This project has received funding from the European
Union’s Horizon 2020 research and innovation
programme under grant agreement No 787068.
Aggeliki Tsohou, Assistant Professor
Ionian University, Dept. of Informatics
The Mediterranean Conference on Information Systems (MCIS 2018)
30th September 2018
Outline
• The General Data Protection Regulation (GDPR): overview and history
• Challenges of GDPR compliance
• The DEFeND project and how it addresses (some of) the challenges:
  • Objectives
  • Architecture and Components
  • Management and Organization of work
The drivers of the GDPR regulation
• Need for modernization: new or advanced online services and technologies have emerged since the era in which the previous rules were introduced (e.g., social networks, location-based services, cloud computing, data processing and storage capabilities)
• Need to give individuals back control over their personal data
• Need to simplify the regulatory environment for business
• Unnecessary administrative requirements for businesses (e.g. notification to several data protection authorities) causing significant costs
Significant Milestones of the GDPR
• In January 2012 the EU proposes a reform of data protection rules to increase users' control of their data and to cut costs for businesses
• In March 2014 the European Parliament approves the proposal for the new regulation (first reading)
• In April 2016 the GDPR is announced
• In May 2016 the GDPR enters into force
• In May 2018 the GDPR applies
GDPR: Changes and Implications Compared to the 95/46/EC
• Extension of data that fall under the categories of personal data and special categories of personal data
• Heavier responsibility and role for the data controllers and processors
• Appointment of Data Protection Officer
• Wider territorial scope
• Additional rights to the data subjects
• Differentiations on the role for the data protection authorities
• Privacy by default and personal data impact assessment as core principle for the design of information systems
GDPR: Changes and Implications Compared to the Previous Regulation
And of course… higher penalties!
Up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher
(only some of the) Research Gaps and Opportunities
• Obtaining data subjects’ consent
• Ensuring data subjects’ rights (e.g., right to erasure, right to data portability)
• Ensuring personal data control
• Designing and implementing information systems that ensure privacy by design and by default
• Demonstrating compliance with GDPR
• Performing privacy impact assessment
Our Group’s Ongoing Research in Informed Consent and Privacy Awareness
§ Tsohou, A. and Kosta, E. (2017), Enabling valid informed consent for location tracking through privacy awareness of users: A process theory, Computer Law & Security Review: The International Journal of Technology Law and Practice, Vol. 33, No. 4, pp. 434-457
§ Soumelidou K. and Tsohou A. Effects of Privacy Policy Visualization on Users’ Information Privacy Awareness Level – The Case of Instagram, IT & People (under review)
§ Paspatis, I., Tsohou A. and Kokolakis S. (2017), Mobile Application Privacy Risks: Viber Users’ De-Anonymization Using Public Data, 11th Mediterranean Conference on Information Systems, Genova, Italy, September 2017
§ Paspatis, I., Tsohou A. and Kokolakis S. (2018), AppAware: A Model For Privacy Policy Visualization For Mobile Applications, 12th Mediterranean Conference on Information Systems, Corfu, Greece, September 2018
GDPR: CHALLENGES
7 KEY PRINCIPLES
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Integrity and confidentiality
• Storage limitation
• Accuracy
• Accountability
ACCOUNTABILITY
• Contractual organization
• Privacy-by-design & Privacy-by-default
• Records of data processing activities
• Privacy Impact Assessments
• Data Protection Officer
RIGHTS OF INDIVIDUALS
• Information
• Access
• Rectification
• Erasure
• Restriction
• Portability
• Objection
• Automated decision-making / profiling
IMPLEMENTING PRIVACY BY DESIGN/PRIVACY ENGINEERING
Implement technical and organizational measures to show that the organization has considered and integrated data compliance measures into data processing activities
DATA DE-IDENTIFICATION/ANONYMIZATION
Assess and implement anonymization and pseudonymization techniques to fall outside the scope of the GDPR or comply with certain requirements
MEETING REGULATORY REPORTING REQUIREMENTS
Set up methods to review compliance activities and keep records for internal and external reporting to demonstrate compliance (e.g. privacy notices and records of privacy-related escalation handling activities)
ADDRESSING INTERNATIONAL DATA TRANSFERS
Map international data flows and manage mechanisms to allow for transfer of data to non-EEA countries (BCRs, MCCs, Privacy Shield, etc.)
