Project Name: Bridging the security, privacy and data protection gap for smaller enterprises in Europe
Description
Over 25 million European SMEs/MEs, central to EU enterprise policy, face multiple challenges related to personal data protection, ranging from awareness to a clear and practical roadmap to compliance. The most prominent challenge is that, unlike larger enterprises, SMEs/MEs lack access to enterprise-grade cybersecurity technology and to capacity-building for compliance, which makes them increasingly frequent victims of costly data breaches. Although, according to studies, small and micro-businesses declare openness to investing in regulatory compliance, including in consultants and technology, millions of European SMEs/MEs still fail to comply with the GDPR, and their managers remain confused about basic data security concepts such as data stewardship, encryption and secure communication. This reveals a clear gap between cybersecurity- and privacy-related spending and its actual effect on personal data protection compliance. The SENTINEL project aspires to bridge this gap by boosting the capabilities of SMEs/MEs in this domain through cost-effective innovation. SENTINEL will integrate tried-and-tested modular cybersecurity technologies with new, ambitious ones, such as a novel Identity Management System for human-centric data portability (enabling a unified "European Data Space") and an end-to-end digital self-assessment framework for personal data protection compliance for SMEs, into a unified digital architecture. The data from these modules will then be processed by the Intelligence for Compliance component of SENTINEL's digital core, which provides tailor-made recommendations, policy drafting and enforcement for compliance, and a "one-stop-shop" incident response centre. Combined with a well-researched methodology for application, an open knowledge-sharing hub and a wide-reaching plan for experimentation, SENTINEL will catalyse the adoption of market-leading security technology among SMEs/MEs and help safeguard their assets and those of their customers.
SENTINEL's main offerings can be summarised as follows: (a) SME training and education on fundamental concepts of data protection and privacy (why it is needed, how the data subjects' privacy is affected by SMEs' data processing activities, and what needs to be done); (b) evidence-based GDPR compliance, by providing a one-to-one link between privacy requirements, measures and controls, cyber assets, configurations and real-time monitoring; and (c) cost reduction through automation, by providing a GDPR compliance check, a data protection impact assessment, tailor-made recommendations for GDPR compliance and policies, and real-time monitoring of cybersecurity and privacy compliance.
Reason for applying to HSbooster.eu services
First and foremost, we would appreciate consultation and guidance from experts to prepare the ground for certifying SENTINEL as a holistic service for ensuring GDPR compliance and personal data protection. At the moment (M14 of the project), the majority of the individual services comprising the SENTINEL Minimum Viable Product (MVP) are designed and operated under specific standards (e.g., the GDPR Compliance Self-assessment follows the ISO/IEC 33000 family of standards). Nevertheless, we envision SENTINEL becoming a holistic certified service for ensuring GDPR compliance and personal data protection.
In addition, we would like to receive advice on how to engage with relevant standardisation bodies (those identified by the consortium and others that the HSbooster.eu experts may suggest), how to identify opportunities for influencing the processes and outcomes of standardisation, and how to propose new work items to the relevant technical committees and working groups.
Main Standardisation Interests
One of SENTINEL's main objectives is collaboration with standardisation bodies to ensure that all SENTINEL solutions, products and services are aligned and harmonised with regulations and EU standards (Obj. 5). SENTINEL's ambition is to adopt more than six (6) standards across several data privacy- and compliance-related technologies. The General Data Protection Regulation (GDPR) grants individuals rights regarding the handling of their personal data. However, such rights "suffer from the absence of technical tools and standards that make the exercise of their rights simple and not overly burdensome" (see European Commission (2020): A European strategy for data. COM(2020) 66 final, p. 10). To underline this statement, the Commission focuses on the right to data portability, which it notes has a "practical limitation". Thus, a key activity within the project is exploring and enhancing the portability right of individuals under Article 20 of the GDPR, giving them more control over who can access and use machine-generated data. One of the main innovations delivered by SENTINEL is the Identity Management System (IdMS), which is based on the "MyData" paradigm (Nordic model) for data portability and aspires to provide a practical and ethical way for SMEs/MEs to manage and process personal information in a GDPR-compliant manner EU-wide. Therefore, one of the main goals of the project in this direction is to facilitate standardisation and governance for data portability. This can be achieved through the definition of standardised technological terminology and practices (e.g., standardised APIs) that allow the free flow of data under the individuals' control.
Another objective of SENTINEL related to standardisation is the production of a standardised security, privacy and personal data protection organisational policy for SMEs/MEs, as an outcome of the GDPR self-assessment, SME profiling and tailor-made recommendations provided by the SENTINEL platform. This policy is human-readable, unified and enforceable.
Although the majority of the individual services offered by SENTINEL follow specific standards (e.g., the GDPR Compliance Self-assessment follows the ISO/IEC 33000 family of standards), the consortium would like to explore whether the entire set of services offered by the SENTINEL platform can be certified. It should be noted that, at this point, the SENTINEL platform aims to raise awareness among SMEs/MEs of GDPR compliance, obligations, measures to be taken, etc., and to train them through its set of services; it does not aim to be a means of assuring or certifying compliance in the way a certification body does. However, the latter is an important step towards the commercialisation of the SENTINEL platform at the end of the project.
The SENTINEL Work Plan includes a task (T7.4) dedicated to standardisation activities, aimed at contributing to existing standards and providing relevant feedback to standardisation bodies and organisations. Within this task, the consortium also aims to organise representation activities in standardisation communities and boards.