Privacy and data protection should be addressed “by design”, that is, from the onset of a project rather than as an afterthought. Organizations must be aware of all the kinds of personal data they are dealing with, the data subjects affected, the processing operations the data undergo, etc. This knowledge is critical to be able to honour data subject rights (e.g. right of access, right to be forgotten, data portability), to carry out data protection impact assessments, etc. Appropriate software and system models can be leveraged and enriched with metadata that signals who processes personal data, where and how.

A privacy and data protection by design (PDPbD) framework is specified and developed in PDP4E. Several model-driven engineering techniques and platforms like Papyrus are leveraged in order to support non-savvy privacy engineers in conducting typical systems and software design activities. Our approach for PDPbD combines three views at different levels of abstraction: data-oriented, process-oriented, and architecture models are consistently developed and enriched to achieve a three-fold goal.

  • First, the design models shall conform to the requirements that integrate the specificities of GDPR and the typical privacy concerns. For this conformity to be truly ensured, personal data should be identified accurately and early. This means, for instance, properly labelling which database fields store personal data, which functions carry out data processing operations, and in which realms they are deployed.
  • Secondly, the design phase should provide confidence about the effectiveness of privacy controls elicited during the risk assessment phase.
  • Last but not least, the PDPbD framework should implement algorithms and techniques to facilitate the application of strategies for data protection.
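
The labelling described in the first point can be cross-checked mechanically once the three views share identifiers. The sketch below is an added illustration, not PDP4E or Papyrus code; the class names, field names, realms and sample model are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Field:                      # data-oriented view
    name: str                     # "table.column"
    personal: bool                # labelled as personal data?
    subject: str = ""             # data subject category (assumed label)

@dataclass(frozen=True)
class Function:                   # process-oriented view
    name: str
    reads: tuple                  # fields the function touches
    labelled_processing: bool     # marked as a personal-data processing operation?
    realm: str                    # architecture view: where it is deployed

# Constructed sample model (hypothetical names)
FIELDS = [
    Field("users.email", True, "customer"),
    Field("users.birth_date", True, "customer"),
    Field("orders.total", False),
    Field("staff.badge_id", True, "employee"),
]
FUNCTIONS = [
    Function("send_invoice", ("users.email", "orders.total"), True, "eu-datacenter"),
    Function("age_stats", ("users.birth_date",), False, "analytics-cloud"),
    Function("sum_revenue", ("orders.total",), False, "eu-datacenter"),
]

def unlabelled_processing(fields, functions):
    """Functions that read a personal field but are not labelled as processing."""
    personal = {f.name for f in fields if f.personal}
    return sorted(fn.name for fn in functions
                  if not fn.labelled_processing and personal & set(fn.reads))

def unknown_fields(fields, functions):
    """Fields used by functions but absent from the data view (never classified)."""
    known = {f.name for f in fields}
    return sorted({r for fn in functions for r in fn.reads} - known)

def access_map(fields, functions, subject):
    """Per personal field of a subject category: realms where it is processed."""
    return {f.name: sorted({fn.realm for fn in functions if f.name in fn.reads})
            for f in fields if f.personal and f.subject == subject}

if __name__ == "__main__":
    print("unlabelled:", unlabelled_processing(FIELDS, FUNCTIONS))
    print("unclassified:", unknown_fields(FIELDS, FUNCTIONS))
    print("customer data:", access_map(FIELDS, FUNCTIONS, "customer"))
```

The same map that answers a right-of-access question also shows personal fields with no processing at all, which are candidates for removal from the design.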


Scientific outcomes

Related projects

  • PDP4E will build on top of the experience generated by project partners in their participation in the Eclipse Papyrus