GDPR discusses data protection by design and by default (Art. 25), remarking that it is essential to consider privacy from the beginning in order to address related issues successfully. GDPR establishes a set of duties imposed on data processors, controllers and third parties which are aimed at honoring the corresponding data subjects' rights. In GDPR, risk is explicitly scoped (Rec. 76) with regard to the rights and freedoms of the data subject.


Understanding privacy-related vulnerabilities and including privacy considerations in a continuous risk management process is difficult. On the one hand, knowledge about vulnerabilities connected to privacy issues is not so commonplace. On the other hand, continuous evidence collection to support risk management is usually key, but most monitoring approaches focus on collecting evidence from the infrastructure or from technical architectural components, whereas privacy-related risks are usually detected by analyzing functional descriptions of the system (e.g. data flows). Connecting this functional level with the architectural components that are actually being monitored is not trivial. Recognizing the overlap between privacy and security is key to determining when existing security risk models may be applied to address privacy concerns.


The PDP4E Risk Management tool enables engineers to analyze software development risks related to data protection and privacy. Our risk management tool allows engineers to connect low-level vulnerabilities, threats and mitigation actions with the high-level concepts expressed in the GDPR. In this way, through the dashboards provided by the tool and using LINDDUN as the baseline for our threat analysis methodology, GDPR control becomes easier and the connection between the legal perspective and the engineers' point of view becomes stronger. The tool also supports a continuous risk management process: it tracks the effective implementation of mitigation actions and makes it possible to check the effectiveness of those actions once they are implemented. Apart from the knowledge base created in PDP4E in collaboration with the H2020 ENACT project, several other open data sources have been embedded in the tool, including CWE, CAPEC and information extracted from the CMS GDPR Enforcement Tracker. Our tool also provides automated vulnerability detectors and a kanban view to improve agility in managing risks.
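To make the two preceding points concrete (privacy threats are found on the functional data-flow model, while evidence is collected from architecture components; a continuous process must keep each threat open until its mitigation is demonstrably in place), here is a small added example in Python. It is not the PDP4E tool's code or data model. The category-to-element mapping follows the LINDDUN methodology's element-type table; the sample DFD, the component bindings, the mitigation and evidence-check names, the GDPR article hints and the monitoring evidence are all constructed for illustration.

```python
"""LINDDUN-style threat elicitation over a data-flow diagram (DFD) whose
elements are bound to monitored architecture components.
Illustrative example only, not the PDP4E tool's code."""
from dataclasses import dataclass
from typing import Dict, List, Set

# LINDDUN element-type table: which threat categories apply to which DFD
# element kinds. Unawareness targets the (external) entity only; the other
# categories are assessed on processes, data stores and data flows.
LINDDUN_APPLIES_TO: Dict[str, Set[str]] = {
    "Linkability":     {"entity", "process", "store", "flow"},
    "Identifiability": {"entity", "process", "store", "flow"},
    "Non-repudiation": {"process", "store", "flow"},
    "Detectability":   {"process", "store", "flow"},
    "Disclosure":      {"process", "store", "flow"},
    "Unawareness":     {"entity"},
    "Non-compliance":  {"process", "store", "flow"},
}

# Constructed defaults: (mitigation, evidence a monitor must report, GDPR hint).
# A real knowledge base (CWE, CAPEC, enforcement data) would replace this.
DEFAULT_MITIGATION = {
    "Linkability":     ("pseudonymise identifiers", "pseudonymisation enabled", "Art. 25"),
    "Identifiability": ("minimise identifying attributes", "data minimisation reviewed", "Art. 5(1)(c)"),
    "Non-repudiation": ("avoid unnecessary attributable records", "attribution review done", "Art. 25"),
    "Detectability":   ("hide existence of records", "uniform responses verified", "Art. 25"),
    "Disclosure":      ("encrypt in transit and at rest", "encryption verified", "Art. 32"),
    "Unawareness":     ("provide notice and controls", "privacy notice published", "Art. 13/14"),
    "Non-compliance":  ("map processing to documented duties", "compliance checklist signed", "Art. 5"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # entity | process | store | flow
    component: str       # architecture component that is actually monitored
    personal_data: bool  # whether this element handles personal data


@dataclass(frozen=True)
class Threat:
    category: str
    element: Element
    mitigation: str
    evidence_check: str
    gdpr_ref: str


# Constructed sample DFD for a small user-registration design.
DFD: List[Element] = [
    Element("user", "entity", "browser", True),
    Element("register", "process", "api-service", True),
    Element("user-db", "store", "postgres", True),
    Element("user->register", "flow", "tls-ingress", True),
    Element("register->user-db", "flow", "db-connection", True),
    Element("metrics", "flow", "telemetry", False),   # no personal data: skipped
]

# Constructed snapshot of what monitoring currently reports per component.
EVIDENCE: Dict[str, Set[str]] = {
    "postgres": {"encryption verified", "pseudonymisation enabled"},
    "tls-ingress": {"encryption verified"},
    "browser": {"privacy notice published"},
}


def elicit_threats(dfd: List[Element]) -> List[Threat]:
    """Enumerate every (category, element) pair the LINDDUN table allows,
    ignoring elements that carry no personal data."""
    threats: List[Threat] = []
    for el in dfd:
        if not el.personal_data:
            continue
        for category, kinds in LINDDUN_APPLIES_TO.items():
            if el.kind in kinds:
                mitigation, check, ref = DEFAULT_MITIGATION[category]
                threats.append(Threat(category, el, mitigation, check, ref))
    return threats


def open_risks(threats: List[Threat], evidence: Dict[str, Set[str]]) -> List[Threat]:
    """Continuous view: a threat stays open until the component bound to its
    DFD element has reported the evidence its mitigation requires."""
    return [t for t in threats
            if t.evidence_check not in evidence.get(t.element.component, set())]


def risks_by_component(threats: List[Threat]) -> Dict[str, int]:
    """Aggregate open threats per monitored component (dashboard-style view)."""
    counts: Dict[str, int] = {}
    for t in threats:
        counts[t.element.component] = counts.get(t.element.component, 0) + 1
    return counts


if __name__ == "__main__":
    still_open = open_risks(elicit_threats(DFD), EVIDENCE)
    for component, n in sorted(risks_by_component(still_open).items()):
        print(f"{component}: {n} open privacy threats")
```

The key design choice is the `component` binding on each DFD element: the threat is elicited on the functional model, but its closure is decided by evidence reported from the monitored component, which is exactly the link the text says is not trivial to make.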


Open source: GitHub – eclipse-researchlabs/pdp4e-rm-API

