Successfully reported this slideshow.
Your SlideShare is downloading. ×

Ipen 2019 roma status of privacy engineering standardisation v2

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Loading in …3
×

Check these out next

1 of 23 Ad
Advertisement

More Related Content

Slideshows for you (20)

Similar to Ipen 2019 roma status of privacy engineering standardisation v2 (20)

Advertisement
Advertisement

Ipen 2019 roma status of privacy engineering standardisation v2

  1. 1. Methods and Tools for GDPR Compliance through Privacy and Data Protection 4 Engineering Status of Privacy Engineering Standardisation Antonio Kung Trialog, 25 rue du Général Foy 75008 Paris antonio.kung@trialog.com 12 June 2019 Status of privacy engineering standardisation Slide 1
  2. 2. Outline Speaker Ecosystem viewpoint: big change in standardisation Privacy engineering: new standards in the pipe IPEN in the loop: recommendation for best practice sharing on privacy engineering 12 June 2019 Status of privacy engineering standardisation Slide 2
  3. 3. Speaker Engineering background Coordinator PRIPARE (pripareproject.eu) 2013-2015  Liaison with ISO/IEC JTC1/SC27/WG5  Member of OASIS (Privacy Management Reference Model - PMRM) Active participation in privacy standards Privacy by design principles  Privacy by design for consumer goods and services (ISO 31700) Privacy engineering  Privacy engineering (ISO/IEC 27550 – to be published)  Big data – Security and privacy fabric (ISO/IEC 20547-4)  Smart cities - Privacy guidelines for smart cities (ISO/IEC 27570)  IoT - Security and privacy guidelines for IoT (ISO/IEC 27030 )  Privacy preference management (ISO/IEC 27556)  Privacy engineering models - study 12 June 2019 Status of privacy engineering standardisation Slide 3
  4. 4. Administrator of IPEN wiki 12 June 2019 Status of privacy engineering standardisation Slide 4
  5. 5. Methods and Tools for GDPR Compliance through Privacy and Data Protection 4 Engineering The ecosystem viewpoint 12 June 2019 Status of privacy engineering standardisation Slide 5
  6. 6. The Ecosystem Viewpoint Security Privacy Trust SafetySmart grid Transport Health Smart Cities Big data IoT Ecosystems Domains ConcernsStakeholders Citizens Business Policy makers Block chain Auto- nomous systems AI Technologies 12 June 2019 Status of privacy engineering standardisation Slide 6
  7. 7. An Integration Issue of Transversal Concern: Example of Security and Privacy 27550 Privacy engineering 20889 Privacy enhancing data de-identification techniques 27001 Information security management systems — Requirements 27005 Information security risk management 27009 Sector-specific application of 27001 – Requirements 27552 Extension to 27001/27002 for privacy management – Requirements and guidelines 29151 Code of practice for personally identifiable information protection 29100 Privacy framework 29134 Privacy impact assessment - Guidelines 27002 Code of practice for information security controls Lifecycle engineering Control design Risk analysis Requirement Privacy Security Privacy Security Privacy Security Privacy Security 27101 Guidelines for cybersecurity framework 12 June 2019 Status of privacy engineering standardisation Slide 7 31700 Privacy-by-design for consumer goods and services
  8. 8. Trends in Standards: Ecosystem Guidance 12 June 2019 Status of privacy engineering standardisation Slide 8 ISO/IEC 30141 IoT Reference Architecture ISO/IEC 20547-3 Big data Reference Architecture ISO/IEC 17789 Cloud computing Reference Architecture ISO/IEC 23751 Data sharing agreement Cloud service customer Ecosystem guidance Cloud service partner Cloud service provider ISO/IEC 27030 Security and privacy guidelines for IoT Iot user Ecosystem guidance IoT service developer IoT service provider ISO/IEC 20547-4 Big data security and privacy Big data service partner Ecosystem guidance Big data application provider Big data provider Big data consumer Big data framework provider
  9. 9. ISO/IEC 27570 Privacy guidelines for smart cities Five processes Governance Risk management Data exchange Engineering Citizen engagement Ecosystem Governance body Organisation 1 Organisation NOrganisation N 12 June 2019 Status of privacy engineering standardisation Slide 9
  10. 10. Example of 27556 Privacy Preference management 12 June 2019 Status of privacy engineering standardisation Slide 10 Privacy preference manager De- identification PII handling Data transfer control Data source collection Consent Information administration Privacy preference administration Control Rule generation Transparency administration Privacy Preference Manager
  11. 11. What is next? ISO/IEC JTC1 SG6 « Meta Reference Architecture » Workshop Montreal 20-22 August Will gather standard editors on important standards Architecture (system, cloud, big data, IoT, smart city) Cross cutting concern (security, privacy, safety, trust…) Governance and continuous improvement Objective Reach common understanding Define shape of convergent standards Define roadmap 12 June 2019 Status of privacy engineering standardisation Slide 11
  12. 12. Methods and Tools for GDPR Compliance through Privacy and Data Protection 4 Engineering Privacy engineering standards 12 June 2019 Status of privacy engineering standardisation Slide 12
  13. 13. Current work 12 June 2019 Status of privacy engineering standardisation Slide 13 Principles ISO 37100 Privacy-by-design for consumer goods and services Pending ISO/IEC 29100 Privacy framework Published (free) Mechanism ISO/IEC 20889 Data de-identification terminology and classification of techniques Published ISO/IEC 29184 Online privacy notices and consent Pending Organisation practice ISO/IEC 27550 Privacy engineering for system life cycle processes 2019 ISO/IEC 27552 Privacy information management -- requirements and guidelines 2019 ISO/IEC 27555 Establishing a PII deletion concept in organisations Pending ISO/IEC 27556 User-centric framework for privacy preference management Pending ISO/IEC 29134 Privacy impact assessment guidelines Published ISO/IEC 29151 Code of practice for PII protection Published ISO/IEC 29190 Privacy capability assessment model Published Ecosystem practice ISO/IEC 20547-4 Big data security and privacy Pending ISO/IEC 27030 Security and privacy guidelines for IoT Pending ISO/IEC 27570 Privacy guidelines for smart cities Pending ISO/IEC 23751 Data sharing agreements Pending
  14. 14. Privacy Engineering: Integrating privacy concerns Privacy Privacy Privacy Privacy Privacy Privacy Privacy! 12 June 2019 Status of privacy engineering standardisation Slide 14
  15. 15. Beyond CIA Confidentiality Integrity Availability Unlinkability Intervenability Transparency 12 June 2019 Status of privacy engineering standardisation Slide 15 From ULD: ieee-security.org/TC/SPW2015/IWPE/2.pdf
  16. 16. Privacy threats analysis: LINDDUN https://distrinet.cs.kuleuven.be/software/linddun/catalog.php 12 June 2019 Property Threat Hard privacy Unlinkability Linkability Anonymity Identifiability Plausible deniability Non-repudiation Undetectability and unobservability Detectability Security Confidentiality Disclosure of information Soft Privacy Content awareness Unawareness Policy and consent compliance Non compliance Status of privacy engineering standardisation Slide 16
  17. 17. Design Strategy (J.H.Hoepman) https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design/at_download/fullReport Design strategy Description Data oriented strategies Minimize Limit as much as possible the processing of PII Separate Distribute or isolate personal data as much as possible, to prevent correlation Abstract Limit as much as possible the detail in which personal data is processed, while still being useful Hide Prevent PII to become public or known. Process oriented strategies Inform Inform PII principals about the processing of PII Control Provide PII principals control about the processing of their PII. Enforce Commit to PII processing in a privacy friendly way, and enforce this Demonstrate Demonstrate that PII is processed in a privacy friendly way. 12 June 2019 Status of privacy engineering standardisation Slide 17
  18. 18. What is next? New standards in the pipe A possible scenario 12 June 2019 Status of privacy engineering standardisation Slide 18 ISO 31700 Privacy by design for consumer goods and services principles 2019 2020 2021 2022 SC27/WG5 study Privacy engineering models Privacy engineering (IS) 27550 Edition 2 (from TR to IS)
  19. 19. Participation to Standardisation Liaison category C with ISO/IEC JTC1/SC27/WG5 12 June 2019 Status of privacy engineering standardisation Slide 19
  20. 20. Methods and Tools for GDPR Compliance through Privacy and Data Protection 4 Engineering IPEN in the Loop: Recommendation for best practice sharing on privacy engineering 12 June 2019 Status of privacy engineering standardisation Slide 20
  21. 21. Creating a Virtuous Cycle Best practice sharing on privacy engineering will drive new standards Conditions Community participation  e.g. H2020 cluster of GDPR projects Repository operation Content  Textual information (use case like)  Models Management  Editorial and acceptance process 12 June 2019 Status of privacy engineering standardisation Slide 21 Privacy engineering standards Sharing Privacy engineering Practice Proposal for new standards
  22. 22. PDP4E Contribution to Best Practice Sharing Models for privacy engineering IPR free Guidelines for use Possible contributions Use case for smart grid big data Use case connected vehicles (C-ITS) 12 June 2019 Status of privacy engineering standardisation PDP4E– Slide 22 Repository of models for privacy engineering Models for Lifecycle processes? IPEN community Managed by Models for Risk analysis? Models for Requirements Engineering? Models for Privacy Assurance?
  23. 23. Question? antonio.kung@trialog.com www.trialog.com 12 June 2019 Status of privacy engineering standardisation Slide 23

