The Challenge of Complying with GDPR

The European Parliament made significant changes in the European data processing ecosystem via the General Data Protection Regulation (GDPR) in 2016. Three years after, organizations are still struggling to fully understand its implications on their business and consequently, compliance costs are piling up.

The GDPR requires organizations to take a more proactive role with respect to their data protection practices. Instead of defining their practices in response to previous data breaches, organizations shall actively look for vulnerabilities and improvements on their data processing activities during the onset and operationalization of data-oriented products and services. In practice, organizations need to take a look at state-of-the-art techniques on privacy and data protection and understand how these can be applied to their existing systems. This is an extraordinary effort for those organizations that do not have the necessary expertise nor resources to monitor the vast, evolving cybersecurity ecosystem and in particular data protection.

The risk of not being on the edge of privacy-preserving techniques could lead to a loss of customer trust and, in some extreme cases, administrative fines up to 20M€ or 4% of global turnover.

Developing methods and tools for privacy engineering

As an answer to the challenge described above, PDP4E (Privacy and Data Protection 4 Engineering) is an innovative project that aims to empower engineers with methods and software tools to systematically apply privacy and data protection principles in the projects they carry out. This will facilitate binging Privacy and Data Protection by Design into practice and, hence, the creation of products that comply with the General Data Protection Regulation.

The project gathers 8 partners from 4 EU member states. It has an overall budget of 3.3 M€, including a contribution of 2.9 M€ from the European Commission in the scope of Horizon 2020 Research and Innovation program.

Aiming at Significant Compliance Costs Decrease

Within PDP4E project, a set of innovative tools and knowledge are generated, such as:

• Designing new developments with a model-driven approach that considers privacy as a core principle;
• A requirements elicitation process that operationalizes constraints and goals derived from abstract legal data protection regulations and standards;
• A risk management tool that guides development teams and product management boards in defining strategies to mitigate privacy and data protection risks;
• An assurance management solution connected to the above innovations, so that compliance burden is reduced;
• And an extendable body of knowledge consisting of design strategies, privacy and data protection requirements and threats.

The main impact of PDP4E will be to improve European practices on privacy and data protection of personal information and, consequently, a significant reduction on operating expenses for compliance efforts.

Need for Collaboration with Privacy Practitioners

To survive in an evolving cybersecurity ecosystem, the body of knowledge generated on PDP4E needs to be updated with new design strategies, requirements derived from new standards and new vulnerabilities or threats discovered by privacy practitioners.

To such aim, PDP4E will be looking for longstanding relationships with privacy practitioners, policy makers and privacy vendors to collaboratively create a body of knowledge that is easily consumed by data processing organizations. The tools developed by PDP4E will showcase a mechanism to integrate such knowledge on engineering practices.

TRIALOG, as a partner in the PDP4E project, seeks to involve external stakeholders through participation in the Internet Privacy Engineering Network (IPEN) workshop and the 2019 Annual Privacy Forum. Feedback from privacy practitioners and policy makers will be key to shape the collaboration and ensure that the body of knowledge provides continue value even after PDP4E.

TRIALOG provides Expertise on Cybersecurity, Smart Grid and e-Mobility

Besides coordination of the PDP4E consortium and project, TRIALOG is also involved in the definition, development and validation of the PDP4E tools and body of knowledge. The main contributions from TRIALOG are:

• Definition and validation of the tools on two use-cases related to the connected vehicles and smart grid scenarios,
• Integration of Risk Management activities into GDPR compliance activities such as conducting Data Protection Impact Assessment,
• Alignment of the results to market expectations, and shaping future standardization efforts to include knowledge generated by the PDP4E consortium.

This contribution is based on the strong know-how and experience of TRIALOG in:

• Designing, building and validating interoperable and secured industrial cyber-physical information systems,
• Privacy management of cooperative intelligent transport systems (C-ITS), in particular with regard to the analysis of privacy threats related to the processing of vehicle location and the minimisation of the risk of driver identification and surveillance,
• Experience on Smart Metering and Smart Grids.

Thanks to this project, TRIALOG will be able to support organizations to build, develop and test innovative technologies and solutions to meet tomorrow’s data processing challenges.