GDPR discusses data protection by design and by default, remarking that it is essential to consider privacy from the beginning to address related issues successfully. GDPR establishes a set of duties imposed on the data processors, controllers and third parties which are aimed at honoring the corresponding data subjects rights. In GDPR, risk is explicitly scoped (Rec. 76) with regards to the rights and freedoms of the data subject.
WHY RISK MANAGEMENT?
Understanding privacy-related vulnerabilities and including privacy considerations in a continuous risk management process is difficult. On the one hand, knowledge related to vulnerabilities connected to privacy issues is not so commonplace. On the other hand, continuous evidence collection to support risk management is usually key, but most monitoring approaches focus on collecting evidences from the infrastructure or technical architectural components. However, privacy-related risks are usually detected by analyzing functional descriptions of the system (e.g. data flows). Connecting this functional level with the components of the architecture that are being monitored is not trivial. Recognizing the overlap between privacy and security is key to determining when existing security risk models may be applied to address privacy concerns.
RISK MANAGEMENT TOOL
PDP4E Risk Management tool enables engineers to analyze software development risks related to data protection and privacy. Our risk management tool allows to connect low-level vulnerabilities, threats and mitigation actions with the high-level concepts expressed in the GDPR. In this way, through the dashboards provided by the tool and using LINDDUN as the baseline for our threat analysis methodology, GDPR control becomes easier and the connection between the legal perspective and the point of view of engineers stronger. This risk management tool also enables continuous risk management process allowing to control the effective implementation of mitigation actions and enabling the possibility to control the effectivenes of these mitigation actions once they are implemented. A part from the knowledge base created in PDP4E in collaboration with the H2020 ENACT project, several other open data sources have been embedded in this tool, including CWE, CAPEC and information extracted from CMS GDPR Enforcement Tracker. Our tool also provides and automated vulnerability detectors and a kanban view to improve the agility on managing risks.
WHERE TO FIND THE TOOL?
Open source: GitHub – eclipse-researchlabs/pdp4e-rm-API
Training of the tool: https://www.youtube.com/watch?v=tM4HUBaugbE&t=3s
For any Contact: firstname.lastname@example.org