DEFeND is an international partnership that will deliver a platform to empower organisations in different sectors to assess and comply with the European Union’s General Data Protection Regulation (GDPR), increasing their maturity in different aspects of GDPR.
DEFeND Project Presentation - July 2018
1. This project has received funding from the European
Union’s Horizon 2020 research and innovation
programme under grant agreement No 787068.
Project Start-up
2.
7 KEY PRINCIPLES
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Integrity and confidentiality
• Storage limitation
• Accuracy
• Accountability
ACCOUNTABILITY
• Contractual organization
• Privacy-by-design & Privacy-by-default
• Records of data processing activities
• Privacy Impact Assessments
• Data Protection Officer
RIGHTS OF INDIVIDUALS
• Information
• Access
• Rectification
• Erasure
• Restriction
• Portability
• Objection
• Automated decision-making / profiling
GDPR: CHALLENGES
3.
IMPLEMENTING PRIVACY BY
DESIGN/PRIVACY ENGINEERING
Implement technical and organizational
measures to show that the organization
has considered and integrated data
compliance measures into data
processing activities
DATA DE-IDENTIFICATION/
ANONYMIZATION
Assess and implement anonymization
and pseudonymization techniques to
fall outside the scope of the GDPR or
comply with certain requirements
MEETING REGULATORY
REPORTING REQUIREMENTS
Set up methods to review compliance
activities and keep records for internal
and external reporting to demonstrate
compliance (e.g. privacy notices and
records of privacy-related escalation
handling activities)
ADDRESSING INTERNATIONAL
DATA TRANSFERS
Map international data flows and
manage mechanisms to allow for
transfer of data to non-EEA countries
(BCRs, MCCs, Privacy Shield, etc.)
DEVELOPING A GDPR PRIVACY
PLAN
Conduct a comprehensive
assessment of the organization's
readiness for GDPR and develop a
plan of action to reach compliance
CREATING A THIRD PARTY
MANAGEMENT PROGRAM
Manage third party vendor risk and
create policies, procedures and ongoing
management to ensure third
party compliance and implementation
of necessary contractual
arrangements
MANAGING PRIVACY
COMPLAINTS AND INDIVIDUAL
RIGHTS
Develop processes and policies to
respond to requests made by
individuals (right to information but
also access, rectification, restriction,
objection, erasure and portability
rights)
MANAGING PRIVACY INCIDENTS
AND BREACH NOTIFICATION
Review information security policies
and breach handling incident response
plans to comply with the strict formal
reporting (notification) obligations
CREATING DATA INVENTORY
AND MAPS
Inventory of processing activities and
data flows, classified by data type,
purpose and responsibilities.
CONDUCTING PRIVACY RISK
ASSESSMENTS (PIAs/DPIAs)
Design and implement processes to
conduct and manage PIAs/DPIAs and
risk assessments across the
organization, based on legal and
regulatory requirements
OBTAINING AND MANAGING
USER CONSENT
Develop processes to comply with
new consent requirements: ‘a
statement or a clear affirmative action’
from the data subject, must be ‘freely
given, specific, informed and
unambiguous’
SELECTION OF APPROPRIATE
SECURITY TECHNICAL AND
ORGANISATIONAL MEASURES
Implement physical, technical, and
administrative measures to keep
personal data secure and confidential
through adequate standard or
certification
4.
ORGANISATION
START DATE
1 July 2018
CALL TOPIC
H2020-DS08-2017 Cybersecurity
PPP: Privacy, Data Protection,
Digital Identities
DURATION
30 months
GRANT AMOUNT
EUR 2,737,300.00
5.
OBJECTIVES
• (1) Design and development of a successful, MARKET-ORIENTED PLATFORM to support organizations towards GDPR compliance
• (2) Develop a MODULAR SOLUTION that covers different aspects of the GDPR
• (3) AUTOMATED methods and techniques to elicit, map and ANALYZE DATA that organizations hold for individuals
• (4) Advanced modelling languages and methodologies for privacy-by-design and DATA PROTECTION management
• (5) Specification, management and enforcement of PERSONAL DATA CONSENT
• (6) Integrated ENCRYPTION AND ANONYMIZATION solutions for GDPR
• (7) DEPLOYMENT and VALIDATION of the DEFeND platform in real operational environments
6.
DEFeND PARADIGM
The Model-Driven Privacy Governance (MDPG) paradigm enables building (from an abstract to a concrete level) and analyzing privacy related models following a Privacy-by-Design approach that spans over two levels, the Planning Level and the Operational Level, and across three management areas, i.e. Data Scope, Data Process and Data Breach.
7.