DEVELOPING A GDPR PRIVACY PLAN
Conduct a comprehensive assessment of the organization's readiness for GDPR and develop a plan of action to reach compliance
CREATING A THIRD PARTY MANAGEMENT PROGRAM
Manage third party vendor risk and create policies, procedures and ongoing management to ensure third party compliance and implementation of necessary contractual arrangements
MANAGING PRIVACY COMPLAINTS AND INDIVIDUAL RIGHTS
Develop processes and policies to respond to requests made by individuals (right to information but also access, rectification, restriction, objection, erasure and portability rights)
MANAGING PRIVACY INCIDENTS AND BREACH NOTIFICATION
Review information security policies and breach handling incident response plans to comply with the strict formal reporting (notification) obligations
CREATING DATA INVENTORY AND MAPS
Inventory of processing activities and data flows, classified by data type, purpose and responsibilities.
CONDUCTING PRIVACY RISK ASSESSMENTS (PIAs/DPIAs)
Design and implement processes to conduct and manage PIAs/DPIAs and risk assessments across the organization, based on legal and regulatory requirements
OBTAINING AND MANAGING USER CONSENT
Develop processes to comply with new consent requirements: ‘a statement or a clear affirmative action’ from the data subject, which must be ‘freely given, specific, informed and unambiguous’
SELECTION OF APPROPRIATE SECURITY TECHNICAL AND ORGANISATIONAL MEASURES
Implement physical, technical, and administrative measures to keep personal data secure and confidential through adequate standard or certification
ORGANISATION
START DATE: 1 July 2018
CALL TOPIC: H2020-DS08-2017 Cybersecurity PPP: Privacy, Data Protection, Digital Identities
DURATION: 30 months
GRANT AMOUNT: EUR 2,737,300.00
OBJECTIVES
1. Design and development of a successful, MARKET-ORIENTED, PLATFORM to support organizations towards GDPR compliance
2. Develop a MODULAR SOLUTION that covers different aspects of the GDPR
3. AUTOMATED methods and techniques to elicit, map and ANALYZE DATA that organizations hold for individuals
4. Advanced modelling languages and methodologies for privacy-by-design and DATA PROTECTION management
5. Specification, management and enforcement of PERSONAL DATA CONSENT
6. Integrated ENCRYPTION AND ANONYMIZATION solutions for GDPR
7. DEPLOYMENT and VALIDATION of the DEFeND platform in real operational environments
DEFeND PARADIGM
The Model-Driven Privacy Governance (MDPG) paradigm enables building (from an abstract to a concrete level) and analyzing privacy-related models following a Privacy-by-Design approach that spans two levels, the Planning Level and the Operational Level, and three management areas, i.e. Data Scope, Data Process and Data Breach.
DEFeND PLATFORM toward GDPR compliance
[Figure: a grid of three management areas, Data Scope Management (DSM), Data Process Management (DPM) and Data Breach Management (DBM), across the Planning Level and the Operational Level, with each function annotated with GDPR articles. Labels with their article annotation: Personal data consent (Art. 6, 7, 8, 13, 14); Data access rights (Art. 15); Security and privacy specification (Art. 24); Data Breach Plan Specification (Art. 34); Security and Privacy Technologies (Art. 32); Privacy Data Consent Monitoring and Notification (Art. 19); Data breach Detection, Notification and Response (Art. 23, 33, 34, 36). Other labels (annotated on the slide with Art. 4, 5, 23, 25 and 35): Data flows; Identify data, assets; Identify accountability; Organisational information establishments; Data Protection Impact Assessment (DPIA); Security and Privacy Threats; Privacy by Design; Data transparency, lawfulness, minimisation.]
DEFeND ARCHITECTURE
[Figure: architecture diagram organised by the three management areas, Data Scope Management (DSM), Data Process Management (DPM) and Data Breach Management (DBM). Components: Data Assessment Component (DAC), Data Privacy Analysis Component (DPAC), Privacy Specification Component (PSC), Privacy Implementation and Monitoring Component (PIMC), Data Breach Component (DBC). Functions shown: Organisation Data Collection; Assessment Translator; DPIA Analysis; Data Minimisation Analysis; Threat Analysis; Privacy by Design/Default; Data Access Rights Analysis; Consent Analysis; Security/Privacy Technologies; Privacy Technologies Runtime; Privacy Data Consent Monitoring Notification; Data Breach Modelling and Analysis; Data breach Detection and Response. Models shown: Data Assessment Model; Data Privacy Model; Security/Privacy Specification Model; Privacy Data Consent (PDC) Model; Data Breach Model.]
