ENISA Data Protection Engineering - From Theory to Practice

European Union (ENISA)

vMultiple reports released between 2020 and 2024 (each report has its own publication date)

7 domains

28 controls

ENISA's primary report on the practical engineering of data protection (the umbrella PET / privacy-enhancing-technology document for the EU). 'Data Protection Engineering - From Theory to Practice' (January 2022) sets the connection from Data Protection by Design (GDPR Art.25) to engineering practice via the DPIA process, and surveys the main PETs and their applicability to data protection principles: anonymisation and pseudonymisation, differential privacy, homomorphic encryption, secure multiparty computation, trusted execution environments, private information retrieval, synthetic data, end-to-end encryption, proxy/onion routing, privacy-preserving storage, attribute-based credentials, zero-knowledge proofs, privacy policies/icons/sticky policies, privacy preference signals, privacy dashboards, consent management, and mechanisms for exercising data subject rights of access, erasure and rectification. Complementary ENISA PET works are referenced in the report (Pseudonymisation techniques 2019, Advanced Pseudonymisation 2021, Engineering Personal Data Sharing 2023, Engineering Personal Data Protection in EU Data Spaces 2023).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (7)

ENISA DPE - Access, Communication and Storage

3 controls

Controls in the ENISA DPE - Access, Communication and Storage domain of ENISA Data Protection Engineering - From Theory to Practice — 3 controls
Code	Title	Description
ENISA-DPE-5.1	Communication channels (end-to-end encryption, proxy/onion routing)	Protect communications using end-to-end encryption (preventing intermediaries from accessing content) and traffic-patter...
ENISA-DPE-5.2	Privacy-preserving storage	Storage protects personal data at rest via encryption, key management, access segmentation, deniable/searchable encrypti...
ENISA-DPE-5.3	Privacy-enhancing access control and authorisation (ABC, ZKP)	Privacy-enhancing access control includes privacy-enhancing attribute-based credentials (ABCs) and zero-knowledge proofs...

ENISA DPE - Anonymisation and Pseudonymisation

4 controls

Controls in the ENISA DPE - Anonymisation and Pseudonymisation domain of ENISA Data Protection Engineering - From Theory to Practice — 4 controls
Code	Title	Description
ENISA-DPE-3.1	Anonymisation	Anonymisation removes all means reasonably likely to be used to identify a natural person from a dataset; if successful...
ENISA-DPE-3.2	Pseudonymisation	Pseudonymisation (GDPR Art.4(5)) processes personal data in a way that the data can no longer be attributed to a specifi...
ENISA-DPE-3.3	Differential privacy	Differential privacy provides mathematically bounded privacy guarantees (parameterised by epsilon and delta) by adding c...
ENISA-DPE-3.4	Selecting an anonymisation scheme	Selecting an anonymisation/pseudonymisation scheme should be driven by the data utility required, the threat model (moti...

ENISA DPE - Conclusions and Assurance

3 controls

Controls in the ENISA DPE - Conclusions and Assurance domain of ENISA Data Protection Engineering - From Theory to Practice — 3 controls
Code	Title	Description
ENISA-DPE-7.1	Defining the most applicable technique	Selection of the most applicable PET should be driven by the data protection requirement (the principle being implemente...
ENISA-DPE-7.2	Establishing the state of the art	GDPR Article 32 requires measures that reflect the state of the art; engineers should track PET and security state-of-th...
ENISA-DPE-7.3	Demonstrate compliance and provide assurance	Demonstrate accountability under GDPR Article 5(2): document the data protection engineering decisions, the implemented...

ENISA DPE - Engineering Data Protection

3 controls

Controls in the ENISA DPE - Engineering Data Protection domain of ENISA Data Protection Engineering - From Theory to Practice — 3 controls
Code	Title	Description
ENISA-DPE-2.1	From DPbD to data protection engineering	Moves the high-level requirements of Data Protection by Design into engineering practice: identifying the data protectio...
ENISA-DPE-2.2	Connection with the Data Protection Impact Assessment	Engineering decisions on PETs and other measures should be informed by, and feed back into, the Data Protection Impact A...
ENISA-DPE-2.3	Privacy-Enhancing Technologies (overview and taxonomy)	Categorises Privacy-Enhancing Technologies (PETs) and frames how each addresses data protection principles. Three broad...

ENISA DPE - Introduction and Data Protection by Design

2 controls

Controls in the ENISA DPE - Introduction and Data Protection by Design domain of ENISA Data Protection Engineering - From Theory to Practice — 2 controls
Code	Title	Description
ENISA-DPE-1.1	Data Protection by Design	Data Protection by Design and by Default (GDPR Article 25) requires that, at the time of determining the means for proce...
ENISA-DPE-1.2	Scope of data protection engineering	The scope of data protection engineering is the practical implementation of GDPR-aligned privacy-engineering measures wi...

