Project proposal for DS-08-2017, August 2017; outline & partner composition.
Risk management is an important element in the GDPR. It is clearly stated that the responsibility of the controller includes “taking into account the nature … as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.” Hence, methods and tools that support effective risk assessment are needed, and specifically in systems where breaches are likely to be rated at ‘high’ or ‘very high’ risk levels. Here Impact Assessment (Article 35) applies and when using common methods for qualitative risk assessment, one will typically summarise risk levels in tables such as the one to the right. In order to mitigate (v)high risks, one will need specific and precise countermeasures, e.g. appropriate legal, procedural and technical measures according to the Principles in Article 5. With many risks originating from advanced and professional attackers, most systems will need strong and targeted safeguards. Hence, strong and effective privacy and security measures must be implemented by well-defined and strong mechanisms, i.e. also deploying cryptography and trusted hardware when necessary. The proposal targets strands ‘GDPR in practice’ and ‘secure ID’.
The underlying problem is that high security safeguards designed with low precision or ad-hock methods make little sense in systems of real-life complexity. With high complexity one can only demonstrate ‘appropriate’ strength and precision through the deployment of structured procedures supported by tools. These must support specification, design and implementation activities in a consistent and auditable manner. Traditionally the term ‘security assurance’ has been used about many such activities, but the accompanying methods are often assuming a water-fall type development and are not so compatible with current agile development methods. As there are many systems with ‘high’ risk levels and very few tools <Ref.> supporting the Certification in Article 42(5), the need for such tools is immediate. Specifically tools that aggregate technical (privacy by) design knowledge over time and links this to actual implementations will increase assurance levels significantly; and that is exactly what the PresTo project will deliver.
IF YOU ARE INTERESTED IN KNOWING MORE
ABOUT THIS PROJECT PLEASE
REGISTER AS FREE MEMBER OR LOGIN IF ALREADY REGISTERED