Transparent, explainable, and accountable AI for robotics

To create fair and accountable AI and robotics, we need precise regulation and better methods to certify, explain, and audit inscrutable systems

How to Develop a GDPR-Compliant Blockchain Solution for Cross-Organizational Workflow Management: Evidence from the German Asylum Procedure

Blockchain technology has the potential to resolve trust concerns in cross-organizational workflows and to reduce reliance on paper-based documents as trust anchors. Although these prospects are real, so is regulatory uncertainty. In particular, the reconciliation of blockchain with Europe’s General Data Protection Regulation (GDPR) is proving to be a significant challenge. We tackled this challenge with the German Federal Office for Migration and Refugees. Here, we explain how we used Action Research to guide the Federal Office in creating a GDPR-compliant blockchain solution for the German asylum procedure. Moreover, we explain the architecture of the Federal Office’s solution and present two design principles for developing GDPR-compliant blockchain solutions for cross-organizational workflow management

How Does GDPR Support Healthcare Transformation to 5P Medicine?

Health systems advance towards personalized, preventive, predictive, participative precision (5P) medicine, considering the individual's health status, contexts and conditions. This results in fully distributed, highly dynamic, highly complex business systems and processes with multiple, comprehensively cooperating actors from different specialty and policy domains, using their specific methodologies, terminologies, ontologies, knowledge and skills. Rules and regulations governing the business process as well as the organizational, legal and individual conditions, thereby controlling the behavior of the system, are called policies. Trust and confidence needed for running such system are strongly impacted by security and privacy concerns controlled by corresponding policies. The most comprehensive policy dealing with security and privacy requirements and principles in any business collecting, processing and sharing personal identifiable information (PII) is the recently implemented European General Data Protection Regulation (GDPR). This paper investigates how GDPR supports healthcare transformation and how this can be implemented based on international standards and specifications

Privacy Enhanced Secure Tropos: A Privacy Modeling Language for GDPR Compliance

Euroopa Liidu isikuandmete kaitse üldmäärusele (GDPR) vastavuse tagamine saab õiguslikult hädavajalikuks kõigis tarkvarasüsteemides, mis töötlevad ja haldavad isikuandmeid. Sellest tulenevalt tuleb GDPR vastavuse ja privaatsuse komponentidega arvestada arendusprotsessi varajastes etappides ning tarkvarainsenerid peaksid analüüsima mitte ainult süsteemi, vaid ka selle keskkonda. Käesolev uuring keskendub viimasel ajal tähepepanu pälvinud modelleerimiskeelele Privacy Enhanced Secure Tropos (PESTOS), mis põhineb Tropos metoodikal, hõlmates eesmärkide ja reeglite vaatenurka, mis aitab tarkvarainseneridel hinnata erinevaid Privacy-enhancing Technologies (PET-e) kandidaate, arendades samas privaatsustundlikke süsteeme, et need oleksid GDPR-iga kooskõlas.Kuigi GDPR artikli 5 lõikes 2 sätestatakse, et vastutuse põhimõtte kohaselt peavad organisatsioonid suutma näidata vastavust GDPR põhimõtetele (meie teadmiste kohaselt ei ole praegu veel ühtegi teist privaatsuse modelleerimise keelt, mis keskendub eelkõige GDPR nõuetele ja mis põhineb Security Risk-Aware Secure Tropos metoodikal), ei olnud saadaval ühtegi praktilist modelleerimise keelt, mis rahuldaks tööstus- ja ärivajadusi. See on Euroopa Liidu piirkonna avalikele asutustele ja erasektorile tõsine probleem, kuna GDPR toob vastutavatele ja volitatud töötlejatele kaasa väga tõsiseid trahve. Organisatsioonid ei oma piisavat kindlustunnet regulatsioonide täitmise osas ja tarkvarainseneridel puuduvad meetodid saamaks ülevaadet infosüsteemide muutmistaotlustest. Käesolevas lõputöös rakendatakse struktureeritud privaatsuse modelleerimise keelt, mida nimetatakse PESTOS-iks. Selle eesmärk on tagada kõrgetasemeline vastavus GDPR nõuetele kattes PET-e eesmärk-tegija-reegel perspektiivis hindamiseks ka lõimitud andmekaitse põhimõtted. GDPR 99-st artiklist 21 artiklit saab identifitseerida tehniliste nõudmistena, mile osas PESTOS suudab ettvõtetel aidata GDPR-ist tulenevaid kohustusi täita. Identiteedi- ja turvaekspertide seas läbiviidud uuring kinnitab, et kavandatud mudelil on piisav õigsus, täielikkus, tootlikkus ja kasutusmugavus.The European Union General Data Protection Regulation (GDPR) compliance is becoming a legal necessity for software systems that process and manage personal data. As a result of that fact, GDPR compliance and privacy components need to be considered from the early stages of the development process and software engineers should analyze not only the system but also its environment. Hereby with this study, Privacy Enhanced Secure Tropos (PESTOS) is emerging as a privacy modeling language based on Tropos methodology, which covers the goal and rule perspective, for helping software engineers by assessing candidate PETs, while designing privacy-aware systems, in order to make them compatible with GDPR. Although in Article 5(2) of the GDPR, the accountability principle requires organizations to show compliance with the principles of the GDPR, (To the best of our knowledge, currently there is no other privacy modeling language especially focuses on the GDPR compliance and enhanced based on Security Risk-Aware Secure Tropos methodology) there were not any practical social modeling languages supply the demand driven by industrial and commercial needs. This is a serious issue for public institutions and private sector in EU-zone because GDPR brings very serious charges for data controllers and data processors, therefore organizations do not feel themselves ready to face with those regulations and software engineers have a lack of methods for capturing change requests of the information systems. This paper applies a structured privacy modeling language that is called as PESTOS which has a goal-oriented solution domain that aims to bring a high compatibility with GDPR by covering Privacy by Design strategies for assessing proper privacy-enhancing technologies(PETs) in a respect of the goal-actor-rule perspective. Among the 99 articles of GDPR, 21 articles can be identified as technical level of requirements that PESTOS is able to transform them into GDPR goals needs to be fulfilled in order to support business assets. A survey conducted by identity and security experts validates that proposed model has a sufficient level of correctness, completeness, productivity and ease of use