Methods and Tools for GDPR Compliance through Privacy and Data Protection 4 Engineering
PDP4E privacy engineering toolkit
Yod Samuel Martín (UPM)
Gabriel Pedroza (CEA LIST)
IPEN Workshop 2019 - Rome, June 12 2019
This project has received funding from the European
Union’s Horizon 2020 research and innovation
programme under grant agreement No 787034
Should GDPR be an engineer’s job?
(Tip: It seems it should indeed)
18/06/2019 1/3 PDP4E
The privacy and data protection engineering gap
What engineers get… What engineers want…
[Figure labels: GDPR; PbD; PETs; PPM/PEM]
PDP4E response: what engineers need
[Diagram labels: Software and Systems Engineering Disciplines; Existent Privacy & Data Protection Methods; Privacy and Data Protection Engineering Methods and Tools]
Engineers are not privacy experts, yet they will face privacy issues (even if they may get expert advice).
Privacy adoption calls for methods and tools integrated within the large heritage of software & systems engineering.
1. Seamlessly include privacy & data protection into software & system engineering tools
2. Integrate privacy & data protection activities into the SDLC stages
3. Provide a readily available body of knowledge with existent wisdom
4. Foster a community of privacy & data protection engineering
“Endow engineers with privacy and data protection tools aligned to their mindset”
PDP4E response: what engineers need
[Diagram labels: Metamodels; Knowledge Bases; Smart grid demonstrator; Fintech demonstrator; Requirements engineering; Risk management; Model-driven design; Assurance and certification; TRL6; TRL7; Byproducts; Connected vehicle demonstrator; Smart grid demonstrator]
[Diagram labels: Risk Management; Model-Driven Design; Requirements Engineering; Assurance; System Models; Requirements; Threats, Controls…; Reqs., Controls…; Privacy Controls; Evidences; Regulation, Ass. Patterns; Patterns…]
Risk-orientation of GDPR
Even if there is no damage to the data subject,
you are not compliant if you don’t assess and mitigate risks.
Multilateral risk management:
- Data protection impact assessment
- Security impact analysis, security measures
- Compensations, liabilities and fines
- Supply Chain and Vendor Relationship Management (i.e. processors, joint controllers, third parties, transfers…)
- Risks to rights and freedoms of the data subjects
- Risks derived from data breaches
- Derived business risks
- …
But not everything in GDPR is a risk:
- e.g. “risk of not asking the data subjects their age” (GOAL)
- e.g. “risk of not providing a transparent policy” (GOAL)
- vs “risk of misidentifying a child as an adult” (UNCERTAINTY)
- vs “risk of users having low reading skills” (UNCERTAINTY)
MUSA risk management tool for security impact assessment
GDPR modelling in OpenCert: Reference Framework and Assurance Patterns
Papyrus overview
Privacy & data protection requirements metamodel (through Papyrus)
PDP4E Privacy & data protection requirements engineering method
[Diagram of the method]
Legend: Method Step; External Input; External Input (new); Internal Input/output
Method steps: Requirement Information Deduction; Generation of Privacy Requirement Candidates; Adjust Privacy Requirements; Validate Privacy Requirements
Internal inputs/outputs: Requirement Information; Privacy Requirement Candidates; Adjusted Privacy Requirements; Validated Privacy Requirements
Other labels: ProPAn Artefacts; PDP Goal; Requirement; Metamodel; Data Protection Principle; Hansen; Semantic Template; P-DFD; ProPAn; Taxonomy; PDP Metamodel; Personal data detector
Modelling-driven design for Privacy and Data Protection engineering (through Papyrus)
[Diagram labels: Code verification and validation; Model transformation; Risk Management; Requirem. Engineering; Systems Assurance; System (Asset) models; Evidences (traceability, V&V…); Privacy Controls; Requirements (GDPR, ISO29100)]
Privacy & data protection model-driven design method
1) Choose design strategy to fulfill goals/requirements
2) Design/enrich system Process view(s)
3) Apply strategy (e.g., inform, control, enforce, demonstrate)

1) Choose design strategy to fulfill goals/requirements
2) Design/enrich system Data view(s)
3) Apply strategy (e.g., minimize, separate, abstract, hide)
Image sources
- Slides 1, 2, 5: all the logos of the PDP4E partners, publications, and others are copyrighted and/or trademarked by the respective organizations.
- Slide 2: captures of the headlines from browsing through the following webpages, used under right of quotation:
  - How GDPR Will Change The Way You Develop https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/ by Heather Burns, at Smashing Magazine.
  - 15 steps to developing GDPR-compliant apps https://techbeacon.com/security/15-steps-developing-gdpr-compliant-apps by Johanna Curiel, at TechBeacon.
  - What Developers and Publishers Need to Know About the GDPR https://medium.com/struucom/what-developers-and-publishers-need-to-know-about-the-gdpr-cfe0f97412f by Struu blog on Medium.
  - What Developers Need to Know About Europe’s Data Privacy Rules https://spectrum.ieee.org/at-work/tech-careers/what-developers-need-to-know-about-europes-data-privacy-rules by Jeremy Hsu, at IEEE Spectrum.
