
Pdp4 e forum


PDP4E presentation given at the 2020 Forum in March.


  1. Methods and Tools for GDPR Compliance through Privacy and Data Protection 4 Engineering
     Privacy and data protection for engineering
     Overall presentation
     Yod Samuel Martín (Universidad Politécnica de Madrid)
     This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 787034
  2. PDP4E Forum: About the speaker
     ➢ Yod Samuel Martín
     ➢ Scientific and Technical Lead of H2020 PDP4E project
     ➢ Researcher at Universidad Politécnica de Madrid (UPM) – Departamento de Ingeniería de Sistemas Telemáticos (DIT)
     10/03/2020
  3. Outline
     ➢ Motivation: problem – challenge – response
     ➢ PDP4E overview and conceptual approach
     ➢ Contributions from the different disciplines
        ❑ Risk Management
        ❑ Requirements Engineering
        ❑ Model-Driven Design
        ❑ Assurance
     ➢ Methodological approach
  4. Privacy and data protection are trendy…
  5. Should GDPR be an engineer’s job?
     (Tip: It seems it should indeed)
  6. The privacy and data protection engineering gap
  7. The privacy and data protection engineering gap
     What engineers get…
     Diagram labels: GDPR, PbD, PETs, PPM/PEM
  8. The privacy and data protection engineering gap
     What engineers get…
     What engineers want…
     Diagram labels: GDPR, PbD, PETs, PPM/PEM
  9. PDP4E response: what engineers need
     “Endow engineers with privacy and data protection tools aligned to their mindset”
  10. PDP4E response: what engineers need
     “Endow engineers with privacy and data protection tools aligned to their mindset”
     Diagram labels: Methods, Tools, Knowledge bases, Demonstrators, Community
  11. PDP4E response: what engineers need
     “Endow engineers with privacy and data protection tools aligned to their mindset”
     Diagram labels: Metamodels, Knowledge Bases, Smart grid demonstrator, Fintech demonstrator, Requirements engineering, Risk management, Model-driven design, Assurance and certification, TRL6, TRL7, Byproducts, Connected vehicle demonstrator, Smart grid demonstrator, Methods, Tools, Knowledge bases, Demonstrators, Community
  12. PDP4E response: what engineers need
     “Endow engineers with privacy and data protection tools aligned to their mindset”
     Diagram labels: Metamodels, Knowledge Bases, Smart grid demonstrator, Fintech demonstrator, Requirements engineering, Risk management, Model-driven design, Assurance and certification, TRL6, TRL7, Byproducts, Connected vehicle demonstrator, Smart grid demonstrator, Methods, Tools, Knowledge bases, Demonstrators, Community
  13. Privacy and data protection…
     ➢ Personal data protection as subject-matter of GDPR
     ➢ Privacy goals (ISO 27550) beyond security: Confidentiality, Integrity, Availability, Unlinkability, Transparency, Intervenability
     ➢ Privacy strategies (ISO 27550): Separate, Abstract, Hide, Inform, Control, Enforce, Demonstrate
     ➢ Privacy principles (ISO 29100): consent, choice, lawfulness/purpose legitimacy… accountability
     ➢ Data subject rights (GDPR): erasure (RtbF), information, access, portability, rectification, restriction, object, ‘human decision’
     ➢ Controller and processor legal obligations under GDPR
  14. … for engineers
     ➢ Systematic, economical, engineering methods and tools
        ❑ Not just regulation, principles, craftsmanship or management!
     ➢ Threat model:
        ❑ Honest but reckless engineer
        ❑ Risks to the rights and freedoms of the data subject
        ❑ Organization itself as a potential attacker
     ➢ Privacy by Design and “shift-left”
  15. Contribution from Risk Management
     Methods & tools for PDP Risk Management
     Multilateral Risk Management
        • Data protection impact assessment risk trees (LINDDUN)
        • Risks to rights and freedoms of the data subjects (+4U)
        • Security impact analysis and security measures (STRIDE)
        • Derived business risks
        • … beyond risks of non-compliance
        • … but not everything is a risk
     Support execution of (D)PIAs:
        • Identify personal data categories
        • Identify threats
        • Estimate risk factors
        • Evaluate and prioritize risks
        • Address risks: choice of controls, countermeasures, PETs
        • Document risks and risk management
  16. Risk Management and GDPR
     ➢ Risk Management in GDPR:
        ❑ Art. 25 Data protection impact assessment
        ❑ Art. 26 Prior consultation
        ❑ Art. 33 Notification of a personal data breach to the supervisory authority
        ❑ Art. 34 Communication of a personal data breach to the data subject
        ❑ Art. 32 Security of processing
        ❑ …
  17. Contribution from Requirements Engineering
     Methods & tools for PDP Requirements Engineering
     Requirements elicitation
        • Privacy goals and properties
        • Regulations (GDPR): principles, rights, obligations, measures
        • Standards (ISO 29100)
        • … in the context of functional reqs.
