Aggeliki Tsohou, Assistant Professor


Presentation on theme: "Aggeliki Tsohou, Assistant Professor"— Presentation transcript:

1 Aggeliki Tsohou, Assistant Professor
Ionian University, Dept. of Informatics
The Mediterranean Conference on Information Systems (MCIS 2018), 30th September 2018
This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No

2 Outline
- The General Data Protection Regulation (GDPR): overview and history
- Challenges of GDPR compliance
- The DEFeND project and how it addresses (some) of the challenges:
  - Objectives
  - Architecture and Components
  - Management and Organization of work

3 The drivers of the GDPR regulation
- Need for modernization: new or more advanced online services and technologies than existed when the previous rules were introduced (e.g., social networks, location-based services, cloud computing, data processing and storage capabilities)
- Need to give individuals back control over their personal data
- Need to simplify the regulatory environment for business
  - Unnecessary administrative requirements for businesses (e.g. notification to several data protection authorities) cause significant costs

4 Significant Milestones of the GDPR
- January 2012: the EU proposes a reform of data protection rules to increase users' control of their data and to cut costs for businesses
- March 2014: the European Parliament approves the proposal for the new regulation (first reading)
- April 2016: the GDPR is announced
- May 2016: the GDPR enters into force
- May 2018: the GDPR applies

5 GDPR: Changes and Implications Compared to the 95/46/EC
- Extension of the data that fall under the categories of personal data and special categories of personal data
- Heavier responsibility and role for the data controllers and processors
- Appointment of Data Protection Officer
- Wider territorial scope
- Additional rights to the data subjects
- Differentiations on the role for the data protection authorities
- Privacy by default and personal data impact assessment as core principles for the design of information systems

6 GDPR: Changes and Implications Compared to the Previous Regulation
And of course…higher penalties! Up to EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher

7 (only some of the) Research Gaps and Opportunities
- Obtaining data subjects’ consent
- Ensuring data subjects’ rights (e.g., right to erasure, right to data portability)
- Ensuring personal data control
- Designing and implementing information systems that ensure privacy by design and by default
- Demonstrating compliance with GDPR
- Performing privacy impact assessment

8 Our Group’s Ongoing Research in Informed Consent and Privacy Awareness
- Tsohou, A. and Kosta, E. (2017), Enabling valid informed consent for location tracking through privacy awareness of users: A process theory, Computer Law & Security Review: The International Journal of Technology Law and Practice, Vol. 33, No. 4, pp
- Soumelidou, K. and Tsohou, A., Effects of Privacy Policy Visualization on Users’ Information Privacy Awareness Level – The Case of Instagram, IT & People (under review)
- Paspatis, I., Tsohou, A. and Kokolakis, S. (2017), Mobile Application Privacy Risks: Viber Users’ De-Anonymization Using Public Data, 11th Mediterranean Conference on Information Systems, Genova, Italy, September 2017
- Paspatis, I., Tsohou, A. and Kokolakis, S. (2018), AppAware: A Model For Privacy Policy Visualization For Mobile Applications, 12th Mediterranean Conference on Information Systems, Corfu, Greece, September 2018

10 GDPR: CHALLENGES
7 KEY PRINCIPLES
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Integrity and confidentiality
- Storage limitation
- Accuracy
- Accountability
ACCOUNTABILITY
- Contractual organization
- Privacy-by-design & Privacy-by-default
- Records of data processing activities
- Privacy Impact Assessments
- Data Protection Officer
RIGHTS OF INDIVIDUALS
- Information
- Access
- Rectification
- Erasure
- Restriction
- Portability
- Objection
- Automated decision-making / profiling