  - Your Guide to the GDPR https://spectrum.ieee.org/telecom/internet/your-guide-to-the-gdpr by Rosa María García Sanz, at IEEE Spectrum.
  - I’m a Developer and General Data Protection Regulation (GDPR) is no big deal. Or is it? https://hackernoon.com/im-a-developer-and-general-data-protection-regulation-gdpr-is-no-big-deal-or-is-it-2f2b7b3f124 by Bryan Soltis, at Hackernoon blog on Medium.
- Slides 3, 10 (images here cited under right of quotation or provided by PDP4E partners, unless otherwise specified):
  - Judge Gavel https://www.publicdomainpictures.net/en/view-image.php?image=164515&picture=judge-gavel by George Hodan, image in the public domain.
  - Privacy by Design 7 principles http://privacybydesign.ca/ (offline) by Ann Cavoukian
  - OneTrust privacy shield dashboard https://www.onetrust.com/es/products/ © OneTrust
  - ‘Time to adopt’ PETs poster © Enisa, use authorized under https://www.enisa.europa.eu/about-enisa/legal-notice
  - Papyrus captures from https://www.eclipse.org/papyrus/ , https://www.eclipse.org/papyrus/components/sysml/0.8.0/ , https://www.polarsys.org/list-of-projects © Eclipse Foundation, Inc.
  - OpenCert capture https://www.amass-ecsel.eu/content/opencert-base-tool-amass-management-assurance-and-compliance © Tecnalia, used under authorization.
- Slide 7: Figure cited from NOTARIO, Nicolás, et al. PRIPARE: integrating privacy best practices into a privacy engineering methodology. In 2015 IEEE Security and Privacy Workshops. IEEE, 2015. p. 151-158.
- Slide 13:
  - DFD by Howard, M., & Lipner, S. (2006). The security development lifecycle: SDL, a process for developing demonstrably more secure software, p. 113.
  - Class diagram https://www.flickr.com/photos/79364035@N04/8402807365 by elisa_abuyah licensed under CC-BY-2.0 license https://creativecommons.org/licenses/by/2.0/
  - SysML IBD http://www.conceptdraw.com/solution-park/resource/images/solutions/software-sysml/Software-Development-SYSML-Block-Definition-Diagram.png by CS Odessa, licensed under the Creative Commons Attribution 4.0 International license.
Methods and Tools for GDPR Compliance through Privacy and Data Protection 4 Engineering
Thank you for your attention
Questions?
For more information, visit:
www.pdp4e-project.org
We’ll be waiting for you
at the APF exhibition booth!
Yod Samuel Martín (UPM)
ys.martin@upm.es
Gabriel Pedroza (CEA)
gabriel.pedroza@cea.fr

PDP4E privacy engineering toolkit IPEN 2019

  • 1. Methods and Tools for GDPR Compliance through Privacy and Data Protection 4 Engineering PDP4E privacy engineering toolkit Yod Samuel Martín (UPM) Gabriel Pedroza (CEA LIST) IPEN Workshop 2019 - Rome, June 12 2019 This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 787034
  • 2. Should GDPR be an engineer’s job? (Tip: It seems it should indeed) 18/06/2019 1/3 PDP4E
  • 3. The privacy and data protection engineering gap What engineers get… What engineers want… GDPR PbD PETs PPM/PEM
  • 4. PDP4E response: what engineers need Software and Systems Engineering Disciplines Existent Privacy & Data Protection Methods Privacy and Data Protection Engineering Methods and Tools Engineers are not privacy experts, yet they will face privacy issues (even if they may get expert advice) Privacy adoption calls for methods and tools integrated within the large heritage of sw. & sys. engineering 1. Seamlessly include privacy & data protection into software & system engineering tools 2. Integrate privacy & data protection activities into the SDLC stages 3. Provide a readily available body of knowledge with existent wisdom 4. Foster a community of privacy & data protection engineering “Endow engineers with privacy and data protection tools aligned to their mindset”
  • 5. PDP4E response: what engineers need Metamodels Knowledge Bases Smart grid demonstrator Fintech demonstrator Requirements engineering Risk management Model-driven design Assurance and certification TRL6 TRL7 Byproducts Connected vehicle demonstrator Smart grid demonstrator
  • 6. System Models Requirements Threats, Controls… Reqs., Controls… Privacy Controls Evidences Risk Management Model-Driven Design Requirements Engineering Assurance Regulation, Ass. Patterns Threats, Controls… Reqs., Controls… Patterns…
  • 7. Risk-orientation of GDPR Even if there is no damage to the data subject, you are not compliant if you don’t assess and mitigate risks. Multilateral risk management: Data protection impact assessment Security impact analysis, security measures Compensations, liabilities and fines Supply Chain and Vendor Relationship Management (i.e. processors, joint controllers, third parties, transfers…) Risks to rights and freedoms of the data subjects Risks derived from data breaches Derived business risks … But not everything in GDPR is a risk:
      - e.g. “risk of not asking the data subjects their age” GOAL
      - e.g. “risk of not providing a transparent policy” GOAL
      - vs “risk of misidentifying a child as an adult” UNCERTAINTY
