Publication date:
2020
Citation:
(2020). Preface [a: Visual Privacy Management]. Retrieved from https://hdl.handle.net/10446/324076
Abstract:
Recent privacy scandals, such as Cambridge Analytica in 2018 or the Swedish data leakage in 2017, and the creation and enforcement of the new General Data Protection Regulation (GDPR) in Europe in 2018, have captured the attention of any entity that operates with data.
The GDPR identifies European citizens as the main stakeholders to be protected, creating powerful tools such as the consent mechanism and the right to be forgotten. Therefore, any organization that uses data of European citizens must adhere to the GDPR, otherwise heavy fines will be applied: up to 20 million euros, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Private companies have already started to take action in order to be compliant with the GDPR. But privacy is not only a concern for companies: Public Administrations (PAs), which constantly use data of citizens, must protect citizens’ data as well. Furthermore, unlike with private companies, citizens frequently have no option but to give their data to PAs in order to use essential public services. It is, therefore, a top priority for such organizations to give the feeling of protection and control of citizens’ data.
Unfortunately, enforcing privacy requirements in PAs is no trivial task: PAs’ information systems are usually extremely complex, with legacy pieces of software that were developed when privacy was not a concern at all. Moreover, PA is a heterogeneous category that covers organizations with very different objectives, users, and market segments. Examples of PAs are hospitals, government bodies, and public companies, all of them with complex information systems that manage data of large quantities of citizens.
The urgent need of public organizations is, therefore, to address privacy concerns by being compliant with the GDPR and, at the same time, to give citizens control of their data by allowing them to specify privacy requirements.
This book describes the outcome of a project called VisiOn, which lasted three years and in which four universities and seven companies collaborated to create a platform that can be used by PAs to design or to adapt their information following privacy laws and privacy requirements of citizens. We called it VisiOn Privacy Platform (VPP). The book is the result of the collective effort of all project participants that contributed to the success of VisiOn. Project participants acted as reviewers for book chapters, and each chapter was reviewed by at least two reviewers.
The objective of this book is to provide readers with a useful reference for the creation and validation of a software platform that enforces privacy in complex organizations such as PAs. This book is structured following the software engineering approach to the design of complex software such as the VPP.
Chapter 1 defines the conceptual framework we created to define privacy concepts. This chapter gives shape to privacy principles using European Union laws as a starting point. Moreover, the chapter describes the principle on which we based most of the platform, i.e., privacy by design, and a type of agreement we created to specify a privacy contract between a citizen and the PA, called Privacy Level Agreement (PLA).
Following that, in Chapter 2, requirements of the VPP are defined along with a method that we created and used for the elicitation, classification, prioritization, and validation of requirements for the VPP.
Chapter 3 describes the software components that were developed for the platform, and compose the VPP and external software tools that were developed by the partners for the VisiOn project, and that we integrated into the platform in order to use their functionalities. In particular, the chapter describes the architec
CRIS type:
1.2.02 Prefaces/Afterwords
Author list:
Salnitri, Mattia; Mouratidis, H.; Mancini, L.; Giorgini, P.
Book title:
Visual privacy management. Design and Applications of a Privacy-Enabling Platform