Periodic Reporting for period 2 - DEFeND (Data Governance for Supporting GDPR)
Berichtszeitraum: 2019-07-01 bis 2021-03-31
Although the market is full of companies offering their services and tools for GDPR compliance, such solutions are mostly focused on providing generic approaches and frameworks that allow organisations to evaluate their current GDPR readiness level and propose some generic guidelines for moving towards compliance. They do not however provide support for organisations to tackle a list of challenges related to GDPR compliance including the lack of privacy-by-design methods to ensure privacy is integrated into new services and systems, continuous compliance to empower organisations to sustain a level of GDPR compliance, appropriate privacy incidents and breach management, and reporting capabilities.
The main aim of the DEFeND project was to deliver an innovative data privacy governance platform, which facilitates scoping and processing of data and data breach management and supports organisations towards GDPR compliance.
To achieve the above aim, the project focused on providing a realistic and useful solution that dealt with the main research challenges mentioned above, through 7 objectives.
• Objective 1. Design and development of a successful, market-oriented, platform to support organisations towards GDPR compliance.
• Objective 2. Develop a modular solution that cover different aspects of the GDPR
• Objective 3. Automated methods and techniques to elicit, map and analyse data that organisations hold for individuals
• Objective 4. Advanced modelling languages and methodologies for privacy-by-design and data protection management
• Objective 5. Specification, management and enforcement of Personal Data Consent.
• Objective 6. Integrated encryption and anonymization solutions for GDPR.
• Objective 7. Deployment and validation of the DEFeND platform in real operational environments.
The project is directly linked to GDPR and the privacy of European Citizens’ personal data. DEFeND is a unique attempt to combine privacy related technological solutions coming from different research disciplines (privacy engineering, privacy requirements engineering, and policy enforcement and monitoring to create a solution that provides organisations with privacy management support from requirements to implementation to enforcement and monitoring. Such combination ensures that organisations which hold European Citizens’ data use state of the art privacy technologies and they have in place privacy measures to increase EU citizens’ data privacy protection.
The main aim of the DEFeND project was to deliver an innovative data privacy governance platform, which facilitates scoping and processing of data and data breach management and supports organisations towards GDPR compliance.
To achieve the above aim, the project focused on providing a realistic and useful solution that dealt with the main research challenges mentioned above, through 7 objectives.
• Objective 1. Design and development of a successful, market-oriented, platform to support organisations towards GDPR compliance.
• Objective 2. Develop a modular solution that cover different aspects of the GDPR
• Objective 3. Automated methods and techniques to elicit, map and analyse data that organisations hold for individuals
• Objective 4. Advanced modelling languages and methodologies for privacy-by-design and data protection management
• Objective 5. Specification, management and enforcement of Personal Data Consent.
• Objective 6. Integrated encryption and anonymization solutions for GDPR.
• Objective 7. Deployment and validation of the DEFeND platform in real operational environments.
The project is directly linked to GDPR and the privacy of European Citizens’ personal data. DEFeND is a unique attempt to combine privacy related technological solutions coming from different research disciplines (privacy engineering, privacy requirements engineering, and policy enforcement and monitoring to create a solution that provides organisations with privacy management support from requirements to implementation to enforcement and monitoring. Such combination ensures that organisations which hold European Citizens’ data use state of the art privacy technologies and they have in place privacy measures to increase EU citizens’ data privacy protection.
The project work programme was arranged across seven work packages. WP2-WP4 focused on the technical contributions of the project including the elicitation and analysis of the DEFeND platform requirements, the development of the platform services and the integration deployment and testing of the DEFeND platform. WP5 focuses on the pilots preparation, execution and validation, while WP6 was the main work package for the project dissemination, training and exploitation. WP7 focused on the ethical dimension of the project and WP1 focused on the project management.
After 33 months, the project has achieved the following milestones:
- Complete elicitation, specification, prioritization and analysis of the DEFeND Platform requirements from different perspectives: compliance and legal, privacy and security and stakeholders’ functional and non-functional.
- Design and implementation of the reference DEFeND Platform architecture. Such architecture specifies the five DEFeND services for Data Scope Management, Data Process Management, Data Breach Management, GDPR Reporting and GDPR Planning services and their functionalities, the governance structure, the communication approach with the different interfaces offered for internal and external communication.
- The DEFeND platform, which implements the reference architecture and integrates the five DEFeND services into a single software platform with a unified graphical user interface (Dashboard).. This platform can be provisioned to end-user organisations in three modes: as a service, hybrid and on-premise.
- Description of pilot scenarios that permit validation of the DEFeND approach in four different stakeholders’ domains: Public Administration (Municipality of Peshtera), Banking (Abi Lab), Healthcare (Fundación Hospital Universitario Niño Jesús) and Energy & Utilities (GridPocket), execution of the pilots demonstration, evaluation and confirmation of the platform reaching TRL 7.