ENISA DPE - Privacy-Preserving Computation

5 controls

Controls in the ENISA DPE - Privacy-Preserving Computation domain of ENISA Data Protection Engineering - From Theory to Practice — 5 controls
Code	Title	Description
ENISA-DPE-4.1	Homomorphic encryption	Homomorphic encryption allows computation over encrypted data without first decrypting it, with partial schemes (additiv...
ENISA-DPE-4.2	Secure multiparty computation (MPC)	Secure multiparty computation lets parties jointly compute a function over their inputs while keeping those inputs priva...
ENISA-DPE-4.3	Trusted execution environments (TEEs)	TEEs (e.g. Intel SGX, ARM TrustZone, AMD SEV) provide a hardware-protected enclave where confidential computation can ru...
ENISA-DPE-4.4	Private information retrieval (PIR)	Private information retrieval allows a client to retrieve a record from a database without revealing which record was re...
ENISA-DPE-4.5	Synthetic data	Synthetic data generation produces artificial datasets that preserve statistical properties of the original data without...

ENISA DPE - Transparency, Intervenability and User Control

8 controls

Controls in the ENISA DPE - Transparency, Intervenability and User Control domain of ENISA Data Protection Engineering - From Theory to Practice — 8 controls
Code	Title	Description
ENISA-DPE-6.1	Privacy policies	Privacy policies provide the data subject with the GDPR Article 13/14 information in a concise, transparent, intelligibl...
ENISA-DPE-6.10	Exercising the rights to erasure and rectification	Engineering support for the rights to rectification (GDPR Article 16) and erasure (GDPR Article 17): identifying and rea...
ENISA-DPE-6.2	Privacy icons	Standardised privacy icons supplement textual notices and convey the key elements of a processing activity (purpose, ret...
ENISA-DPE-6.3	Sticky policies	Sticky policies bind a machine-readable usage policy to the personal data itself, supporting downstream enforcement of p...
ENISA-DPE-6.4	Privacy preference signals	Privacy preference signals (e.g. Global Privacy Control, OAS/Tracking Preference) let users automatically communicate co...
ENISA-DPE-6.5	Privacy dashboards	Privacy dashboards (service-side and user-side) give data subjects visibility into and control over the personal data a...
ENISA-DPE-6.6	Consent management (gathering and systems)	Consent management covers consent gathering (granular, specific, informed, unambiguous, freely given, easy to withdraw)...
ENISA-DPE-6.9	Exercising the right of access	Engineering support for data subject right of access (GDPR Article 15): authenticated request channels, machine-readable...

Maps to 2 other frameworks

28 total controls

GDPR

16 source controls mapped|3 target controls covered

57%

NIST Cybersecurity Framework 2.0

3 source controls mapped|3 target controls covered

11%

Compare ENISA Data Protection Engineering - From Theory to Practice with GDPR

Frequently Asked Questions

What is ENISA Data Protection Engineering - From Theory to Practice?

ENISA Data Protection Engineering - From Theory to Practice is a compliance framework from European Union (ENISA) with 7 domains and 28 controls. ENISA's primary report on the practical engineering of data protection (the umbrella PET / privacy-enhancing-technology document for the EU). 'Data Protection Engineering - From Theory to Practice' (January 2022) sets the connection from Data Protection by Design (GDPR Art.25) to engineering practice via the DPIA process, and surveys the main PETs and their applicability to data protection principles: anonymisation and pseudonymisation, differential privacy, homomorphic encryption, secure multiparty computation, trusted execution environments, private information retrieval, synthetic data, end-to-end encryption, proxy/onion routing, privacy-preserving storage, attribute-based credentials, zero-knowledge proofs, privacy policies/icons/sticky policies, privacy preference signals, privacy dashboards, consent management, and mechanisms for exercising data subject rights of access, erasure and rectification. Complementary ENISA PET works are referenced in the report (Pseudonymisation techniques 2019, Advanced Pseudonymisation 2021, Engineering Personal Data Sharing 2023, Engineering Personal Data Protection in EU Data Spaces 2023). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does ENISA Data Protection Engineering - From Theory to Practice have?

ENISA Data Protection Engineering - From Theory to Practice has 28 controls organised across 7 domains. The largest domains are ENISA DPE - Transparency, Intervenability and User Control (8 controls), ENISA DPE - Privacy-Preserving Computation (5 controls), ENISA DPE - Anonymisation and Pseudonymisation (4 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does ENISA Data Protection Engineering - From Theory to Practice map to?

ENISA Data Protection Engineering - From Theory to Practice maps to 2 other compliance frameworks. The top mapping partners are GDPR (57% coverage), NIST Cybersecurity Framework 2.0 (11% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with ENISA Data Protection Engineering - From Theory to Practice compliance?

Start your ENISA Data Protection Engineering - From Theory to Practice compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ENISA Data Protection Engineering - From Theory to Practice requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 28 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required