GDPR is said to be “risk-oriented” in that compliance requires analysis of potential risks and impacts to the data subjects. Risk management processes involve a proactive attitude since the onset of a project (rather than waiting until incidents have already happened and then reacting). This discipline has a long track of systematically dealing with security risks, and the same approaches can be extended to also deal with privacy and data protection.
The Risk Management tool provided by PDP4E will help engineers get involved in risk management, from a technical perspective. This will facilitate the integration of legal requirements with actual technical mitigation actions to be implemented by engineers during the software development process. As it is advised to document your risk assessment processes so that you can review its contents and reassess their treatment plans, the tool will also provide means for the continuous management of risks through monitoring the implementation status of mitigation actions.
The focus of the risk management methodology used will consider both privacy and security issues. The main user for this tool will be the engineer and it is being implemented taking usability into account and following an approach which is as transparent and non-intrusive for the engineer as possible.
- Model-driven Evidence-based Privacy Risk Control in Trustworthy Smart IoT Systems, September 2019. (Open access)
- Agile risk management for multi-cloud software development, December 2018.
- Methods and Tools for GDPR Compliance Through Privacy and Data Protection Engineering, April 2018. (Open access)
- MUSA Risk Management tool. PDP4E will build on top of existing solutions in the Risk Management market, providing end-users with the tools to identify and assess risks to the privacy and rights of data subjects.
- CNIL Privacy Impact Assessment. PDP4E will showcase how the results of a risk analysis can be integrated into Data Protection Impact Assessment as mandated by article 35 of the GDPR.