Project Startup

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 787068.

GDPR: CHALLENGES

7 KEY PRINCIPLES
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Integrity and confidentiality
• Storage limitation
• Accuracy
• Accountability

ACCOUNTABILITY
• Contractual organization
• Privacy-by-design & Privacy-by-default
• Records of data processing activities
• Privacy Impact Assessments
• Data Protection Officer

RIGHTS OF INDIVIDUALS
• Information
• Access
• Rectification
• Erasure
• Restriction
• Portability
• Objection
• Automated decision-making / profiling

GDPR COMPLIANCE ACTIVITIES

• DEVELOPING A GDPR PRIVACY PLAN: Conduct a comprehensive assessment of the organization’s readiness for GDPR and develop a plan of action to reach compliance.
• CREATING A THIRD PARTY MANAGEMENT PROGRAM: Manage third party vendor risk and create policies, procedures and ongoing management to ensure third party compliance and implementation of the necessary contractual arrangements.
• MANAGING PRIVACY COMPLAINTS AND INDIVIDUAL RIGHTS: Develop processes and policies to respond to requests made by individuals (the right to information, but also the access, rectification, restriction, objection, erasure and portability rights).
• MANAGING PRIVACY INCIDENTS AND BREACH NOTIFICATION: Review information security policies and breach handling incident response plans to comply with the strict formal reporting (notification) obligations.
• IMPLEMENTING PRIVACY BY DESIGN/PRIVACY ENGINEERING: Implement technical and organisational measures to show that the organisation has considered and integrated data compliance measures into its data processing activities.
• DATA DE-IDENTIFICATION/ANONYMIZATION: Assess and implement anonymization and pseudonymization techniques to fall outside the scope of the GDPR or to comply with certain requirements.
• MEETING REGULATORY REPORTING REQUIREMENTS: Set up methods to review compliance activities and keep records for internal and external reporting to demonstrate compliance (e.g. privacy notices and records of privacy-related escalation handling activities).
• ADDRESSING INTERNATIONAL DATA TRANSFERS: Map international data flows and manage mechanisms to allow for the transfer of data to non-EEA countries (BCRs, MCCs, Privacy Shield, etc.).
• CREATING DATA INVENTORY AND MAPS: Inventory of processing activities and data flows, classified by data type, purpose and responsibilities.
• CONDUCTING PRIVACY RISK ASSESSMENTS (PIAs/DPIAs): Design and implement processes to conduct and manage PIAs/DPIAs and risk assessments across the organization, based on legal and regulatory requirements.
• OBTAINING AND MANAGING USER CONSENT: Develop processes to comply with the new consent requirements: ‘a statement or a clear affirmative action’ from the data subject, which must be ‘freely given, specific, informed and unambiguous’.
• SELECTION OF APPROPRIATE SECURITY TECHNICAL AND ORGANISATIONAL MEASURES: Implement physical, technical, and administrative measures to keep personal data secure and confidential, backed by an adequate standard or certification.

ORGANISATION

• START DATE: 1 July 2018
• DURATION: 30 months
• GRANT AMOUNT: EUR 2,737,300.00
• CALL TOPIC: H2020-DS-08-2017 Cybersecurity PPP: Privacy, Data Protection, Digital Identities

OBJECTIVES

1. Design and development of a successful, MARKET-ORIENTED PLATFORM to support organizations towards GDPR compliance
2. Develop a MODULAR SOLUTION that covers different aspects of the GDPR
3. AUTOMATED methods and techniques to elicit, map and ANALYZE DATA that organizations hold for individuals
4. Advanced modelling languages and methodologies for privacy-by-design and DATA PROTECTION management
5. Specification, management and enforcement of PERSONAL DATA CONSENT
6. Integrated ENCRYPTION AND ANONYMIZATION solutions for GDPR
7. DEPLOYMENT and VALIDATION of the DEFeND platform in real operational environments

DEFeND PARADIGM

The Model-Driven Privacy Governance (MDPG) paradigm enables building (from an abstract to a concrete level) and analyzing privacy-related models following a Privacy-by-Design approach that spans two levels, the Planning Level and the Operational Level, and three management areas, i.e. Data Scope, Data Process and Data Breach.

