report

Privacy and Data Protection, Ethics, Social and Security Framework Analysis within the Energy Sector

Published in Privacy by


Today, technologies make many aspects of our lives interconnected and interdependent. In this scenario, the development of new technological solutions should consist not only in the analysis of the best technical components, but also in the understanding of the ethical, regulatory, and security contexts in which the solution will be implemented. By adhering to this dual approach, researchers can prove that technological progress occurs in harmony with other instances of human life.

What has been described above is the approach adopted by the PHOENIX project, a HORIZON 2020 EU-funded project whose main objective is to develop a cyber-shield able to protect the electrical smart grid infrastructure from cyber threats. This infrastructure is considered critical by the European Union, and therefore merits a system such as the one designed in PHOENIX, which detects early and avoids (or, in the worst-case scenario, mitigates) threats or attacks directed at it.

At CyberEthics Lab., we have translated this new research approach into the following 4-step methodology, applicable in all sectors.

  1. Creation of a clear picture of the conceptual framework in which the IT solution will be placed and with which the solution should find a way to dialogue in harmony.
  2. Further analysis aimed at the identification (i.e. the logical deduction from the conceptual framework) of the compliance requirements for the final design of the IT solution.
  3. Juxtaposition of the requirements identified with potential concerns/threats which might originate from non-compliance with them, alongside guidelines and policies aimed at avoiding (or at least mitigating) the occurrence of the identified threats/concerns.
  4. Definition of a checklist composed of the translation into technical language of the “conceptual” requirements, plus the relevant concerns/threats and policies, alongside the most apt technical components. The checklist is a valuable tool, to be shared between technical teams and auditors, for monitoring the appropriate evolution of the technology implementation, enacting the compliance assessment, and reporting tests and evidence for qualifying the delivered artefact.

In the PHOENIX case specifically, the ideas behind the method described above have been included in deliverable D4.1 – PRESS Analysis Framework (a public deliverable that will be published on the project’s website). Therein, after having clarified the specific sector in which the project is conducting its research activities and defined the ethics requirements (i.e. D10.1, D10.6, D10.8) as well as the general privacy policies and guidelines (i.e. D1.1 and D1.3), the analysis carried out shows three “pillars” (privacy and data protection, ethics and social concerns, and security elements). For each of them, the document describes (i) the relevant conceptual framework, (ii) the methodology for assessing the technology according to pre-defined requirements derived from the framework analysed, and (iii) potential concerns able to impact the requirements identified. The final chapter of the document provides the PHOENIX project with a practical set of compliance rules and governance policies (a sort of practical “handbook”) designed to properly apply ethics, legal, and social principles during the research activity for each requirement identified and described in the three pillars. These compliance rules and governance policies will then be implemented throughout a DevSecOps (1) process occurring across the entire project lifecycle. In accordance with the definition of the DevSecOps process, which aims to embed security practices from the inception of technological solutions, the technical requirements will be made into a checklist. This checklist is to be used during testing and assessment, and should provide evidence of the delivered artefact’s compliance with the PRESS Framework.

The process overview and the outcomes of the PRESS Framework are illustrated in the following figure.

 

As can be seen, the PHOENIX project has been a means for us to develop a unified method that incorporates ethics requirements, privacy guidelines and recommendations, and results from multidimensional risk assessments. Hence the name PRESS, an acronym deriving from the key words PRivacy, Ethics, Security and Societal. We believe that the advantage of such a framework is to ensure data protection thanks to comprehensive guidelines for the implementation phase of technological solutions. Such solutions would thus be able to utilise the best technical components while adhering to the appropriate and proportional compliance requirements identified.

To achieve such a result in other domains, it is indispensable for professionals with different backgrounds (legal, ethical, technical, etc.) to work closely together and to find common ground for describing phenomena and requirements and identifying ethics and legal concerns. This kind of cooperation, which finds fertile ground in EU-funded research projects, can provoke a shift in the DevSecOps mindset: from being a legal and regulatory nuisance, compliance activities can come to define better technologies and give them a greater chance of adoption and long-term use.

 

 

PHOENIX project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 832989

Notes

1 DevSecOps is the acronym for development, security, and operations

Service involved

Assessment of technology impact on privacy

We help our clients and partners to achieve their business goals while addressing ethics, privacy and cybersecurity concerns in a manner that prevents conflicts, sanctions and loss of money deriving from a lack of ethical and legal compliance with applicable national and European regulations. All information technologies must respect fundamental human rights and ensure the rights of people in relation to the protection of their private life, personal data and freedom. The new EU General Data Protection Regulation (GDPR), which replaced the Data Protection Directive in all EU member states in May 2018, introduces many new obligations for companies and a comprehensive set of rights for data subjects, including the right to an effective judicial remedy against a controller or a processor and the right to compensation. Therefore, in addition to being at the receiving end of an enforcement action, data controllers and processors may be subject to court proceedings and have to pay compensation to data subjects for their infringements of the GDPR.

Our approach to helping our clients avoid these kinds of issues consists of a holistic service composed of the following main components: providing a Data Protection Officer to drive the organisation’s legal compliance action; mapping the data processed by the organisation to measure its impact on the ethical principles and legal framework; assessing the cybersecurity mechanisms used by the organisation’s technologies; conducting an impact assessment for all data processing mechanisms, identifying ethical, legal and security risks; and making recommendations for the implementation of the organisational and technical means to be compliant with the legal framework while ensuring data confidentiality (preserving authorized restrictions on information access and disclosure, including personal privacy and proprietary information protection), integrity (assurance that data is not modified or deleted in an unauthorized and undetected manner), availability (ensuring there is timely and reliable access to and use of information) and accountability (supporting non‐repudiation, deterrence, fault isolation, intrusion detection and prevention, and after‐action recovery and legal action).

Responsible Research & Innovation

We love discovering and staying on top of new research to continuously advance our knowledge and to transform it into responsible innovation, taking into account effects and potential impacts on ethics, privacy and data protection. We help national and international partners to handle ethical, legal and cybersecurity concerns in both the research process and the project outcomes, through legal support for the involvement of human beings in the research activity, analysis of the national and regional legal framework applicable to the technology being implemented, and recommendations for the secure and compliant development of technology. We are a multidisciplinary team that promotes the inclusion of legal and ethical concerns in the design of technology, researching and producing new knowledge and best practices towards a conscious and transparent adoption of technology.