DEFeND PLATFORM toward GDPR compliance
[Diagram: DATA SCOPE MANAGEMENT (DSM), DATA PROCESS MANAGEMENT (DPM) and DATA BREACH MANAGEMENT (DBM) across the PLANNING LEVEL and the OPERATIONAL LEVEL, annotated with GDPR articles]
• Personal data consent: ART. 6, 7, 8, 13, 14
• Data access rights: ART. 15
• Security and privacy specification: ART. 24
• Data Breach Plan Specification: ART. 34
• Security and Privacy Technologies: ART. 32
• Privacy Data Consent Monitoring and Notification: ART. 19
• Data breach Detection, Notification and Response: ART. 23, 33, 34, 36
• Other activities shown: Data flows; Identify data, assets; Identify accountability; Organisational information establishments; Data Protection Impact Assessment (DPIA); Security and Privacy Threats; Privacy by Design; Data transparency, lawfulness, minimisation
• Further article labels on the slide: ART. 4 (three times); ART. 5; ART. 35; ART. 23; ART. 25; ART. 4, 25
8.
DEFeND ARCHITECTURE
[Diagram: platform components grouped under DATA SCOPE MANAGEMENT (DSM), DATA PROCESS MANAGEMENT (DPM) and DATA BREACH MANAGEMENT (DBM)]
• Components: DATA ASSESSMENT COMPONENT (DAC); DATA PRIVACY ANALYSIS COMPONENT (DPAC); PRIVACY SPECIFICATION COMPONENT (PSC); PRIVACY IMPLEMENTATION AND MONITORING COMPONENT (PIMC); DATA BREACH COMPONENT (DBC)
• Elements shown: Organisation Data Collection; Assessment Translator; Data Access Rights Analysis; Consent Analysis; DPIA Analysis; Data Minimisation Analysis; Threat Analysis; Privacy by Design/Default; Security/Privacy Technologies; Privacy Technologies Runtime; Privacy Data Consent Monitoring Notification; Data Breach Modelling and Analysis; Data breach Detection and Response
• Models shown: Data Assessment Model; Data Privacy Model; Security/Privacy Specification Model; Privacy Data Consent (PDC) Model; Data Breach Model
9.
GDPR DASHBOARD
[Diagram: dashboard back end (dashBoardBackEnd) connecting platform services and components to three user groups: DATA CONTROLLER-PROCESSOR, DATA SUBJECT, SUPERVISORY AUTHORITIES]
• Services: GDPR Reporting Service; GDPR Planning Service; Data Scope Management Service (DSM); Data Process Management Service (DPM); Data Breach Management Service (DBM)
• Components: Data Assessment Component (DAC); Data Privacy Analysis Component (DPAC); Privacy Specification Component (PSC); Privacy Implementation and Monitoring Component (PIMC); Data Breach Component (DBC)
• Inputs and outputs shown: Organisational Information; Data Assessment Model; Privacy Data Consent Model; Security/Privacy Specification Model; Consent Preferences; GDPR Report; GDPR Readiness Report; GDPR Authorities Report; Breach Notification
10.
WORK PLAN
WP1: PROJECT, QUALITY AND COMPLIANCE MANAGEMENT
T1.1: Project Management
T2.2: Quality and Innovation Management
T2.3: Compliance and Ethics Management
T1.4: Technical Management
T1.5: Security Advisory Board
WP2: REQUIREMENTS AND ARCHITECTURE
T2.1: Requirements and Specifications
T2.2: Privacy and Compliance Requirements
T2.3: Platform Architecture
T2.4: Definition of pilots’ scenarios
WP3: DEVELOPMENT OF PLATFORMS SERVICES
T3.1: Data Scope Management
T3.2: Data Process Management
T3.3: Data Breach Management
T4.4: Dashboard
WP4: INTEGRATION, DEPLOYMENT AND TESTING
T4.1: Services’ integration
T4.2: Security and Legal Compliance Audit
T4.3: Platform Testing and Refinement
WP5: PILOTS PREPARATION AND EXECUTION
T5.1: Pilots’ preparations
T5.2: Pilots’ execution and evaluation
T5.3: Pilots’ final demonstration
WP6: DISSEMINATION AND EXPLOITATION
T6.1: Dissemination and public communication
T6.2: Exploitation, Business and Commercialization
T6.3: Training and Awareness
T6.4: Projects and stakeholders networking
11.
DEFeND PILOTS
The DEFeND platform will be tested in an operational environment (TRL 7) for two different types of scenarios across four sectors, focusing on the GDPR compliance process for end-users and on the GDPR implications for external stakeholders.
• ENERGY SECTOR (PRIVATE): GP (France)
• BANKING SECTOR (PRIVATE): ABILab (Italy)
• HEALTH CARE (PUBLIC): Fundacion Para la Investigacion Biomedica Hospital Infantil Universitario Niño Jesus (Spain)
• PUBLIC ADMINISTRATION (PUBLIC): PESHTERA MUNICIPALITY (Bulgaria)
12. This project has received funding from the European
Union’s Horizon 2020 research and innovation
programme under grant agreement No 787068.
THANK YOU
Contacts
Coordinator: Beatriz Gallego-Nicasio Crespo, Atos,
beatriz.gallego-nicasio@atos.net
Technical Manager: Prof. Haralambos (Haris) Mouratidis, UoB,
H.Mouratidis@brighton.ac.uk
Communication: info@defendproject.eu | Project website: www.defendproject.eu