MCIS 2018 DEFeND Project
1. This project has received funding from the European
Union’s Horizon 2020 research and innovation
programme under grant agreement No 787068.
Aggeliki Tsohou, Assistant Professor
Ionian University, Dept. of Informatics
The Mediterranean Conference on Information Systems (MCIS 2018)
30th September 2018
2. Outline
• The General Data Protection Regulation (GDPR): overview and history
• Challenges of GDPR compliance
• The DEFeND project and how it addresses (some of) the challenges:
  • Objectives
  • Architecture and Components
  • Management and Organization of work
3. The drivers of the GDPR regulation
• Need for modernization: new or advanced online services and technologies compared to the era in which the previous regulation rules were introduced (e.g., social networks, location-based services, cloud computing, data processing and storage capabilities)
• Need to give individuals back control over their personal data
• Need to simplify the regulatory environment for business
• Unnecessary administrative requirements for businesses (e.g. notification to several data protection authorities) causing significant costs
4. Significant Milestones of the GDPR
• In January 2012 the EU proposes a reform of data protection rules to increase users' control of their data and to cut costs for businesses
• In March 2014 the European Parliament approves the proposal for the new regulation (first reading)
• In April 2016 the GDPR is announced
• In May 2016 the GDPR enters into force
• In May 2018 the GDPR applies
5. GDPR: Changes and Implications Compared to 95/46/EC
• Extension of the data that fall under the categories of personal data and special categories of personal data
• Heavier responsibility and role for the data controllers and processors
• Appointment of a Data Protection Officer
• Wider territorial scope
• Additional rights for the data subjects
• Changes to the role of the data protection authorities
• Privacy by default and personal data impact assessment as core principles for the design of information systems
6. GDPR: Changes and Implications Compared to the Previous Regulation
And of course… higher penalties!
Up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher
7. (Only some of the) Research Gaps and Opportunities
• Obtaining data subjects’ consent
• Ensuring data subjects’ rights (e.g., right to erasure, right to data portability)
• Ensuring personal data control
• Designing and implementing information systems that ensure privacy by design and by default
• Demonstrating compliance with GDPR
• Performing privacy impact assessment
8. Our Group’s Ongoing Research in Informed Consent and Privacy Awareness
§ Tsohou, A. and Kosta, E. (2017), Enabling valid informed consent for location tracking through privacy awareness of users: A process theory, Computer Law & Security Review: The International Journal of Technology Law and Practice, Vol. 33, No. 4, pp. 434-457
§ Soumelidou, K. and Tsohou, A., Effects of Privacy Policy Visualization on Users’ Information Privacy Awareness Level – The Case of Instagram, IT & People (under review)
§ Paspatis, I., Tsohou, A. and Kokolakis, S. (2017), Mobile Application Privacy Risks: Viber Users’ De-Anonymization Using Public Data, 11th Mediterranean Conference on Information Systems, Genova, Italy, September 2017
§ Paspatis, I., Tsohou, A. and Kokolakis, S. (2018), AppAware: A Model For Privacy Policy Visualization For Mobile Applications, 12th Mediterranean Conference on Information Systems, Corfu, Greece, September 2018
10. GDPR: CHALLENGES
7 KEY PRINCIPLES
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Integrity and confidentiality
• Storage limitation
• Accuracy
• Accountability
ACCOUNTABILITY
• Contractual organization
• Privacy-by-design & Privacy-by-default
• Records of data processing activities
• Privacy Impact Assessments
• Data Protection Officer
RIGHTS OF INDIVIDUALS
• Information
• Access
• Rectification
• Erasure
• Restriction
• Portability
• Objection
• Automated decision-making / profiling
11.
IMPLEMENTING PRIVACY BY DESIGN/PRIVACY ENGINEERING
Implement technical and organizational measures to show that the organization has considered and integrated data compliance measures into data processing activities
DATA DE-IDENTIFICATION/ANONYMIZATION
Assess and implement anonymization and pseudonymization techniques to fall outside the scope of the GDPR or comply with certain requirements
MEETING REGULATORY REPORTING REQUIREMENTS
Set up methods to review compliance activities and keep records for internal and external reporting to demonstrate compliance (e.g. privacy notices and records of privacy-related escalation handling activities)
ADDRESSING INTERNATIONAL DATA TRANSFERS
Map international data flows and manage mechanisms to allow for transfer of data to non-EEA countries (BCRs, MCCs, Privacy Shield, etc.)