DEFeND PLATFORM toward GDPR compliance

Management areas: DATA SCOPE MANAGEMENT (DSM), DATA PROCESS MANAGEMENT (DPM), DATA BREACH MANAGEMENT (DBM). Levels: PLANNING LEVEL and OPERATIONAL LEVEL. Elements of the platform and the GDPR articles they address:

• Identify data, assets (ART. 4)
• Organisational information, establishments (ART. 4)
• Identify accountability (ART. 5)
• Data flows (ART. 4)
• Data Protection Impact Assessment (DPIA) (ART. 35)
• Data transparency, lawfulness, minimisation
• Data access rights (ART. 15)
• Personal data consent (ART. 6, 7, 8, 13, 14)
• Security and privacy specification (ART. 24)
• Security and Privacy Technologies (ART. 32)
• Privacy Data Consent Monitoring and Notification (ART. 19, 23)
• Privacy by Design (ART. 25)
• Data Breach Plan Specification (ART. 34)
• Data breach Detection, Notification and Response (ART. 23, 33, 34, 36)
• Security and Privacy Threats (ART. 4, 25)

DEFeND ARCHITECTURE

DATA SCOPE MANAGEMENT (DSM)
• DATA ASSESSMENT COMPONENT (DAC): Organisation Data Collection; Assessment Translator; Data Assessment Model

DATA PROCESS MANAGEMENT (DPM)
• DATA PRIVACY ANALYSIS COMPONENT (DPAC): Data Minimisation Analysis; DPIA Analysis; Data Access Rights Analysis; Consent Analysis; Threat Analysis; Privacy by Design/Default; Data Privacy Model
• PRIVACY SPECIFICATION COMPONENT (PSC): Security/Privacy Technologies; Security/Privacy Specification Model; Privacy Data Consent (PDC) Model
• PRIVACY IMPLEMENTATION AND MONITORING COMPONENT (PIMC): Privacy Data Consent Monitoring; Notification; Privacy Technologies Runtime

DATA BREACH MANAGEMENT (DBM)
• DATA BREACH COMPONENT (DBC): Data Breach Modelling and Analysis; Data Breach Detection and Response; Data Breach Model

GDPR DASHBOARD

Actors: DATA CONTROLLER-PROCESSOR; DATA SUBJECT; SUPERVISORY AUTHORITIES.

Dashboard (dashBoard) and BackEnd services:
• Data Scope Management Service (DSM)
• Data Process Management Service (DPM)
• Data Breach Management Service (DBM)
• GDPR Planning Service
• GDPR Reporting Service

Components: Data Assessment Component (DAC); Data Privacy Analysis Component (DPAC); Privacy Specification Component (PSC); Privacy Implementation and Monitoring Component (PIMC); Data Breach Component (DBC).

Models and artefacts exchanged through the dashboard: Organisational Information; Data Assessment Model; Consent Preferences; Privacy Data Consent Model; Security/Privacy Specification Model; GDPR Readiness Report; GDPR Authorities Report; Breach Notification.

WORK PLAN

WP 1: PROJECT, QUALITY AND COMPLIANCE MANAGEMENT
• T 1.1: Project Management
• T 1.2: Quality and Innovation Management
• T 1.3: Compliance and Ethics Management
• T 1.4: Technical Management
• T 1.5: Security Advisory Board

WP 2: REQUIREMENTS AND ARCHITECTURE
• T 2.1: Requirements and Specifications
• T 2.2: Privacy and Compliance Requirements
• T 2.3: Platform Architecture
• T 2.4: Definition of pilots’ scenarios

WP 3: DEVELOPMENT OF PLATFORM SERVICES
• T 3.1: Data Scope Management
• T 3.2: Data Process Management
• T 3.3: Data Breach Management

WP 4: INTEGRATION, DEPLOYMENT AND TESTING
• T 4.1: Services’ integration
• T 4.2: Security and Legal Compliance Audit
• T 4.3: Platform Testing and Refinement
• T 4.4: Dashboard

WP 5: PILOTS PREPARATION AND EXECUTION
• T 5.1: Pilots’ preparations
• T 5.2: Pilots’ execution and evaluation
• T 5.3: Pilots’ final demonstration

WP 6: DISSEMINATION AND EXPLOITATION
• T 6.1: Dissemination and public communication
• T 6.2: Exploitation, Business and Commercialization
• T 6.3: Training and Awareness
• T 6.4: Projects and stakeholders networking

DEFeND PILOTS

The DEFeND platform will be tested in an operational environment (TRL 7) for two different types of scenarios across four sectors, focusing on the GDPR compliance process for end-users and on the GDPR implications for external stakeholders.

• ENERGY SECTOR (PRIVATE): GP (France)
• BANKING SECTOR (PRIVATE): ABILab (Italy)
• HEALTH CARE (PUBLIC): Fundacion Para la Investigacion Biomedica Hospital Infantil Universitario Niño Jesus (Spain)
• PUBLIC ADMINISTRATION (PUBLIC): PESHTERA MUNICIPALITY (Bulgaria)

THANK YOU

Contacts
• Coordinator: Beatriz Gallego-Nicasio Crespo, Atos, beatriz.gallego-nicasio@atos.net
• Technical Manager: Prof. Haralambos (Haris) Mouratidis, UoB, H.Mouratidis@brighton.ac.uk
• Communication: info@defendproject.eu | Project website: www.defendproject.eu

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 787068.