SPFAM (Simplified Privacy Friendliness Assessment Methodology)
SPFAM is simplified version of comprehensive Privacy Friendliness Assessment Methodology based on compiled requirements and best practices defined by:
- ISO 27701 Privacy Information Management standard,
- ISO 27001 Information security management standards,
- EDPB (WP29) guidelines for Data Protection Impact Assessment and ePrivacy directive.
SPAFM narrows down 16 essential parameters to evaluate 3 top level privacy risk indicators impacting privacy friendliness of the web page:
- communication privacy
- processing lawfulness and
- data subject impact.
Accuracy and objectivity assurance
PRIVACY FRIENDLY score is calculated based on the input provided by qualified cyber security and legal analysts using SPFAM methodology developed by the Ostendo Consulting, a company specialized for cyber security and compliance risk management in information systems.
To ensure reliable results, methodology ensures each web site to be analysed by at least two qualified analysts, one specialised for legal compliance and the other specialised for cyber security assessment. Methodology introduces control and corrective factors to ensure minimal error and provide in depth transparency.
Mathematical formulas responsible for the score calculation are designed to minimise possible errors and allow repeatible assessments for the comparison purposes.
Methodology also takes into account potential impact data processing conducted by web site could have to a visitor hence, sites processing sensitive data need to perform better to achieve same score.
How do we collect web site information?
To analyse a web site, we need to understand not only how it works, but also what it does, what kind of services it provides and how. We need to understand the meaning of the published information from the functional, technical and legal perspective. This is why, analysis is conducted site by site, by specially educated analysts.
Web site for analysis are selected based on risk assesment and direct requests by web site visitors or owners.
Visitors need to understand who they are sharing their personal information with. Web site owner is required to ensure communication confidentiality and provide transparent information about all data collected, not only directly from visitors, but also from their devices, as well as the information about how this data is used, stored and most importantly who is this data shared with. This score determines whether:
- web server has a valid certificate to prove its authenticity,
- web server uses appropriate encryption to protect confidentiality of the communication,
- transparent information about third parties able to access the content of such communication (i.e. third-party cookies) is provided in appropriate way,
- cookie management mechanism is established where required for the particular web site and
- cookie management mechanism is efficient.
The purpose of this score is to determine visitors’ ability to exercise their rights to personal data protection. Score is determined by the fulfilment analysis of the selected GDPR and ePrivacy requirements directly applicable to web sites.
It determines whether web site:
- provides transparent information about personal data processing (data and processing description as well as the lawful basis for processing),
- informs visitors about their rights and how to exercise them,
- provides appropriate information about the data controller and appropriate contact information,
- presents privacy protection related information in a clear and understandable way.
Data subject impact
Data subject impact is a number representing possible negative impact to a person caused by personal data breach. Such breach could include:
- data loss, destruction of data or data unavailability,
- data leakage, unauthorised access or processing, or
- loss of the data integrity.
Breach can be caused by and using ICT infrastructure, but it can also be a result of human error, failure of business processes or intentional action of authorised or unauthorised people.
Possible data subject impact of the web site is determined by type and amount of data processed on/by particular web site.
Data subject impact is one of three main elements determining privacy friendly score and is estimated by analysts reviewing the web. Score is estimated on a scale 0 to 100 based on the strict method analysts are trained to use. Main inputs for the evaluation include:
- What kind of data is collected using online forms, uploads or other types of interaction with the visitors (basic contact info, user credentials, sensitive information (i.e. credit card info), special categories of personal data (i.e. health information, sexual orientation etc.).
- What kind of cookies are used by the web site and what personal data do they process?
- Amount of data being collected. (based on the estimated number of visitors and amount of data they provide).