7 research outputs found

    ConfIs: a tool for privacy and security analysis and conflict resolution for supporting GDPR compliance through privacy-by-design.

    Privacy and security requirements, and their potential conflicts, are becoming increasingly important. They are becoming a necessary part to be considered, starting from the very early stages of requirements engineering, and in the entire software engineering cycle, for the design of any software system. In the last few years, this has been even more emphasized and required by the law. A relevant example is the case of the General Data Protection Regulation (GDPR), which requires organizations, and their software engineers, to enforce and guarantee privacy-by-design to make their platforms compliant with the regulation. In this context, complex activities related to privacy and security requirements elicitation, analysis, mapping and identification of potential conflicts, and the individuation of their resolution, become crucial. In the literature, no comprehensive requirements-engineering-oriented tool is available for supporting the requirements analyst. In this paper, we propose ConfIs, a tool for supporting the analyst in performing a process covering these phases in a systematic and interactive way. We present ConfIs and its process with a realistic example from DEFeND, an EU project aiming at supporting organizations in achieving GDPR compliance. In this context, we evaluated ConfIs by involving privacy/security requirements experts, who recognized our tool and method as supportive concerning these complex activities.

    A Data Scope Management Service to Support Privacy by Design and GDPR Compliance

    In order to empower user data protection and user rights, the European General Data Protection Regulation (GDPR) has been enforced. On the positive side, the user is obtaining advantages from GDPR. However, organisations are facing many difficulties in interpreting GDPR and in properly applying it, and, in the meantime, due to their lack of compliance, many organisations are receiving huge fines from authorities. An important challenge is compliance with the Privacy by Design and by default (PbD) principles, which require that data protection is integrated into processing activities and business practices from the design stage. Recently, the European Data Protection Board (EDPB) released an official document with PbD guidelines, and there are various efforts to provide approaches to support these. However, organizations are still facing difficulties in identifying a flow for executing, in a coherent, linear and effective way, these activities, and a complete toolkit for supporting this. In this paper, we propose the design of such a flow, and our comprehensive supporting toolkit, as part of the DEFeND EU Project platform. Within DEFeND, we identified candidate tools, fulfilling specific GDPR aspects, and integrated them in a comprehensive toolkit: the DEFeND Data Scope Management service (DSM). The aim of DSM is to support organizations for continuous GDPR compliance through model-based Privacy by Design analysis. Here, we present DSM, its design, flow, and a preliminary case study and evaluation performed with pilots from the healthcare, banking, public administration and energy sectors.

    DEFeND architecture: a privacy by design platform for GDPR compliance.

    The advent of the European General Data Protection Regulation (GDPR) requires organizations to cope with radical changes concerning user data protection paradigms. GDPR, by promoting a Privacy by Design approach, obliges organizations to drastically change their methods regarding user data acquisition, management, processing, as well as data breaches monitoring, notification and preparation of prevention plans. This enforces data subjects' (e.g., citizens, customers) rights by enabling them to have more information regarding usage of their data, and to take decisions (e.g., revoking usage permissions). Moreover, organizations are required to trace precisely their activities on user data, enabling authorities to monitor and sanction more easily. Indeed, since GDPR has been introduced, authorities have heavily sanctioned companies found as not GDPR compliant. GDPR is difficult to apply also for its length, complexity, covering many aspects, and not providing details concerning technical and organizational security measures to apply. This calls for tools and methods able to support organizations in achieving GDPR compliance. From the industry and the literature, there are many tools and prototypes fulfilling specific/isolated GDPR aspects; however, there is not a comprehensive platform able to support organizations in being compliant regarding all GDPR requirements. In this paper, we propose the design of an architecture for such a platform, able to reuse and integrate peculiarities of those heterogeneous tools, and to support organizations in achieving GDPR compliance. We describe the architecture, designed within the DEFeND EU project, and discuss challenges and preliminary benefits in applying it to the healthcare and energy domains.

    The development and validation of a scoring tool to predict the operative duration of elective laparoscopic cholecystectomy

    Background: The ability to accurately predict operative duration has the potential to optimise theatre efficiency and utilisation, thus reducing costs and increasing staff and patient satisfaction. With laparoscopic cholecystectomy being one of the most commonly performed procedures worldwide, a tool to predict operative duration could be extremely beneficial to healthcare organisations. Methods: Data collected from the CholeS study on patients undergoing cholecystectomy in UK and Irish hospitals between 04/2014 and 05/2014 were used to study operative duration. A multivariable binary logistic regression model was produced in order to identify significant independent predictors of long (> 90 min) operations. The resulting model was converted to a risk score, which was subsequently validated on a second cohort of patients using ROC curves. Results: After exclusions, data were available for 7227 patients in the derivation (CholeS) cohort. The median operative duration was 60 min (interquartile range 45–85), with 17.7% of operations lasting longer than 90 min. Ten factors were found to be significant independent predictors of operative durations > 90 min, including ASA, age, previous surgical admissions, BMI, gallbladder wall thickness and CBD diameter. A risk score was then produced from these factors, and applied to a cohort of 2405 patients from a tertiary centre for external validation. This returned an area under the ROC curve of 0.708 (SE = 0.013, p  90 min increasing more than eightfold from 5.1 to 41.8% in the extremes of the score. Conclusion: The scoring tool produced in this study was found to be significantly predictive of long operative durations on validation in an external cohort. As such, the tool may have the potential to enable organisations to better organise theatre lists and deliver greater efficiencies in care.

    A framework for privacy and security requirements analysis and conflict resolution for supporting GDPR compliance through privacy-by-design.

    Requirements elicitation, analysis, and, above all, early detection of conflicts and resolution, are among the most important, strategic, complex and crucial activities for preventing software system failures, and reducing costs related to reengineering/fixing actions. This is especially important when critical Requirements Classes are involved, such as Privacy and Security Requirements. Recently, organisations have been heavily fined for lack of compliance with data protection regulations, such as the EU General Data Protection Regulation (GDPR). GDPR requires organisations to enforce privacy-by-design activities from the early stages and for the entire software engineering cycle. Accordingly, requirements engineers need methods and tools for systematically identifying privacy and security requirements, detecting and solving related conflicts. Existing techniques support requirements identification without detecting or mitigating conflicts. The framework and tool we propose in this paper, called ConfIs, fills this gap by supporting engineers and organisations in these complex activities, with its systematic and interactive process. We applied ConfIs to a realistic GDPR example from the DEFeND EU Project, and evaluated its supportiveness, with positive results, by involving privacy and security requirements experts. (This research is an extension of the study conducted by ALKUBAISY, D., PIRAS, L., AL-OBEIDALLAH, M.G., COX, K. and MOURATIDIS, H. 2021. ConfIs: a tool for privacy and security analysis and conflict resolution for supporting GDPR compliance through privacy-by-design [https://doi.org/10.5220/0010406100800091].)

    Utilisation of an operative difficulty grading scale for laparoscopic cholecystectomy (vol 33, pg 110, 2019)


    Preoperative risk factors for conversion from laparoscopic to open cholecystectomy: a validated risk score derived from a prospective U.K. database of 8820 patients