DEVELOPING A GDPR PRIVACY PLAN
Conduct a comprehensive assessment of the organization's readiness for GDPR and develop a plan of action to reach compliance
CREATING A THIRD PARTY MANAGEMENT PROGRAM
Manage third party vendor risk and create policies, procedures and on-going management to ensure third party compliance and implementation of necessary contractual arrangements
MANAGING PRIVACY COMPLAINTS AND INDIVIDUAL RIGHTS
Develop processes and policies to respond to requests made by individuals (right to information but also access, rectification, restriction, objection, erasure and portability rights)
MANAGING PRIVACY INCIDENTS AND BREACH NOTIFICATION
Review information security policies and breach handling incident response plans to comply with the strict formal reporting (notification) obligations
CREATING DATA INVENTORY AND MAPS
Inventory of processing activities and data flows, classified by data type, purpose and responsibilities.
CONDUCTING PRIVACY RISK ASSESSMENTS (PIAs/DPIAs)
Design and implement processes to conduct and manage PIAs/DPIAs and risk assessments across the organization, based on legal and regulatory requirements
OBTAINING AND MANAGING USER CONSENT
Develop processes to comply with new consent requirements: ‘a statement or a clear affirmative action’ from the data subject, must be ‘freely given, specific, informed and unambiguous’
SELECTION OF APPROPRIATE SECURITY TECHNICAL AND ORGANISATIONAL MEASURES
Implement physical, technical, and administrative measures to keep personal data secure and confidential through adequate standards or certification
12. ORGANISATION
START DATE: 1 July 2018
CALL TOPIC: H2020-DS08-2017 Cybersecurity PPP: Privacy, Data Protection, Digital Identities
DURATION: 30 months
GRANT AMOUNT: EUR 2,737,300.00
13. OBJECTIVES
1) Design and development of a successful, MARKET-ORIENTED PLATFORM to support organizations towards GDPR compliance
2) Develop a MODULAR SOLUTION that covers different aspects of the GDPR
3) AUTOMATED methods and techniques to elicit, map and ANALYZE DATA that organizations hold for individuals
4) Advanced modelling languages and methodologies for privacy-by-design and DATA PROTECTION management
5) Specification, management and enforcement of PERSONAL DATA CONSENT
6) Integrated ENCRYPTION AND ANONYMIZATION solutions for GDPR
7) DEPLOYMENT and VALIDATION of the DEFeND platform in real operational environments
14. DEFeND PARADIGM
The Model-Driven Privacy Governance (MDPG) paradigm enables building (from an abstract to a concrete level) and analyzing privacy-related models following a Privacy-by-Design approach that spans two levels, the Planning Level and the Operational Level, and three management areas, i.e. Data Scope, Data Process and Data Breach
15. DEFeND PLATFORM toward GDPR compliance
[Diagram: platform functions and the GDPR articles they address]
Management areas: DATA SCOPE MANAGEMENT (DSM), DATA PROCESS MANAGEMENT (DPM), DATA BREACH MANAGEMENT (DBM)
Levels: PLANNING LEVEL, OPERATIONAL LEVEL
Functions with the article label shown next to them:
• Personal data consent: ART. 6, 7, 8, 13, 14
• Data access rights: ART. 15
• Security and privacy specification: ART. 24
• Data Breach Plan Specification: ART. 34
• Security and Privacy Technologies: ART. 32
• Privacy Data Consent Monitoring and Notification: ART. 19
• Data breach Detection, Notification and Response: ART. 23, 33, 34, 36
Other functions: Data flows; Identify data, assets; Identify accountability; Organisational information establishments; Data Protection Impact Assessment (DPIA); Security and Privacy Threats; Privacy by Design; Data transparency, lawfulness, minimisation
Other article labels: ART. 4 (three times), ART. 5, ART. 35, ART. 23, ART. 25, ART. 4, 25
16. DEFeND ARCHITECTURE
[Architecture diagram]
Management areas: DATA SCOPE MANAGEMENT (DSM), DATA PROCESS MANAGEMENT (DPM), DATA BREACH MANAGEMENT (DBM)
Components:
• DATA ASSESSMENT COMPONENT (DAC)
• DATA PRIVACY ANALYSIS COMPONENT (DPAC)
• PRIVACY SPECIFICATION COMPONENT (PSC)
• PRIVACY IMPLEMENTATION AND MONITORING COMPONENT (PIMC)
• DATA BREACH COMPONENT (DBC)
Models: Data Privacy Model; Data Assessment Model; Security/Privacy Specification Model; Privacy Data Consent (PDC) Model; Data Breach Model
