The General Data Protection Regulation (GDPR) entered into force on the 25th of May 2018 and provides for increased data protection standards across the EU. Its scope of application is not limited to EU-based companies, but extends to organisations located outside the EU, if they offer goods or services to, or monitor the behaviour of EU data subjects. Moreover, the GDPR imposes legal safeguards for the transfer of personal data outside of the European Union, in case where data protection standards of a third country are not deemed as ”essentially equivalent”. The GDPR adds an additional layer to the existing legal European framework, where privacy and data protection are both recognised as fundamental rights in Article7 and 8 of the Charter of Fundamental Rights of the European Union.
GDPR establishes the accountability and transparency principles, which entail that organizations show in an accessible and comprehensible way how they are processing personal data and that they demonstrate they are appropriately implementing all the requirements posed by GDPR.
An Assurance Case is a set of auditable claims, arguments, and evidence created to support the claim that a defined system/service will satisfy particular given requirements. Assurance Cases have a previously successful track record to exchange information between various system stakeholders such as suppliers and acquirers, and between the operator and regulator, where the knowledge (related to e.g. the safety and security of the system) is communicated in a clear and defendable way. Assurance methods and tools are being used in PDP4E to demonstrate that compliance, through the recording of evidences that demonstrates that the processes determined by GDPR (or by ancillary standards and regulations) have been carried out and by adding argumentations which support that line.
WHY ASSURANCE?
Assurance is the set of planned and systematic activities to justify confidence that a system conforms to its requirements (e.g., privacy requirements). It can verify that you are compliant with a specic standard, law, regulation, guidelines and reference frameworks in general. Assurance supports some of the privacy principles mentioned before, more specically, “accountability” and “transparency”.
The OpenCert tool integrates solutions for assurance and certification management of Cyber-Physical Systems (CPS). It has been applied to safety and security-critical industrial markets, such as aerospace, space, railway, manufacturing, energy and health. Argumentation and evidences are used to explicitly show the rationale behind the properties verification.
OpenCert supports the assurance activities allowing the modelling of privacy standards and regulations into reference frameworks, defining equivalences between those reference frameworks, creation of assurance cases and evidence models. Being a generic tool, OpenCert was used for addressing the particular requirements of the GDPR to follow the assurance method. Privacy assurance can be defined as the process of the systematic gathering, quantifying, and usage of information to judge the effectiveness of the actions done to comply with the privacy standards.
ASSURANCE TOOL
OpenCert is an integrated and holistic solution for assurance and certification management of Cyber-Physical Systems (CPS) spanning the largest safety and security-critical industrial markets, such as aerospace, space, railway, manufacturing, energy and health. The ultimate aim is to lower certification costs in face of rapidly changing product features and market needs.
The current features of OpenCert include the management of information from standards and regulations, the management of assurance projects, architecture-driven assurance, assurance case management, and compliance management. For architecture-driven assurance, OpenCert is linked with the Papyrus and CHESS Eclipse projects, and with the EPF project for compliance management.
The main functional blocks from OpenCert that will be used in the context pf PDP4E project are:
Reference Framework Management: Functionality related to the management of standards information as well as any other information derived from them, such as interpretations about intents, mapping between standards, etc.
- Assurance Project Lifecycle Management: This functionality factorizes aspects such as the creation of assurance projects.
- Assurance Case Management: This group manages argumentation information in a modular fashion. It also includes mechanisms to support compositional safety assurance, and assurance patterns management.
- Evidence Management: This module manages the full life cycle of evidences and evidence chains. This includes evidence traceability management.
- Assurance Reporting: This functionality is related with the reporting and compliance levers measurement.
WHERE TO FIND THE TOOL?
Open source: https://www.eclipse.org/opencert/
Contact: alejandra.ruiz@tecnalia.com