Editor's Notes

  • 0.03 – 2.00

    My name is Antonio Kung
    I am the CTO of Trialog a French software house which focuses on IoT – involved in energy, mobility, health and care
    My background is engineering so I am not afraid to go in the details of technology and engineering

    I am very much involved on standardisation of privacy
    I am the editor of privacy engineering,
    contributor to big data, rapporteur for privacy in smart cities and privacy guidelnies in the IoT

    I am the member of an informal community launched by EDPS (European Data Protection Supervisor). And I manage a web site on existing work on privacy standards. The URL is ipen.trialog.com

    I am the lead the support action PRIPARE which has published a methodology for privacy engineering
  • 2.00 – 2.03

    I will take a policy maker viewpoin
  • 2.03 – 3.00

    Smart cities deal with a complex ecosystem

    We talk today about Smart cities, Big Data, The Internet of things. They can all be considered as complex ecosystems
    They integrate business domains such as smart grid, health, transport
    They integrate concerns such as privacy, security or others, for instance safety
  • 2.00 – 2.03

    I will take a policy maker viewpoin
  • 13.00
    From an engineering viewpoint, the main objective is to integrate privacy concerns along the lifecycle process.

    This picture is taken from the PRIPARE handbook

    It shows

    First the various phases from the analysis, design, implementation, verification, release, maintenance et decommissioning
    And secondly a central item called environment and infrastructure which consists of company knowledge, best practice, assets, …

    Note that the institutionalisation of privacy management is reflected in this central item.
  • 2.00 – 2.03

    I will take a policy maker viewpoin

×