Other labels: Organisation Data Collection; Assessment Translator; DPIA Analysis; Data Minimisation Analysis; Threat Analysis; Privacy by Design/Default; Data Access Rights Analysis; Consent Analysis; Security/Privacy Technologies; Privacy Technologies Runtime; Privacy Data Consent Monitoring Notification; Data Breach Modelling and Analysis; Data breach Detection and Response
17. GDPR DASHBOARD
[Diagram: the GDPR dashboard and its back end (dashBoardBackEnd)]
Roles: DATA CONTROLLER-PROCESSOR, DATA SUBJECT, SUPERVISORY AUTHORITIES
Services: GDPR Planning Service; GDPR Reporting Service; Data Scope Management Service (DSM); Data Process Management Service (DPM); Data Breach Management Service (DBM)
Components: Data Assessment Component (DAC); Data Privacy Analysis Component (DPAC); Privacy Specification Component (PSC); Privacy Implementation and Monitoring Component (PIMC); Data Breach Component (DBC)
Models and reports: Data Assessment Model; Privacy Data Consent Model; Security/Privacy Specification Model; GDPR Readiness Report; GDPR Report; GDPR Authorities Report
Other labels: Organisational Information; Consent Preferences; Breach Notification
18. WORK PLAN
WP1: PROJECT, QUALITY AND COMPLIANCE MANAGEMENT
T1.1: Project Management
T2.2: Quality and Innovation Management
T2.3: Compliance and Ethics Management
T1.4: Technical Management
T1.5: Security Advisory Board
WP2: REQUIREMENTS AND ARCHITECTURE
T2.1: Requirements and Specifications
T2.2: Privacy and Compliance Requirements
T2.3: Platform Architecture
T2.4: Definition of pilots’ scenarios
WP3: DEVELOPMENT OF PLATFORMS SERVICES
T3.1: Data Scope Management
T3.2: Data Process Management
T3.3: Data Breach Management
T4.4: Dashboard
WP4: INTEGRATION, DEPLOYMENT AND TESTING
T4.1: Services’ integration
T4.2: Security and Legal Compliance Audit
T4.3: Platform Testing and Refinement
WP5: PILOTS PREPARATION AND EXECUTION
T5.1: Pilots’ preparations
T5.2: Pilots’ execution and evaluation
T5.3: Pilots’ final demonstration
WP6: DISSEMINATION AND EXPLOITATION
T6.1: Dissemination and public communication
T6.2: Exploitation, Business and Commercialization
T6.3: Training and Awareness
T6.4: Projects and stakeholders networking
19. DEFeND PILOTS
The DEFeND platform will be tested in an operational environment (TRL 7) for two different types of scenarios across four sectors, focusing on the GDPR compliance process for end-users and on the GDPR implications for external stakeholders.
• ENERGY SECTOR (PRIVATE): GP (France)
• BANKING SECTOR (PRIVATE): ABILab (Italy)
• HEALTH CARE (PUBLIC): Fundacion Para la Investigacion Biomedica Hospital Infantil Universitario Niño Jesus (Spain)
• PUBLIC ADMINISTRATION (PUBLIC): PESHTERA MUNICIPALITY (Bulgaria)
20. DEFeND: PARTNERS AND CONTACTS
UNIVERSITY OF BRIGHTON
Haris Mouratidis
Prof of Software Systems Engineering
computing engineering & mathematics
H.Mouratidis@brighton.ac.uk
BUSINESS-E
Claudio Girlanda
Competence Center Applications Manager
claudio.girlanda@maticmind.it
ATOS
Pedro Soria Rodriguez
Head of Market
pedro.soria@atos.net
FIB
Andrés G. Castillo Sanz
Head of Innovation Department
andres.castillo@salud.madrid.org
IONIAN UNIVERSITY
Aggeliki Tsohou
Assistant Professor
atsohou@ionio.gr
PESHTERA MUNICIPALITY
Georgi Simeonov
Project Manager
simeonov@reap-bg.eu
Nikolay Zaychev
Mayor
zaichev@abv.bg
21. DEFeND: PARTNERS AND CONTACTS
Benoit Van Asbroeck
Partner
Benoit.Van.Asbroeck@twobirds.com
Filip Gluszak
President
filip.gluszak@gridpocket.com
Luis Miguel Serra da Costa Campos
CEO
luis.campos@pdmfc.com
Romano STASI
General Manager
r.stasi@abilab.it
Teresa Spada
Responsible for the Institutional Projects
t.spada@abilab.it
Marco Crabu
In House Consultant
marcocrabu@gmail.com
Marco Rotoloni
Research Analyst
m.rotoloni@abilab.it
ABI LAB
GRIDPOCKET
Papa Niamadio
Project Manager
papa.niamadio@gridpocket.com
PDM
Francisco Correia Loureiro
Director, Security Solutions
francisco.loureiro@pdmfc.com
Luis Miguel Landeiro Ribeiro
CTO
luis.ribeiro@pdmfc.com
BIRD & BIRD
Julien Debussche
Associate
Julien.Debussche@twobirds.com
Jasmien César
Associate
Jasmien.Cesar@twobirds.com
23. THANK YOU
Contacts
Coordinator: Beatriz Gallego-Nicasio Crespo, Atos,
beatriz.gallego-nicasio@atos.net
Technical Manager: Prof. Haralambos (Haris) Mouratidis, UoB,
H.Mouratidis@brighton.ac.uk
Communication: info@defend.eu | Project website: www.defendproject.eu