Regulatory Requirements Specification

Research output: Book/Report › Report › Research › peer-review

This report aims to ensure that the EnergyShield project is compliant with the new provisions enshrined in the EU General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS Directive). In particular, the focus is to establish the main legal requirements with regard to data protection and data security, and to show how some of these requirements have been technically implemented.

Both the GDPR and the NIS Directive introduced new and stricter regulatory rules that affect any business or organization that handles personal and sensitive data. In this report we examine how the EnergyShield project can provide a more transparent tool that effectively embeds these legal requirements in the architecture design of the toolkit. The new compliance challenge is how to operationalize these legal requirements in all software components in a way that affords meaningful protection of the relevant interests.

This report also provides general guidance and recommendations regarding the exploitation of the toolkit by potential companies, which will use and benefit from the outcome of this project. An important aspect of the GDPR refers to the encryption of data. Therefore, anonymization and pseudonymization techniques are considered and we showcase how the Homomorphic Encryption (HE) tool will be developed and implemented in the toolkit.

The ubiquitous and dynamic nature of the cloud allows data transfers through a flexible, distributed network of infrastructure and service providers. Therefore – even though the partners of the EnergyShield project are currently not making any data transfers outside the EU/EEA countries – service and infrastructure providers deploying the toolkit at a later stage must ensure that data transfers are compliant with the GDPR and with the consent of data subjects. We review the avenues for making such international personal data transfers legally compliant with the GDPR and provide recommendations for the further exploitation of the toolkit. This is aimed at assisting the end-users of the toolkit in complying with the GDPR’s requirements on overseas data transfer.

This report also provides an overview of the data security standards that could serve to achieve an appropriate level of information security pursuant to the GDPR and NIS Directive provisions. The requirement to take ‘appropriate technical and organizational measures’ has been standardized and unified among the EU Member States. However, the GDPR provides only the basic requirements, without going into technical details. Therefore, in this report we highlight the key measures that the developers and potential users of the toolkit should take into consideration. These measures are based on different standards, guidelines, frameworks and good practices currently available.

Last but not least, risk management is addressed: both generic and specific security risks are listed, together with a calculation of their minimum and maximum cost exposure based on impact and probability of occurrence.

Original language: English
Publisher: EnergyShield project (H2020)
Number of pages: 67
Publication status: Published - 2019

ID: 232263620