     Techniques
        • Functional specification as requirements-oriented DFDs
        • Simplified problem-frame-based method
        • Operationalization process and hierarchical taxonomy of meta-requirements
  18. Requirements engineering and GDPR
     ➢ Requirements under GDPR:
        ❑ Chapter 2: Principles relating to processing of personal data
        ❑ Chapter 3: Rights of the data subject
        ❑ Chapter 4: Obligations and responsibility of controllers and processors
        ❑ Art. 24 Responsibility of the controller
     ➢ Scope of requirements instantiation:
        ❑ Nature, scope, context, purpose, lawfulness, and risks of the data processing activities
     ➢ Other dependencies:
        ❑ Specific data categories (sensitive)
        ❑ Specific processing (profiling)
        ❑ Specific purposes (marketing, research)
        ❑ Size of the organization
        ❑ Other regulation: corporate policies, binding rules, certifications…
  19. Contribution from Model-Driven Design
     Methods & tools for PDP Model-Driven Design
     Data mapping and inventory
     Enriched models
        • Structural (data categories and properties)
        • Behavioural (processing activities and data flows)
        • Architectural (deployment)
     Architectural analysis and strategies
        • Minimization
        • Separation
        • Aggregation
        • …
     Model-based Testing
  20. Model-driven design and the GDPR
     GDPR and the design stage:
     ➢ Data protection measures enforced on the controller
        ❑ Art. 24 Responsibility of the controller
        ❑ Art. 25 Data protection by design and by default
        ❑ E.g. pseudonymisation, minimisation...
     ➢ Technical and organisational security measures
        ❑ Art. 32 Security of processing
        ❑ E.g. access control, encryption...
     ➢ Measures by processors and secondary processors
        ❑ Art. 28 Processor
  21. Contribution from Assurance
     Methods & tools for PDP Assurance
     Regulatory framework model
        • GDPR, EDPB guidance, ISO…
        • People: roles
        • Processes and activities
        • Formal requirements
     Reusable argumentation models
        • Processing activities
        • Protection activities
     Demonstrate compliance
        • Capture evidence
        • Associate to reqs and artefacts
        • Trace to regulation
        • Argument compliance
  22. Assurance and the GDPR
     Support to GDPR from assurance:
     ➢ Transparency principle (Art. 5.1.a)
     ➢ Accountability principle (Art. 5.2)
     ➢ Related self-regulation, co-regulation and quasi-regulation:
        ❑ Codes of conduct (Art. 40, Art. 41)
        ❑ Certifications (Art. 42)
        ❑ Binding corporate rules (Art. 47)
     ➢ Involvement of multiple parties:
        ❑ Joint controllers (Art. 26)
        ❑ Processors (Art. 28)
        ❑ Secondary processors (Art. 28.4, Art. 28.5)
        ❑ International transfers (Art. 44, Art. 47)
     ➢ Record keeping:
        ❑ Processing activities (Art. 30)
        ❑ Data subject's consent (Art. 7.1)
     ➢ Data breaches:
        ❑ Notification to data subject (Art. 33)
        ❑ Communication to authorities (Art. 34)
     ➢ Intervenability goal
  23. Contribution from Method engineering
     PDP Method engineering
     Privacy Method Engineering
        • Putting it all together
        • Dependencies between one another
        • Methodologies and method fragments: work products, roles, tools, tasks, activities, processes
        • Activities: management, analysis, design, implementation, testing, deployment, operation, maintenance, and disposal
     Adaptability
        • Development methodologies or SDLC
        • Software engineering tools
        • Regulations (WP29/EDPB guidance, codes of conduct, derogations, non-EU…)
     Inherent toolset flexibility
        • Modularity and loose coupling
        • MDE and metamodelling
        • Evolving knowledge base
        • Flexible background tools
        • Open-source distribution
        • Flexible methodology
  24. Model engineering and Model-driven engineering
     Model engineering: constructing proportionally-scaled miniature working representations of full-sized machines
  25. Model engineering and Model-driven engineering
     Model engineering: constructing proportionally-scaled miniature working representations of full-sized machines
     Model driven engineering: expressing specifications through processable models. Diagram orientation (e.g. UML diagrams)
  26. Complementary modelling views and disciplines
  27. Complementary modelling views and disciplines
     Risk management
        • Assets model
        • Threats model
        • Controls model
        ❖ Vuln./threat trees
  28. Complementary modelling views and disciplines
     Requirements engineering
        • Problem frames models (optional)
        • Requirements model
        ❖ Meta-requirements taxonomy
     Risk management
        • Assets model
        • Threats model
        • Controls model
        ❖ Vuln./threat trees
  29. Complementary modelling views and disciplines
     Process assurance & method engineering
        • Reference framework
        • Argumentation
        • Assurance case and compliance model
        • Evidence model
        ❖ Argumentation patterns
     Requirements engineering
        • Problem frames models (optional)
        • Requirements model
        ❖ Meta-requirements taxonomy
     Risk management
        • Assets model
        • Threats model
        • Controls model
        ❖ Vuln./threat trees
  30. Complementary modelling views and disciplines
     System analysis & iterative design
        • Structural (data) model, e.g.
