guidelines and factors to help organizations make informed decisions about whether and how to combine different assessments. It also discussed how standards like ISO 31000 or ISO 42001 can support these assessments by providing guidance and best practices, and mentioned some other standards that can be relevant for conducting impact assessments, depending on the type, scope and context of the project or activity.



References



This text was originally submitted as an assignment in the Integrated Risk Assessments course in the Advanced Master in Privacy, Cybersecurity and Data Management at the University of Maastricht, European Centre on Privacy and Cybersecurity. The author expresses his gratitude to peers and lecturers for their creative contributions to the development of the ideas.


