GDPR: Use a Privacy Reference Model

Maybe you have noticed it: privacy is an issue. That is a bit strange, since there are only 15 days left until the new EU General Data Protection Regulation (GDPR) becomes fully enforceable throughout the European Union.

So before the end of May 2018, all organizations that process data of EU citizens must comply with the General Data Protection Regulation. Determining how to design and improve your systems to meet the GDPR is not straightforward, but using a Privacy Reference Model will help.

Effective solutions for privacy problems can be created by first building a model of the problem situation. Within such a model, all elements that relate to the problem situation are brought together so that the various solutions can be studied. In general, a system consists of sub-systems, objects, functions, processes, activities and tasks. The most complicated part of your system to model is, of course, the humans: this covers human behaviour as well as the tasks that humans must perform.

When you create a model to solve your privacy problem, this can be regarded as an architecture. But be warned: IT architecture is a minefield. Architecture is not by definition high level, and sometimes relevant details are of the utmost importance. It is no surprise that the added value of architecture and of IT architects within large companies and projects is under heavy pressure after the many privacy and security disasters.

Digital architectures (business, information, application and technical) have an enormous impact on the products we use daily. So it is high time to work on a better approach to privacy architectures. A good way to get started is to build your solution on an already proven model. For privacy, a couple of good reference models exist. One is the OASIS Privacy Management Reference Model (PMRM). Unfortunately the OASIS PMRM is not (yet) an open model, but using it can save you valuable time and money.

Below is a simple overview of this Privacy Reference Model:

(Figure: Privacy Reference Model)

The Privacy Management Reference Model and Methodology (PMRM) of the OASIS group can help you with:

  • Analysing the impact of new privacy use cases for your company.
  • Designing operational privacy management services.
  • Improving services that need to be compliant with the GDPR.
  • Determining the use of, and requirements for, security services from a privacy viewpoint.
  • Providing input for developing a privacy solution architecture.

When developing a privacy architecture, it makes sense to investigate whether audit and control functions for privacy can be combined with the security services and processes that are already in place.

This blog post will be added (after a rewrite) as an extension to the 'Open Reference Architecture for Security and Privacy'. We are working on a renewed version. Please join us!