           • which data is personal?
           • is it sensitive?
           • what is the basis for collection?
        • Procedural (dataflow) model, e.g.
           • which processes deal with personal data?
           • which processing operations is it subject to?
           • which data flows between operations?
           • for what purpose is it being used?
           • who is authorized to access that data?
        • Architectural model
           • who stores and processes data?
           • under which jurisdiction?
        ❖ Minimization strategies and patterns
     Process assurance & method engineering
        • Reference framework
        • Argumentation
        • Assurance case and compliance model
        • Evidence model
        ❖ Argumentation patterns
     Requirements engineering
        • Problem frames models (optional)
        • Requirements model
        ❖ Meta-requirements taxonomy
     Risk management
        • Assets model
        • Threats model
        • Controls model
        ❖ Vuln./threat trees
  31. Complementary modelling views and disciplines
     System analysis & iterative design
        • Structural (data) model, e.g.
           • which data is personal?
           • is it sensitive?
           • what is the basis for collection?
        • Procedural (dataflow) model, e.g.
           • which processes deal with personal data?
           • which processing operations is it subject to?
           • which data flows between operations?
           • for what purpose is it being used?
           • who is authorized to access that data?
        • Architectural model
           • who stores and processes data?
           • under which jurisdiction?
        ❖ Minimization strategies and patterns
     Process assurance & method engineering
        • Reference framework
        • Argumentation
        • Assurance case and compliance model
        • Evidence model
        ❖ Argumentation patterns
     Requirements engineering
        • Problem frames models (optional)
        • Requirements model
        ❖ Meta-requirements taxonomy
     Risk management
        • Assets model
        • Threats model
        • Controls model
        ❖ Vuln./threat trees
  32. Cross-discipline abstract use cases
  33. Mental Model for gap analysis
     ➢ Needs for different engineering disciplines posed by GDPR are not covered by current tools (focused on management and operation)
  34. Method specification (SIPOC)
     Column headings: SUPPLIER, INPUT, PROCESS, OUTPUT, CUSTOMER
     Diagram text: DEVELOPER IMPLEMENTATION UPDATES RISK MANAGEMENT IMPLEMENTATION ASSESS RISKS DEFINE CONTROLS ASSESS RESIDUAL RISKS CONTINUOUSLY MONITOR RISKS ARCHITECT DEVELOPER DPO PRODUCT OWNER DETERMINE NEED FOR DPIA DETERMINE RISK TREATMENT IDENTIFY THREATS LIST OF CONTROLS RISK MANAGEMENT PLAN TECHNICAL DPIA ARCHITECT DEFINITION OF ASSETS RISK ANALYST PRODUCT OWNER THREAT SOURCES PROCESSING OPERATIONS PRODUCT OWNER ARCHITECT RISK ANALYST SYSTEMS ASSURANCE ENGINEER
  35. Method and functional integration
  36. Method and functional integration
     Diagram labels: Methods and tools for PDP Risk Management; Methods and tools for PDP Model-Driven Design; System Models; Evidences; Threats, Controls…; Methods and tools for PDP Requirements Engineering; Methods and tools for PDP Assurance; Reqs., Controls…; Regulation, Ass. Patterns; Privacy Controls; Threats, Controls…; Meta-requirements; Patterns, techniques...; Requirements
  37. Methods and Tools for GDPR Compliance through Privacy and Data Protection 4 Engineering
     For more information, visit: www.pdp4e-project.org
     Thank you for your attention
     Questions?