      - vs “risk of users having low reading skills” UNCERTAINTY
  • 8. MUSA risk management tool for security impact assessment
  • 9. GDPR modelling in OpenCert: Reference Framework and Assurance Patterns
  • 11. Privacy & data protection requirements metamodel (through Papyrus)
  • 12. PDP4E Privacy & data protection requirements engin. method Requirement Information Deduction ProPAn Artefacts PDP Goal Requirement Metamodel Data Protection Principle Hansen Generation of Privacy Requirement Candidates Semantic Template Adjust Privacy Requirements Validate Privacy Requirements Requirement Information Privacy Requirement Candidates Adjusted Privacy Requirements Validated Privacy Requirements Method Step External Input Internal Input/output P-DFD ProPAn Taxonomy PDP Metamodel External Input (new) X
  • 13. Personal data detector Modelling-driven design for Privacy and Data Protection engineering (through Papyrus) Code verification and validation Model transformation Risk Management Requirem. Engineering Systems Assurance System (Asset) models Evidences (traceability, V&V…) Privacy Controls Requirements (GDPR, ISO29100)
  • 14. Privacy & data protection model-driven design method 1) Choose design strategy to fulfill goals/requirements 2) Design/enrich system Process view(s) 3) Apply strategy (e.g., inform, control, enforce, demonstrate) 1) Choose design strategy to fulfill goals/requirements 2) Design/enrich system Data view(s) 3) Apply strategy (e.g., minimize, separate, abstract, hide)
  • 15. Image sources
      - Slides 1, 2, 5: all the logos of the PDP4E partners’, publications, and others are copyrighted and/or trademarked by the respective organizations.
      - Slide 2: captures of the headlines from browsing through the following webpages, used under right of quotation:
          - How GDPR Will Change The Way You Develop https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/ by Heather Burns, at Smashing Magazine.
          - 15 steps to developing GDPR-compliant apps https://techbeacon.com/security/15-steps-developing-gdpr-compliant-apps by Johanna Curiel, at TechBeacon.
          - What Developers and Publishers Need to Know About the GDPR https://medium.com/struucom/what-developers-and-publishers-need-to-know-about-the-gdpr-cfe0f97412f by Struu blog on Medium.
          - What Developers Need to Know About Europe’s Data Privacy Rules https://spectrum.ieee.org/at-work/tech-careers/what-developers-need-to-know-about-europes-data-privacy-rules by Jeremy Hsu, at IEEE Spectrum.
          - Your Guide to the GDPR https://spectrum.ieee.org/telecom/internet/your-guide-to-the-gdpr by Rosa María García Sanz, at IEEE Spectrum.
          - I’m a Developer and General Data Protection Regulation (GDPR) is no big deal. Or is it? https://hackernoon.com/im-a-developer-and-general-data-protection-regulation-gdpr-is-no-big-deal-or-is-it-2f2b7b3f124 by Bryan Soltis, at Hackernoon blog on Medium.
      - Slides 3, 10 (images here cited under right of quotation or provided by PDP4E partners, unless otherwise specified):
          - Judge Gavel https://www.publicdomainpictures.net/en/view-image.php?image=164515&picture=judge-gavel by George Hodan, image in the public domain.
          - Privacy by Design 7 principles http://privacybydesign.ca/ (offline) by Ann Cavoukian
          - OneTrust privacy shield dashboard https://www.onetrust.com/es/products/ © OneTrust
          - ‘Time to adopt’ PETs poster © Enisa, use authorized under https://www.enisa.europa.eu/about-enisa/legal-notice
          - Papyrus captures from https://www.eclipse.org/papyrus/ , https://www.eclipse.org/papyrus/components/sysml/0.8.0/ , https://www.polarsys.org/list-of-projects © Eclipse Foundation, Inc.
          - OpenCert capture https://www.amass-ecsel.eu/content/opencert-base-tool-amass-management-assurance-and-compliance © Tecnalia, used under authorization.
      - Slide 7: Figure cited from NOTARIO, Nicolás, et al. PRIPARE: integrating privacy best practices into a privacy engineering methodology. In 2015 IEEE Security and Privacy Workshops. IEEE, 2015. p. 151-158.
      - Slide 13:
          - DFD by Howard, M., & Lipner, S. (2006). The security development lifecycle: SDL, a process for developing demonstrably more secure software, p. 113
          - Class diagram https://www.flickr.com/photos/79364035@N04/8402807365 by elisa_abuyah licensed under CC-BY-2.0 license https://creativecommons.org/licenses/by/2.0/
          - SysML IBD http://www.conceptdraw.com/solution-park/resource/images/solutions/software-sysml/Software-Development-SYSML-Block-Definition-Diagram.png by CS Odessa, licensed under the Creative Commons Attribution 4.0 International license.
  • 16. Methods and Tools for GDPR Compliance through Privacy and Data Protection 4 Engineering Thank you for your attention Questions? For more information, visit: www.pdp4e-project.org We’ll be waiting for you at the APF exhibition booth! Yod Samuel Martín (UPM) ys.martin@upm.es Gabriel Pedroza (CEA) gabriel.pedroza@cea.fr