In May-June 2018, European citizens received many e-mails telling them that data controllers comply with the GDPR, the European regulation setting personal data privacy requirements. This means that systems and software engineers now have to build their applications, if used in the EU, in accordance with the requirements of the law.
The way the GDPR chooses to handle privacy protection is to address it proactively throughout the entire systems development cycle, through a process usually called "Privacy and Data Protection by Design" (PbD). Whereas regulation often provides only abstract guidance, which means software engineers struggle to translate its goals into development specifics, PDP4E [1] will develop new ways for PbD to be built into the development of new applications and help to comply with the GDPR and other technical requirements. Thus, PDP4E will support developers and engineers in introducing privacy and data protection into their products, by providing a set of methods and tools that seamlessly integrate privacy and data protection concerns into the usual software/systems engineering flow.
A consortium gathering much data expertise
From the earliest stages, both to capture requirements and to ensure that the results serve the widest possible range of engineers, the consortium involves different kinds of associates: academics, industry partners and leading contributors to several open source projects. Several partners are also Eclipse members, such as the CEA through its institute CEA List [2]. Eclipse is a foundation providing its community of individuals and organizations, among them a wide community of developers, with a mature, scalable and commercially friendly environment for open source software collaboration and innovation. The needs of Eclipse developers will be specifically targeted. Meanwhile, the existing privacy engineering community, involved in the activities of the Internet Privacy Engineering Network (IPEN), will work towards the creation of an Alliance for Privacy and Data Protection Engineering beyond the project lifetime.
A seamless integration of PbD
"Privacy and Data Protection by Design" will be better adopted if it is built into the tools engineers already use when designing (for instance mainstream systems engineering tools covering risk management (MUSA DST), requirements management (Papyrus 4 Req), design and modelling (Papyrus) or assurance evidence (OpenCert)), rather than pushing them to use new tools that may turn out to be unsuited to them.
Additionally, this seamless integration will:
- Leverage the existing know-how on data protection, even where developers are not savvy in the field;
- Spread the adoption of data protection practice over time and across domains, by adapting the tools and methods to the mainstream needs of engineers;
- Demonstrate that the methods and tools produced are ready for mainstream practice, with pilot developments in the Fintech and Smart Grid domains.
[1] PDP4E stands for "Privacy and Data Protection for Engineers".
[2] List, a technology research institute of the CEA, is committed to technological innovation in digital systems. Its R&D activities, driven by major economic, societal and industrial challenges, encompass four main themes: factory of the future, cyber-physical systems, artificial intelligence and digital health.
What tools for developers?
Adopting PETs
Among other things, with PDP4E, engineers will design with both soft PETs (transparency) and hard PETs (minimization) in mind. PETs, "Privacy Enhancing Technologies", protect personal data and assure the users of a technology that their information is confidential and that data protection is a priority for the organizations that hold responsibility for any personally identifiable information. Examples of PETs include communication anonymizers, obfuscation, Enhanced Privacy ID (EPID), shared bogus online accounts, etc.
PDP4E will create methods and tools that support engineers in observing the rights of the data subject, through the application of different software and systems engineering disciplines:
- Requirements engineering introduces privacy and data protection requirements from the inception of the project, allowing developers to treat them as a first-class category of requirements;
- Risk management introduces data protection impact assessment throughout the development lifecycle, including the elicitation of risks, the evaluation of their impact, and the determination of preventive or corrective measures;
- Model-driven design and verification conducts system modelling with purpose specification, analysis of system models against data protection principles (e.g. minimization), and transformation into formal frameworks (where possible) to verify compliance;
- Assurance provides arguments, formal claims and evidence that transparently demonstrate compliance and are useful for certification.
Last but not least, PDP4E will also contribute its results to standardization activities.
Figure: Scheme of the PDP4E approach. © PDP4E
About PDP4E
Running from May 2018 to January 2021, PDP4E is an H2020 Innovation Action bringing together, under the coordination of an SME named Trialog, 8 partners from 4 European countries. Funded with 3 M€ from the EU, the project will integrate privacy and data protection engineering functionalities into existing, mainstream software tools that are already in use by engineers. The aim is to ensure that the projects they carry out comply with the General Data Protection Regulation (GDPR).