GDPR DASHBOARD
[Figure: dashboard diagram (dashBoardBackEnd). Actors: Data Controller-Processor, Data Subject, Supervisory Authorities. Services: GDPR Planning Service; GDPR Reporting Service; Data Scope Management Service (DSM); Data Process Management Service (DPM); Data Breach Management Service (DBM). Components: Data Assessment Component (DAC); Data Privacy Analysis Component (DPAC); Privacy Specification Component (PSC); Privacy Implementation and Monitoring Component (PIMC); Data Breach Component (DBC). Inputs and outputs shown: Organisational Information; Consent Preferences; Data Assessment Model; Privacy Data Consent Model; Security/Privacy Specification Model; GDPR Readiness Report; GDPR Report; GDPR Authorities Report; Breach Notification.]
WORK PLAN
WP1: PROJECT, QUALITY AND COMPLIANCE MANAGEMENT
T1.1: Project Management
T2.2: Quality and Innovation Management
T2.3: Compliance and Ethics Management
T1.4: Technical Management
T1.5: Security Advisory Board
WP2: REQUIREMENTS AND ARCHITECTURE
T2.1: Requirements and Specifications
T2.2: Privacy and Compliance Requirements
T2.3: Platform Architecture
T2.4: Definition of pilots’ scenarios
WP3: DEVELOPMENT OF PLATFORM SERVICES
T3.1: Data Scope Management
T3.2: Data Process Management
T3.3: Data Breach Management
T4.4: Dashboard
WP4: INTEGRATION, DEPLOYMENT AND TESTING
T4.1: Services’ integration
T4.2: Security and Legal Compliance Audit
T4.3: Platform Testing and Refinement
WP5: PILOTS PREPARATION AND EXECUTION
T5.1: Pilots’ preparations
T5.2: Pilots’ execution and evaluation
T5.3: Pilots’ final demonstration
WP6: DISSEMINATION AND EXPLOITATION
T6.1: Dissemination and public communication
T6.2: Exploitation, Business and Commercialization
T6.3: Training and Awareness
T6.4: Projects and stakeholders networking
DEFeND PILOTS
The DEFeND platform will be tested in an operational environment (TRL 7) for two different types of scenarios across four sectors, focusing on the GDPR compliance process for end-users and on the GDPR implications for external stakeholders.
• ENERGY SECTOR (PRIVATE): GP (France)
• BANKING SECTOR (PRIVATE): ABILab (Italy)
• HEALTH CARE (PUBLIC): Fundacion Para la Investigacion Biomedica Hospital Infantil Universitario Niño Jesus (Spain)
• PUBLIC ADMINISTRATION (PUBLIC): PESHTERA MUNICIPALITY (Bulgaria)
DEFeND: PARTNERS AND CONTACTS
UNIVERSITY OF BRIGHTON
Haris Mouratidis
Prof of Software Systems Engineering
computing engineering & mathematics
H.Mouratidis@brighton.ac.uk
BUSINESS-E
Claudio Girlanda
Competence Center Applications Manager
claudio.girlanda@maticmind.it
ATOS
Pedro Soria Rodriguez
Head of Market
pedro.soria@atos.net
FIB
Andrés G. Castillo Sanz
Head of Innovation Department
andres.castillo@salud.madrid.org
IONIAN UNIVERSITY
Aggeliki Tsohou
Assistant Professor
atsohou@ionio.gr
PESHTERA MUNICIPALITY
Georgi Simeonov
Project Manager
simeonov@reap-bg.eu
Nikolay Zaychev
Mayor
zaichev@abv.bg
BIRD & BIRD
Benoit Van Asbroeck
Partner
Benoit.Van.Asbroeck@twobirds.com
Julien Debussche
Associate
Julien.Debussche@twobirds.com
Jasmien César
Associate
Jasmien.Cesar@twobirds.com
GRIDPOCKET
Filip Gluszak
President
filip.gluszak@gridpocket.com
Papa Niamadio
Project Manager
papa.niamadio@gridpocket.com
PDM
Luis Miguel Serra da Costa Campos
CEO
luis.campos@pdmfc.com
Francisco Correia Loureiro
Director, Security Solutions
francisco.loureiro@pdmfc.com
Luis Miguel Landeiro Ribeiro
CTO
luis.ribeiro@pdmfc.com
ABI LAB
Romano Stasi
General Manager
r.stasi@abilab.it
Teresa Spada
Responsible for the Institutional Projects
t.spada@abilab.it
Marco Crabu
In House Consultant
marcocrabu@gmail.com
Marco Rotoloni
Research Analyst
m.rotoloni@abilab.it
DEFeND: PROJECT CONTACTS
Coordinator: Beatriz Gallego-Nicasio Crespo, Atos, beatriz.gallego-nicasio@atos.net
Technical Manager: Prof. Haralambos (Haris) Mouratidis, UoB, H.Mouratidis@brighton.ac.uk
Communication: info@defend.eu
Project website: www.defendproject.eu
THANK YOU

Mcis 2018 DEFeND Project
