Project Start-up

This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 787068.
Project Start-up

GDPR: CHALLENGES

7 KEY PRINCIPLES
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Integrity and confidentiality
• Storage limitation
• Accuracy
• Accountability

ACCOUNTABILITY
• Contractual organization
• Privacy-by-design & Privacy-by-default
• Records of data processing activities
• Privacy Impact Assessments
• Data Protection Officer

RIGHTS OF INDIVIDUALS
• Information
• Access
• Rectification
• Erasure
• Restriction
• Portability
• Objection
• Automated decision-making / profiling
Project Start-up

MANAGING PRIVACY COMPLAINTS AND INDIVIDUAL RIGHTS
Develop processes and policies to respond to requests made by individuals (the right to information, but also the access, rectification, restriction, objection, erasure and portability rights).

OBTAINING AND MANAGING USER CONSENT
Develop processes to comply with the new consent requirements: 'a statement or a clear affirmative action' from the data subject, which must be 'freely given, specific, informed and unambiguous'.

CREATING A THIRD PARTY MANAGEMENT PROGRAM
Manage third party vendor risk and create policies, procedures and on-going management to ensure third party compliance and implementation of the necessary contractual arrangements.

IMPLEMENTING PRIVACY BY DESIGN/PRIVACY ENGINEERING
Implement technical and organisational measures to show that the organisation has considered and integrated data compliance measures into its data processing activities.

DEVELOPING A GDPR PRIVACY PLAN
Conduct a comprehensive assessment of the organisation's readiness for GDPR and develop a plan of action to reach compliance.

CONDUCTING PRIVACY RISK ASSESSMENTS (PIAs/DPIAs)
Design and implement processes to conduct and manage PIAs/DPIAs and risk assessments across the organisation, based on legal and regulatory requirements.

MANAGING PRIVACY INCIDENTS AND BREACH NOTIFICATION
Review information security policies and breach handling incident response plans to comply with the strict formal reporting (notification) obligations.

ADDRESSING INTERNATIONAL DATA TRANSFERS
Map international data flows and manage the mechanisms that allow transfer of data to non-EEA countries (BCRs, MCCs, Privacy Shield, etc.).

CREATING DATA INVENTORY AND MAPS
Inventory of processing activities and data flows, classified by data type, purpose and responsibilities.

DATA DE-IDENTIFICATION/ANONYMIZATION
Assess and implement anonymization and pseudonymization techniques to fall outside the scope of the GDPR or to comply with certain requirements.

MEETING REGULATORY REPORTING REQUIREMENTS
Set up methods to review compliance activities and keep records for internal and external reporting to demonstrate compliance (e.g. privacy notices and records of privacy-related escalation handling activities).

SELECTION OF APPROPRIATE SECURITY TECHNICAL AND ORGANISATIONAL MEASURES
Implement physical, technical and administrative measures to keep personal data secure and confidential, through an adequate standard or certification.
Project Start-up

ORGANISATION: [not recoverable from the extracted slide text]
START DATE: 1 July 2018
DURATION: 30 months
GRANT AMOUNT: EUR 2,737,300.00
CALL TOPIC: H2020-DS08-2017 Cybersecurity PPP: Privacy, Data Protection, Digital Identities
Project Start-up

OBJECTIVES
• Advanced modelling languages and methodologies for privacy-by-design and DATA PROTECTION management
• Design and development of a successful, MARKET-ORIENTED PLATFORM to support organizations towards GDPR compliance
• Specification, management and enforcement of PERSONAL DATA CONSENT
• Develop a MODULAR SOLUTION that covers different aspects of the GDPR
• Integrated ENCRYPTION AND ANONYMIZATION solutions for GDPR
• AUTOMATED methods and techniques to elicit, map and ANALYZE DATA that organizations hold about individuals
• DEPLOYMENT and VALIDATION of the DEFeND platform in real operational environments
Project Start-up

DEFeND PARADIGM

The Model-Driven Privacy Governance (MDPG) paradigm enables building (from an abstract to a concrete level) and analyzing privacy-related models following a Privacy-by-Design approach. It spans two levels, the Planning Level and the Operational Level, and three management areas: Data Scope, Data Process and Data Breach.
Project Start-up

DEFeND PLATFORM toward GDPR compliance

Management areas: DATA SCOPE MANAGEMENT (DSM), DATA PROCESS MANAGEMENT (DPM), DATA BREACH MANAGEMENT (DBM)
Levels: PLANNING LEVEL, OPERATIONAL LEVEL

