PDP4E is an innovation action that intends to endow software and system engineers with methods and software tools to systematically apply data protection principles in the projects they carry out and have the products they create comply with the General Data Protection Regulation (GDPR), thus bringing the principles of Privacy and Data Protection (PDP1) to practice. For that aim, PDP4E will introduce well-known, state-of-the-art data protection methods and techniques into the everyday activities and mainstream tools usually applied by engineers in their habitual work.
Rather than creating a set of tools from scratch, PDP4E will integrate privacy and data protection engineering functionalities into existent, mainstream software tools that are already in use by engineers, thus leveraging the project efforts and ensuring a seamless adoption of its results by their intended users (the systems and software engineers). More specifically, PDP4E will introduce data protection functions into a set of open-source tools which are (or will be) part of the Eclipse ecosystem, and which deal with the disciplines of risk management, requirements engineering, model-driven design, and assurance. Likewise, PDP4E will integrate data protection methods into mainstream, existent software and systems engineering methodologies and process models. The release of open-source versions of the software tools created in PDP4E will also facilitate their adoption and their flexible adaptation to different scenarios —something that will be supported as well by the use of model-driven engineering principles and other tool features. Indeed, PDP4E itself will demonstrate the applicability of the results to two innovative application domains (smart grid and fintech) which face specific challenges when dealing with data protection issues, and whose industries are currently served by the consortium partners. Further, PDP4E will set up an ecosystem of research and practice to boost the adoption of data protection practices in software and systems engineering, providing not only the open-source PDP4E methods and tools, but also accompanying training material, a body of knowledge for this emerging field, and a meeting point to serve as reference for the whole community. All in all, the application of PDP4E methods and tools will ease the engineering of GDPRcompliant products, which shall lead to a widespread creation of products, systems and services that better protect the privacy and personal data of EU citizens.
Introduce features to support privacy by design and data protection into existent mainstream software and system engineering tools.
In order to ensure that privacy by design and data protection are effectively enforced in systems development, those aspects shall be included in the tools engineers use every day, rather than forcing them to learn to use tools that are alien to them. Thus, PDP4E will innovate in evolving previously existent mainstream system engineering tools which cover the main disciplines of the SDLC, viz. risk management (MUSA DST), requirements management (Papyrus 4 Req), design and modelling (Papyrus) and assurance (OpenCert); and introducing data protection enabling functionalities to these tools which assist in dealing with e.g. data protection impact assessments, data protection principles, data subjects’ rights, obligations of controllers and processors, accountability, etc.
The resulting software toolset will allow engineers to seamlessly use the same tools they are already familiar with, in order to create systems that comply with GDPR.
Integrate privacy by design and data protection activities within existent mainstream software and system engineering methods.
Likewise, the successful adoption of privacy and data protection activities by engineers, entails their integration within the workflows they usually follow, rather than being considered as unconnected activities.
Thus, PDP4E will innovate in adapting data protection methods previously formulated by the partners (LINDDUN, PRIPARE, PROPAN, UML4PF), integrating the current work on standards and methods (e.g. OASIS PMRM, ISO 29134, ISO 27550), and aligning them with mainstream methods of SDLC and specializing them to operationalize GDPR compliance (foreground) . The tasks and concepts defined by such methods will be supported by the functions provided by the toolset developed in the objective O1).
Empower engineers overall to leverage the existent knowhow on data protection; even if they are not savy in the field.
Despite the important role privacy and data protection experts will keep, engineers will not be able to properly apply data protection methods in their daily work unless they are have a readily available body of knowledge with the wisdom amassed by data protection community of practice and research, and which is represented in terms compatible with their mind-set.
Thus, PDP4E will deliver with their methods and tools a set of knowledge bases (operational data protection requirements; data protection risks, threats and solutions; privacy patterns; assurance reference frameworks) which distil the existing knowledge in the field, providing engineers with guidance and supporting them with knowledge at hand they can use during the engineering activities. Such knowledge bases will be integrated within the toolset, and can be updated according the developments in the state of the art.
Spread the adoption of data protection practice in time and space, by promoting the adaptation of the tools and methods to the mainstream needs of engineers
PDP4E will release most of its outcomes through open licenses; in particular, an open-source version of the software toolset will be released under the EPL (Eclipse Public License) and published and hosted by the Eclipse Foundation. To promote adaptation, an MDE approach will be followed to provide adaptability, flexibility and interoperability of the tools developed. PDP4E toolset will also adopt standard interchange formats, well-defined and documented APIs, and a modular architecture that fosters reusability and integration.
Foster the broadest practice of privacy and data protection engineering, by advancing the existent
communities of practice of privacy engineering (IPEN) and bridging them to mainstream development
PDP4E will involve different stakeholders since the earliest stages, both to capture requirements and to validate the project results, so as to ensure that the results respond to the widest range of engineers. On the one hand, the wide community of developers hosted by Eclipse will be targeted to address their needs; on the other hand, market constraints of two specific application domains will be tackled. Besides, PDP4E will nurture the existent privacy engineering community, by raising the activities of the Internet Privacy Engineering Network (IPEN), which it aims to advance for the creation of an Alliance for Privacy and Data Protection Engineering beyond the project lifetime. PDP4E will also contribute with its results to standardization activities.
Demonstrate readiness for mainstream practice of the methods and tools produced, by having engineers apply them for GDPR compliance in pilot developments for the fintech and smart grid domains
In order to validate the outcomes of PDP4E, they will be applied by software and system engineers to introduce data protection issues in the SDLC activities of products they are creating. Such products are not ad hoc developments for PDP4E, but exist outside the project in real development scenarios, where the engineers will employ our methods and tools to deal with data protection aspects. Two demonstration pilots will be tackled, led by project partners: one dealing with fintech applications and services, and the other with big data on smart grid, both areas with intensive, novel use of personal data which poses specific problems, and with relevant sectoral-regulation. These pilots will be used both to capture the user needs for the project and to validate the intermediate and final results (and get feedback in the first case).