Organizers: Antonio Kung (Trialog), Alejandra Ruiz Lopez (Tecnalia), Yod Samuel Martín (Universidad Politécnica de Madrid)
Privacy is a hot topic: every day we learn of new personal data breaches and corporate scandals about organizations that misbehave with their users' data. The public is becoming more and more sensitive regarding these topics, countries are enforcing a new batch of data protection laws (GDPR in the EU, CCPA in California and others in many US states, LGPD in Brazil, etc.) and organizations are facing a wave of fines and lawsuits.
But privacy is not just a matter for lawyers or managers; quite the contrary, it also concerns the engineers who develop systems, products and services. That's why the PDP4E (Privacy and Data Protection for Engineering) project aims to put engineers in the loop, integrating privacy and personal data protection into engineering practice by extending the methods and tools already applied in mainstream engineering with features dealing with privacy and data protection. In particular, PDP4E is reusing a set of open source tools (most of them part of the Eclipse ecosystem, e.g. Papyrus, OpenCert), and introducing features from state-of-the-art privacy and data protection research, aligning them with mainstream software and systems engineering practice.
PDP4E addresses the translation of privacy issues into operational work items and activities for a development project, trying to address questions such as:
- How do privacy laws (e.g. GDPR) translate into backlog items?
- Are the rights of the users being appropriately addressed?
- What happens if a user wants to enforce their rights (e.g. access, portability)? Shall I slit open my databases and reveal the results of my witty algorithms?
- How can we exploit data which has not been acquired from the data subject?
- How do we know if a system meets GDPR requirements?
- What are the specific threats faced by a system that possibly involves many service providers?
- How do we know if we are facing unknown privacy risks or threats?
- What technical measures can be applied in each case to address them?
- Which are the best choices?
- How do we track evidence that we are abiding by such requirements?
- And how does all this relate to the industry standards?
The talk will also present the use of OpenCert as a tool for Privacy Assurance. Privacy assurance addresses the demonstration of compliance with privacy and data protection law, and the observance of the privacy principles of accountability and transparency, through the systematic capture of evidence, its association with requirements and artefacts, traceability to the law and industry standards (GDPR and ISO), and argumentation of compliance derived from that evidence. The use of this tool will also be demonstrated with respect to the application of risk management and privacy impact assessment in different industrial scenarios.
This session is complemented by the talk about Privacy and Data Protection implications for researchers at the Open Source Research Agora session during the same community day.