Approaching the Data Protection Impact Assessment as a legal methodology to evaluate the degree of privacy by design achieved in technological proposals. A special reference to Identity Management systems

The process of digitalization of societies and innovation is involving the fast introduction of new technologies in different sectors. However, the development of technology represents a challenge as it involves technical, legal, economic and social aspects that have to be considered since its conception or design. The aim of this paper is to offer an adaptation of an existing legal methodology, the Data Protection Impact Assessment, as a legal obligation to evaluate technological proposals and assure compliance with privacy by design requirements. For that purpose, we will refer to the specific case of Identity Management technologies. We introduce the main challenges in the sector of Digital Identity Management as well as the importance of covering the "architecture" and "user" sides in the development of safer technologies by citing concrete examples. Finally, in order to provide a more practical view of the methodology to adapt the Data Protection Impact Assessment, we refer to the work developed in the research project OLYMPUS in the evaluation of its privacy implications. By introducing this example, the paper offers a specific methodology directly reusable for the study of technological proposals in IdM but that can be adapted to any other sector.