Update the handbook.

Change-Id: Id5ccfe532b1bee3c6109a8532f27acafe0085234
diff --git a/handbook/eclipse.html b/handbook/eclipse.html
index e80fd8f..c362b89 100644
--- a/handbook/eclipse.html
+++ b/handbook/eclipse.html
@@ -147,6 +147,11 @@
 <li><a href="#8_Revisions">8. Revisions</a></li>
 </ul>
 </li>
+<li><a href="#dpia">Data Protection Impact Assessment Guidelines</a>
+<ul class="sectlevel2">
+<li><a href="#dpia-contents">What should a DPIA include?</a></li>
+</ul>
+</li>
 </ul>
 </li>
 </ul>
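Review bot: The five added TOC lines use class="sectlevel2", and the section they link to uses sectionbody, ulist and exampleblock, which reads like generated output rather than hand-written HTML. If handbook/eclipse.html is built from another source file, please confirm that source carries the same DPIA section, otherwise the next regeneration will drop these lines. Both new anchors, #dpia and #dpia-contents, do match the ids added later in this patch.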
@@ -164,7 +169,7 @@
 <p>This document includes content originally authored on the <a href="http://wiki.eclipse.org">Eclipsepedia wiki</a> by Wayne Beaton, Fabian Steeg, Denis Roy, Dave Carver, Ed Merks, Bjorn Freeman-Benson, Anne Jacko, Ian Skerrett, Mike Milinkovich, and John Arthorne.</p>
 </div>
 <div class="paragraph">
-<p>Version 1.0M5.</p>
+<p>Version 1.0M6.</p>
 </div>
 </div>
 </div>
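Review bot: The version bump on the "Version 1.0M6." line is not mentioned in the commit message, which says only "Update the handbook." Please name the two things this change does (adds the DPIA guidelines section, bumps the handbook to 1.0M6) so the milestone can be found from the log. The new section also declares its own "Version 1.0", so a reader sees two version strings on one page; a word such as "Guidelines version 1.0" in the later hunk would keep them apart.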
@@ -5698,4 +5703,115 @@
 </div>
 </div>
 </div>
+</div>
+<div class="sect1">
+<h2 id="dpia"><a class="anchor" href="#dpia"></a><a class="link" href="#dpia">Data Protection Impact Assessment Guidelines</a></h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>Version 1.0
+Last updated: September 11, 2019</p>
+</div>
+<div class="paragraph">
+<p>This document is meant to provide advice to the Eclipse Foundation projects and community, in order to help determine where and when a data protection impact assessment (DPIA) is required and what it should contain.</p>
+</div>
+<div class="paragraph">
+<p>This document is maintained by the Eclipse Foundation and the following individuals are responsible for it:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Paul White, Data Protection Officer</p>
+</li>
+<li>
+<p>Matt Ward, IT Manager</p>
+</li>
+<li>
+<p>Denis Roy, IT Director</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>The General Data Protection Regulation (GDPR) requires a DPIA be completed when there is a “high risk to the rights and freedoms of natural persons” due to the collection and processing of data.  Some examples of this would be things like:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Combining data sets in order to profile users;</p>
+</li>
+<li>
+<p>Where the collected data can be used to make automated decisions about a person or to deny them access to services; or</p>
+</li>
+<li>
+<p>The data is personally sensitive.</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>When considering the risk you should adopt the perspective of the person providing this information.  Would you feel comfortable providing this information to someone else, what concerns would you have about the handling or management of the data?</p>
+</div>
+<div class="sect2">
+<h3 id="dpia-contents"><a class="anchor" href="#dpia-contents"></a><a class="link" href="#dpia-contents">What should a DPIA include?</a></h3>
+<div class="paragraph">
+<p>At a minimum a good DPIA includes:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>A description of the planned processing operations;</p>
+</li>
+<li>
+<p>An explanation of why you are collecting this data, and how you plan to use it;</p>
+</li>
+<li>
+<p>An assessment of the risks to individuals; and</p>
+</li>
+<li>
+<p>How do you plan to protect this data (technologically or procedurally).</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>As a best practice the results from creating a DPIA should be published, in order to promote transparency and trust in the people performing the assessment.  However you may wish to produce a slightly ‘pared down’ version for publication if the original version would cause security of the data to be compromised</p>
+</div>
+<div class="exampleblock">
+<div class="title">Example 2. Example Data Protection Impact Assessment</div>
+<div class="content">
+<div class="paragraph">
+<p><strong>Fish Data Protection Impact Assessment</strong></p>
+</div>
+<div class="paragraph">
+<p>The Fish IoT project is looking to start combining data from a family of IoT devices (PetFinder Plus series) that are produced by a third party, and to combine that with data from our public management server in order to produce a contact list of people.</p>
+</div>
+<div class="paragraph">
+<p>We will do this by using cloud based virtual servers and cross referencing the email addresses stored in our management server with the registration email stored by the PetFinder plus devices and provided by the device when it is contacted by the registration server.</p>
+</div>
+<div class="paragraph">
+<p>There is a moderate risk to individuals as they may be using email addresses that are not published elsewhere, and the data returned from the remote devices can contain GPS coordinates which could allow a specific individual to be identified.</p>
+</div>
+<div class="paragraph">
+<p>In order to reduce the risks we:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Use SSL/TLS to protect the data in transit between our server and the remote device;</p>
+</li>
+<li>
+<p>Ensure that the data storage area is encrypted using commercially available tools;</p>
+</li>
+<li>
+<p>Limit access to the information to only those identified in our Data retention policy;</p>
+</li>
+<li>
+<p>Keep the data only as long as needed, in keeping with out Data retention policy; and</p>
+</li>
+<li>
+<p>Engage in active monitoring of the server and associated access requests.</p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+</div>
+</div>
 </div>
\ No newline at end of file
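Review bot: The mitigation list at the end of the example has a typo and two wording problems that weaken it as a model DPIA. "in keeping with out Data retention policy" should read "our". "Use SSL/TLS to protect the data in transit" should say "TLS", since the SSL protocol versions are deprecated and an example that names them invites copying. "Limit access to the information to only those identified in our Data retention policy" cites a retention policy for an access decision; if a separate access policy exists, cite that, or say explicitly that the retention policy also lists who may access the data. The example also rates the processing a "moderate risk" while it combines two data sets and returns GPS coordinates, and the guideline text above it lists "Combining data sets in order to profile users" as a high-risk case, so please state why this case falls short of high risk or adjust the rating. Smaller points: "Version 1.0" and "Last updated: September 11, 2019" sit in one <p> and will render on one line; the sentence ending "to be compromised" has no full stop; "PetFinder plus" should match "PetFinder Plus" two paragraphs earlier; the fourth bullet under "What should a DPIA include?" is phrased as a question ("How do you plan to protect this data") while the other three are noun phrases; and the file now ends without a trailing newline.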