Platform elements with the GDPR article references shown on the slide (the slide's grid layout, which places each element in a management area and level, is not recoverable from the extracted text, so the elements are listed in the order they appear):
Identify data, assets ART. 4; ART. 15 Data access rights; Data flows; ART. 34 Data Breach Plan Specification; ART. 4 Organisational information establishments; ART. 6, 7, 8, 13, 14 Personal data consent; ART. 5 Identify accountability; Security and privacy specification ART. 24; ART. 4; ART. 32 Data Protection Impact Assessment (DPIA); ART. 35 Security and Privacy Technologies; ART. 23, 33, 34, 36 Data transparency, lawfulness, minimisation; Data breach Detection, Notification and Response ART. 4, 25; ART. 19 Security and Privacy Threats; Privacy Data Consent Monitoring and Notification ART. 23; Privacy by Design ART. 25
Project Start-up

DEFeND ARCHITECTURE

DATA SCOPE MANAGEMENT (DSM): DATA ASSESSMENT COMPONENT (DAC) and DATA PRIVACY ANALYSIS COMPONENT (DPAC)
• Organisation Data Collection
• Data Assessment Model
• Assessment Translator
• Data Privacy Model
• DPIA Analysis
• Data Minimisation Analysis
• Privacy by Design/Default
• Threat Analysis

DATA PROCESS MANAGEMENT (DPM): PRIVACY SPECIFICATION COMPONENT (PSC) and PRIVACY IMPLEMENTATION AND MONITORING COMPONENT (PIMC)
• Security/Privacy Specification Model
• Privacy Data Consent (PDC) Model
• Data Access Rights Analysis
• Security/Privacy Technologies
• Privacy Technologies
• Privacy Data Consent Monitoring
• Notification
• Runtime Consent Analysis

DATA BREACH MANAGEMENT (DBM): DATA BREACH COMPONENT (DBC)
• Data Breach Model
• Data Breach Modelling and Analysis
• Data Breach Detection and Response
Project Start-up

GDPR DASHBOARD

Actors: DATA CONTROLLER-PROCESSOR, DATA SUBJECT, SUPERVISORY AUTHORITIES

Inputs and outputs exchanged through the dashboard: Organisational Information, Consent Preferences, Security/Privacy Specification Model, Privacy Data Consent Model, Data Assessment Model, GDPR Report, GDPR Authorities Report, GDPR Readiness Report, Breach Notification

Dashboard services: GDPR Planning Service, GDPR Reporting Service, Data Scope Management Service (DSM), Data Process Management Service (DPM), Data Breach Management Service (DBM)

Back-end components: Data Assessment Component (DAC), Data Privacy Analysis Component (DPAC), Privacy Specification Component (PSC), Privacy Implementation and Monitoring Component (PIMC), Data Breach Component (DBC)
WORK PLAN

WP1: PROJECT, QUALITY AND COMPLIANCE MANAGEMENT
• T1.1: Project Management
• T1.4: Technical Management
• T1.5: Security Advisory Board

WP2: REQUIREMENTS AND ARCHITECTURE
• T2.1: Requirements and Specifications
• T2.2: Privacy and Compliance Requirements
• T2.2: Quality and Innovation Management
• T2.3: Platform Architecture
• T2.3: Compliance and Ethics Management
• T2.4: Definition of pilots' scenarios

WP3: DEVELOPMENT OF PLATFORM SERVICES
• T3.1: Data Scope Management
• T3.2: Data Process Management
• T3.3: Data Breach Management

WP4: INTEGRATION, DEPLOYMENT AND TESTING
• T4.1: Services' integration
• T4.2: Security and Legal Compliance Audit
• T4.3: Platform Testing and Refinement
• T4.4: Dashboard

WP5: PILOTS PREPARATION AND EXECUTION
• T5.1: Pilots' preparations
• T5.2: Pilots' execution and evaluation
• T5.3: Pilots' final demonstration

WP6: DISSEMINATION AND EXPLOITATION
• T6.1: Dissemination and public communication
• T6.2: Exploitation, Business and Commercialization
• T6.3: Training and Awareness
• T6.4: Projects and stakeholders networking
Project Start-up

DEFeND PILOTS

The DEFeND platform will be tested in an operational environment (TRL 7) in two different types of scenario across four sectors, focusing on the GDPR compliance process for end-users and on the GDPR implications for external stakeholders.
• ENERGY SECTOR (PRIVATE): GP (France)
• BANKING SECTOR (PRIVATE): ABILab (Italy)
• HEALTH CARE (PUBLIC): Fundacion Para la Investigacion Biomedica Hospital Infantil Universitario Niño Jesus (Spain)
• PUBLIC ADMINISTRATION (PUBLIC): PESHTERA MUNICIPALITY (Bulgaria)
THANK YOU

Contacts
Coordinator: Beatriz Gallego-Nicasio Crespo, Atos, beatriz.gallego-nicasio@atos.net
Technical Manager: Prof. Haralambos (Haris) Mouratidis, UoB, H.Mouratidis@brighton.ac.uk
Communication: info@defendproject.eu | Project website: www.defendproject.eu