11
- DEVELOPING A GDPR PRIVACY PLAN: Conduct a comprehensive assessment of the organization's readiness for GDPR and develop a plan of action to reach compliance
- CREATING A THIRD PARTY MANAGEMENT PROGRAM: Manage third party vendor risk and create policies, procedures and on-going management to ensure third party compliance and implementation of necessary contractual arrangements
- MANAGING PRIVACY COMPLAINTS AND INDIVIDUAL RIGHTS: Develop processes and policies to respond to requests made by individuals (right to information but also access, rectification, restriction, objection, erasure and portability rights)
- MANAGING PRIVACY INCIDENTS AND BREACH NOTIFICATION: Review information security policies and breach handling incident response plans to comply with the strict formal reporting (notification) obligations
- IMPLEMENTING PRIVACY BY DESIGN/PRIVACY ENGINEERING: Implement technical and organizational measures to show that the organization has considered and integrated data compliance measures into data processing activities
- DATA DE-IDENTIFICATION/ANONYMIZATION: Assess and implement anonymization and pseudonymization techniques to fall outside the scope of the GDPR or comply with certain requirements
- MEETING REGULATORY REPORTING REQUIREMENTS: Set up methods to review compliance activities and keep records for internal and external reporting to demonstrate compliance (e.g. privacy notices and records of privacy-related escalation handling activities)
- ADDRESSING INTERNATIONAL DATA TRANSFERS: Map international data flows and manage mechanisms to allow for transfer of data to non-EEA countries (BCRs, MCCs, Privacy Shield, etc.)
- CREATING DATA INVENTORY AND MAPS: Inventory of processing activities and data flows, classified by data type, purpose and responsibilities
- CONDUCTING PRIVACY RISK ASSESSMENTS (PIAs/DPIAs): Design and implement processes to conduct and manage PIAs/DPIAs and risk assessments across the organization, based on legal and regulatory requirements
- OBTAINING AND MANAGING USER CONSENT: Develop processes to comply with new consent requirements: ‘a statement or a clear affirmative action’ from the data subject, which must be ‘freely given, specific, informed and unambiguous’
- SELECTION OF APPROPRIATE SECURITY TECHNICAL AND ORGANISATIONAL MEASURES: Implement physical, technical, and administrative measures to keep personal data secure and confidential through adequate standard or certification

12 ORGANISATION
- START DATE: 1 July 2018
- DURATION: 30 months
- GRANT AMOUNT: EUR 2,737,300.00
- CALL TOPIC: H2020-DS Cybersecurity PPP: Privacy, Data Protection, Digital Identities

13 OBJECTIVES
1. Design and development of a successful, MARKET-ORIENTED PLATFORM to support organizations towards GDPR compliance
2. Develop a MODULAR SOLUTION that covers different aspects of the GDPR
3. AUTOMATED methods and techniques to elicit, map and ANALYZE DATA that organizations hold for individuals
4. Advanced modelling languages and methodologies for privacy-by-design and DATA PROTECTION management
5. Specification, management and enforcement of PERSONAL DATA CONSENT
6. Integrated ENCRYPTION AND ANONYMIZATION solutions for GDPR
7. DEPLOYMENT and VALIDATION of the DEFeND platform in real operational environments

14 DEFeND PARADIGM
The Model-Driven Privacy Governance (MDPG) paradigm enables building (from an abstract to a concrete level) and analyzing privacy-related models following a Privacy-by-Design approach that spans two levels, the Planning Level and the Operational Level, and three management areas, i.e. Data Scope, Data Process and Data Breach.

15 DEFeND PLATFORM toward GDPR compliance
Management areas: DATA SCOPE MANAGEMENT (DSM), DATA PROCESS MANAGEMENT (DPM), DATA BREACH MANAGEMENT (DBM)
Levels: PLANNING LEVEL, OPERATIONAL LEVEL
- Identify data, assets (ART. 4)
- Data access rights (ART. 15)
- Data Breach Plan Specification (ART. 34)
- Organisational information establishments (ART. 4)
- Personal data consent (ART. 6, 7, 8, 13, 14)
- Identify accountability (ART. 5)
Security and privacy specification Data flows ART. 24 ART. 4 Data Protection Impact Assessment (DPIA) ART. 32 ART. 35 Security and Privacy Technologies ART. 23, 33, 34, 36 Data transparency, lawfulness, minimisation Data breach Detection, Notification and Response ART. 4, 25 ART. 19 Security and Privacy Threats Privacy Data Consent Monitoring and Notification ART. 23 Privacy by Design ART. 25

16 DEFeND ARCHITECTURE
Components: DATA ASSESSMENT COMPONENT (DAC), DATA PRIVACY ANALYSIS COMPONENT (DPAC), PRIVACY SPECIFICATION COMPONENT (PSC), PRIVACY IMPLEMENTATION AND MONITORING COMPONENT (PIMC), DATA BREACH COMPONENT (DBC)
Management areas: DATA SCOPE MANAGEMENT (DSM), DATA PROCESS MANAGEMENT (DPM), DATA BREACH MANAGEMENT (DBM)
Models: Data Assessment Model, Data Privacy Model, Security/Privacy Specification Model, Privacy Data Consent (PDC) Model, Data Breach Model
Other diagram labels: Organisation Data Collection, DPIA Analysis, Data Minimisation Analysis, Assessment Translator, Threat Analysis, Privacy by Design/Default, Security/Privacy Technologies, Data Access Rights Analysis, Consent Analysis, Privacy Technologies Runtime Privacy Data Consent Monitoring Notification, Data Breach Modelling and Analysis, Data breach Detection and Response

