Methods and tools for GDPR compliance through Privacy and Data Protection Engineering

Problem to be addressed
GDPR entered in force in May 2018 bringing an array of binding data protection principles, individuals’ rights, and legal obligations to ensure the protection of personal data of EU citizens. But the legal approach is not enough if it does not come along with technical measures to protect privacy and personal data in practice. There is a need on how to address the protection of personal data during the design and development of products, services and systems, which is reflected by the principles of Privacy and Data Protection by Design. Engineers are ultimately responsible for conceiving, designing, constructing and maintaining the systems, services and software and hardware products to comply with GDPR.

Why it is important for society
PDP4E will spread the adoption of data protection practice by promoting the adaptation of the tools and methods to the mainstream needs of engineers. It will foster the broadest practice of privacy and data protection engineering.

What are the overall objectives
PDP4E mission is to bring privacy and data protection knowhow into mainstream practice of software and systems engineering, by providing engineers with methods and tools that operationalise data protection principles and regulation, and which are integrated with those others which they customarily use in the different activities that take place throughout the stages of the SDLC (System Development Lifecycle). The project aims to empower engineers to leverage the existent knowhow on data protection and will focus on four principal domains of engineering to provide these methods and tools: risk management, model-driven engineering, requirements engineering and Assurance. The following objectives have been defined:

O1: Introduce features to support privacy by design and data protection into existent mainstream software and system engineering tools.
O2: Integrate privacy by design and data protection activities within existent mainstream software.
O3: Empower engineers overall to leverage the existent know-how on data protection; even if they are not savvy in the field.
O4: Spread the adoption of data protection practice in time and space, by promoting the adaptation of the tools and methods to the mainstream needs of engineers.
O5: Foster the broadest practice of privacy and data protection engineering, by advancing the existent communities of practice of privacy engineering (IPEN) and bridging them to mainstream development communities.

Conclusion of the action
A set of tools (risk management, requirements, design, assurance) based on model-driven engineering has been developed and demonstrated in two use cases. The creation of a community has been started to allow application developers to develop and reuse existing privacy protection models.

WP1 (management): the adapted work planned has been followed without major delays, except for the minimal delays caused by the sudden crisis of Covid-19 that has modified the way to work due to lockdowns and security measures.
WP2 (Multi-stakeholder specification and architecture of methods and tools for data protection engineering), the work carried out includs: the final specification of the overall requirements, the framework and the final integration report of the tool box.
WP3 (Methods and tools for data protection risk management), the final release of method and risk management tool has been produced and it is available in the market through the partner Beawre, which is actually exploiting it with several clients. A knowledge base is also built and available for the public (Available here: https://www.pdp4e-project.eu/risk-management/(s’ouvre dans une nouvelle fenêtre))
WP4 (Methods and tools for data protection requirements engineering), a final extended release of the method Propan for requirements engineering is available together with the final release of the tool PDP-Req to elicit requirements. A Knowledge base of requirements is also built and available. It is actually available through eclipse papyrus project (For more information: https://www.pdp4e-project.eu/requirements-engineering/(s’ouvre dans une nouvelle fenêtre))
WP5 (Methods and tools for data protection model-driven design), the final release of the method to support engineers for privacy-by-design was delivered. A Privacy and Data Protection by Design Framework (PDPbD) final release was delivered, including three components: a Personal Data Detector, a module for Privacy Model-Driven Design and a module for Code Validation. The three modules are available (https://www.pdp4e-project.eu/privacy-aware-design/(s’ouvre dans une nouvelle fenêtre)).
WP6 (Methods and tools for assurance) the final release of the method is delivered and also the final release of the Assurance tool (OpenCert) for Privacy and Data protection. All of this includes a knowledge base for assurance and certification. (For more information: https://www.pdp4e-project.eu/assurance-management/(s’ouvre dans une nouvelle fenêtre))
WP7 (Validation, demonstration and exploitation), a reassessment of the market analysis was done taking into account Covid-19 crisis in order to better address the challenges. A final exploitation plans per partner was provided together with the strong standards contributions in Privacy, Data Protection for risk management and Assurance, together with the official ISO liaison with PC317 (privacy-by-design for consumer goods and services). As a final conclusion, there have been conducted several external consultation with experts and stakeholders in the domain and close areas to leverage and build the community (Alliance) "Privacy by Models", which is being built, hosted by Eclipse and expected to be launched, at the CPDP 2022.
WP8 (Dissemination, communication and liaison), PDP4E participated in several events (EclipseCON APF, CPDP2020, CPDP2021). More than 9 scientific publications were made as well as general public papers. A bi monthly newsletter continue. A live workshop was conducted and organised by the project in the CEA headquarters to validate the first release of the tools and methods.

Progress beyond the state of the art
PDP4E results will impact in the increased observance of the rights to privacy and data protection of EU citizens by software, systems and services that perform processing activities.
PDP4E will create methods and tools that support engineers in observing rights of the data subject, through the application of different software and systems engineering disciplines.
PDP4E will ensure proper alignment of the engineering methods and tools proposed with the regulatory and legal framework.

Expected results
A release of the PDP4E tools, in the risk management, requirements engineering, model-driven design and assurance management arenas validated in two use cases (big data exchange for smart grids and connected vehicles). All these tools are being developed with the different articles of the GDPR, so that data subject’s rights are preserved.

Potential impact
PDP4E will create a new market for PDP engineering solutions, targeting a segment (engineers). PDP4E will specifically address the needs from two industries (connected vehicles and smart grid) where data protection has a relevant impact. Organizations will find it easier to comply with GDPR, and avoid cost of non-compliance (e.g. fines). PDP4E will also congribute to a more educated workforce. PDP4E will influence policy makers on the most effective and efficient way to articulate privacy and data protection regulations.
PDP4E will have a strong impact on privacy standards.