- The project set-up the main communication channels (i.e. project website, social network profiles), developed marketing material, prepared public project presentations for academic and industrial events and submitted various scientific papers to create awareness about the project advances.
- The exploitation activities produced a market/competitor analysis, the identification of potential exploitable results and a business plan.
After 33 months, the project has achieved the following milestones:
- Complete elicitation, specification, prioritization and analysis of the DEFeND Platform requirements from different perspectives: compliance and legal, privacy and security and stakeholders’ functional and non-functional.
- Design and implementation of the reference DEFeND Platform architecture. Such architecture specifies the five DEFeND services for Data Scope Management, Data Process Management, Data Breach Management, GDPR Reporting and GDPR Planning services and their functionalities, the governance structure, the communication approach with the different interfaces offered for internal and external communication.
- The DEFeND platform, which implements the reference architecture and integrates the five DEFeND services into a single software platform with a unified graphical user interface (Dashboard).. This platform can be provisioned to end-user organisations in three modes: as a service, hybrid and on-premise.
- Description of pilot scenarios that permit validation of the DEFeND approach in four different stakeholders’ domains: Public Administration (Municipality of Peshtera), Banking (Abi Lab), Healthcare (Fundación Hospital Universitario Niño Jesús) and Energy & Utilities (GridPocket), execution of the pilots demonstration, evaluation and confirmation of the platform reaching TRL 7.
- The project set-up the main communication channels (i.e. project website, social network profiles), developed marketing material, prepared public project presentations for academic and industrial events and submitted various scientific papers to create awareness about the project advances.
- The exploitation activities produced a market/competitor analysis, the identification of potential exploitable results and a business plan.
The DEFeND project has progressed the state of the art in various directions as identified in the DoA. In particular:
• Advancement of the state-of-the-art in Privacy-by-Design by facilitating organisations to implement a privacy management approach that takes into account the PbD principles, enabling them to design or (re)design their processes with respect to their privacy requirements, at an operational level. This was achieved by extending the conceptual language and modelling process of the Secure Tropos methodology to include concepts and stages related to GDPR compliance including processing activity, breach, and privacy enhancing technologies analysis.
• Advancement of the state of the art in Consent Management. DEFeND approaches consent management in a holistic way, through its Privacy Data Consent (PDC) component that enables users to act as a contract among the data controller and data subject, encapsulating all the necessary information regarding the consent of the processing to their personal data. Moreover, DEFeND supports organisations centralising management of consent activities, facilitating monitoring and enforcement of data subject consent and keeping the associated documentation and evidence in a single data store.
• Advancement of the state of the art in data breach management by providing an in-depth organisational analysis for the identification of privacy incidents and data breaches, offering the ability to create and operationalise data breach plans according to privacy and security requirements. From an operational perspective, DEFeND supports organisations in the collection of the necessary information to properly document incidents and data breaches, firstly, to maintain an up-to-date register; and secondly, to be able to assess their severity and based on this, take adequate actions, including the notification to supervisory authorities and/or data subjects, in accordance to GDPR regulation. .
• Advancement of the state of the art in Data Protection Impact Assessment by providing an in-depth processing analysis based on a structured visual methodology. This analysis is performed with DEFeND in an easy and user-friendly interface and it requires minimum knowledge and expertise in security and/or risk analysis to be performed. The identified risks can be further analysed and monitored in real-time to support a continuous risk assessment approach.
• Advancement of the state-of-the-art in Privacy-by-Design by facilitating organisations to implement a privacy management approach that takes into account the PbD principles, enabling them to design or (re)design their processes with respect to their privacy requirements, at an operational level. This was achieved by extending the conceptual language and modelling process of the Secure Tropos methodology to include concepts and stages related to GDPR compliance including processing activity, breach, and privacy enhancing technologies analysis.
• Advancement of the state of the art in Consent Management. DEFeND approaches consent management in a holistic way, through its Privacy Data Consent (PDC) component that enables users to act as a contract among the data controller and data subject, encapsulating all the necessary information regarding the consent of the processing to their personal data. Moreover, DEFeND supports organisations centralising management of consent activities, facilitating monitoring and enforcement of data subject consent and keeping the associated documentation and evidence in a single data store.
• Advancement of the state of the art in data breach management by providing an in-depth organisational analysis for the identification of privacy incidents and data breaches, offering the ability to create and operationalise data breach plans according to privacy and security requirements. From an operational perspective, DEFeND supports organisations in the collection of the necessary information to properly document incidents and data breaches, firstly, to maintain an up-to-date register; and secondly, to be able to assess their severity and based on this, take adequate actions, including the notification to supervisory authorities and/or data subjects, in accordance to GDPR regulation. .
• Advancement of the state of the art in Data Protection Impact Assessment by providing an in-depth processing analysis based on a structured visual methodology. This analysis is performed with DEFeND in an easy and user-friendly interface and it requires minimum knowledge and expertise in security and/or risk analysis to be performed. The identified risks can be further analysed and monitored in real-time to support a continuous risk assessment approach.