17 GDPR DASHBOARD
Users: DATA CONTROLLER-PROCESSOR, DATA SUBJECT, SUPERVISORY AUTHORITIES
Information, models and reports: Organisational Information, Security/Privacy Specification Model, Consent Preferences, GDPR Authorities Report, Privacy Data Consent Model, GDPR Report, Data Assessment Model, GDPR Readiness Report, Breach Notification
dashBoard: Data Scope Management Service (DSM), Data Process Management Service (DPM), Data Breach Management Service (DBM), GDPR Planning Service, GDPR Reporting Service
BackEnd: Data Assessment Component (DAC), Data Privacy Analysis Component (DPAC), Privacy Specification Component (PSC), Privacy Implementation and Monitoring Component (PIMC), Data Breach Component (DBC)

18 WORK PLAN
WP1: PROJECT, QUALITY AND COMPLIANCE MANAGEMENT
- T1.1: Project Management
- T2.2: Quality and Innovation Management
- T2.3: Compliance and Ethics Management
- T1.4: Technical Management
- T1.5: Security Advisory Board
WP2: REQUIREMENTS AND ARCHITECTURE
- T2.1: Requirements and Specifications
- T2.2: Privacy and Compliance Requirements
- T2.3: Platform Architecture
- T2.4: Definition of pilots’ scenarios
WP3: DEVELOPMENT OF PLATFORMS SERVICES
- T3.1: Data Scope Management
- T3.2: Data Process Management
- T3.3: Data Breach Management
- T4.4: Dashboard
WP4: INTEGRATION, DEPLOYMENT AND TESTING
- T4.1: Services’ integration
- T4.2: Security and Legal Compliance Audit
- T4.3: Platform Testing and Refinement
WP5: PILOTS PREPARATION AND EXECUTION
- T5.1: Pilots’ preparations
- T5.2: Pilots’ execution and evaluation
- T5.3: Pilots’ final demonstration
WP6: DISSEMINATION AND EXPLOITATION
- T6.1: Dissemination and public communication
- T6.2: Exploitation, Business and Commercialization
- T6.3: Training and Awareness
- T6.4: Projects and stakeholders networking

19 DEFeND PILOTS
The DEFeND platform will be tested in an operational environment (TRL 7) for two different types of scenarios across four sectors, focusing on the GDPR compliance process for end-users and on the GDPR implications for external stakeholders.
- ENERGY SECTOR (PRIVATE): GP (France)
- BANKING SECTOR (PRIVATE): ABILab (Italy)
- HEALTH CARE (PUBLIC): Fundacion Para la Investigacion Biomedica Hospital Infantil Universitario Niño Jesus (Spain)
- PUBLIC ADMINISTRATION (PUBLIC): PESHTERA MUNICIPALITY (Bulgaria)

20 DEFeND: PARTNERS AND CONTACTS
- UNIVERSITY OF BRIGHTON: Haris Mouratidis, Prof of Software Systems Engineering, computing engineering & mathematics
- BUSINESS-E: Claudio Girlanda, Competence Center Applications Manager
- ATOS: Pedro Soria Rodriguez, Head of Market
- FIB: Andrés G. Castillo Sanz, Head of Innovation Department
- IONIAN UNIVERSITY: Aggeliki Tsohou, Assistant Professor
- PESHTERA MUNICIPALITY: Georgi Simeonov, Project Manager; Nikolay Zaychev, Mayor

21 DEFeND: PARTNERS AND CONTACTS
- ABI LAB: Romano STASI, General Manager; Teresa Spada, Responsible for the Institutional Projects; Marco Crabu, In House Consultant; Marco Rotoloni, Research Analyst
- PDM: Luis Miguel Serra da Costa Campos, CEO; Francisco Correia Loureiro, Director, Security Solutions; Luis Miguel Landeiro Ribeiro, CTO
- BIRD & BIRD: Benoit Van Asbroeck, Partner; Julien Debussche, Associate; Jasmien César, Associate
- GRIDPOCKET: Filip Gluszak, President; Papa Niamadio, Project Manager

22 DEFeND: PROJECT CONTACTS
- Coordinator: Beatriz Gallego-Nicasio Crespo, Atos
- Technical Manager: Prof. Haralambos (Haris) Mouratidis, UoB
- Communication:
- Project website:

23 THANK YOU

