Engineers get a helping hand with GDPR compliance tools
The GDPR has had an impact on everyone, from service users to providers and even software engineers. For the latter, however, privacy engineering is a rather new concept that could easily be considered as abstract or of secondary importance. But that would be a mistake. From smart grids to big data, connected vehicles and banking, privacy engineering can never be discarded. “Engineers need four types of tools,” says Antonio Kung, co-founder of Trialog and coordinator of the PDP4E (Methods and tools for GDPR compliance through Privacy and Data Protection Engineering) project. “The first type focuses on privacy risk management, which helps engineers identify, assess and deal with privacy risks from a technical perspective. The second relates to the elicitation of privacy-related requirements, which would help engineers turn privacy constraints into tangible requirements. But that’s not all. They also need a privacy and data protection by design (PDPbD) framework, as well as an assurance case ensuring that design decisions taken to ensure privacy and mitigate associated risks can be audited and assessed for GDPR compliance.” PDP4E provides these four tools with one goal in mind: enabling the widespread creation of products, systems and services that better protect the privacy and personal data of EU citizens. To do so, it leverages model-based engineering. “The project leverages models – or processable representations of systems. These models have been developed by privacy experts and can therefore be reused by engineers. Moreover, a model can be used to explain a privacy capability,” Kung explains. Concretely, the project team has been working hard to integrate privacy by design and data protection with existent, mainstream software and system engineering methods. And for those tools that do not exist or are being developed, they provide open-source software that will guide a more privacy-aware development process. “We assume the existence of two open communities for our ecosystem: an open model community for privacy, and an open source community for privacy engineering tools (within the Eclipse open source community). The open model community can share both privacy protection and privacy engineering models.”
From connected vehicles to smart grids
The solutions are being tested in the two innovative fields of connected vehicles and big data for smart grids. For engineers eyeing cooperation between autonomous vehicles, the compromises it entails for the privacy of drivers cannot be ignored. The purpose of PDP4E in this case will be to demonstrate how such compromises can be dealt with from a privacy by design perspective. Meanwhile, the case of big data in smart grids poses critical challenges in terms of privacy and data protection which the project is aiming to assess. “A major problem in connected vehicles relates to location data, while data sharing in smart grids raises concerns related to de-identification (the algorithms needed to prevent smart metering from exposing users’ life patterns and devices in use). At the end of the day, both use cases involve complex ecosystems involving multiple organisations. This shows that privacy protection models must also include organisational models,” Kung notes. By the time the project ends, Kung and the PDP4E project partners hope to help nurture the privacy engineering community, and even foster the creation of an Alliance for Privacy and Data Protection Engineering. Their contribution to standardisation activities – notably their involvement in the development of the ISO 31700 standard (privacy by design for consumer goods and services) – certainly makes them well equipped to do so.
Keywords
PDP4E, GDPR, compliance, engineers, open source, smart grid, connected vehicle
