ReCRED’s ultimate goal is to promote the user’s personal mobile device to the role of a unified authentication and authorization proxy towards the digital world. ReCRED adopts an incrementally deployable strategy in two complementary directions: extensibility in the type and nature of supported stakeholders and services (from local access control to online service access), as well as flexibility and extensibility in the set of supported authentication and access control techniques; from widely established and traditional ones to emerging authentication and authorization protocols as well as cryptographically advanced attribute-based access control approaches. Simplicity, usability, and users privacy is accomplished by: i) hiding inside the device all the complexity involved in the aggregation and management of multiple digital identifiers and access control attribute credentials, as well as the relevant interaction with the network infrastructure and with identity consolidation services; ii) integrating in the device support for widespread identity management standards and their necessary extensions; and iii) controlling the exposure of user credentials to third party service providers. ReCRED addresses key security and privacy issues such as resilience to device loss, theft and impersonation, via a combination of: i) local user-to-device and remote device-to-service secure authentication mechanisms; ii) multi-factor authentication mechanisms based on behavioral and physiological user signatures not bound to the device; iii) usable identity management and privacy awareness tools; iv) usable tools that offer the ability for complex reasoning of authorization policies through advanced learning techniques. ReCRED’s viability will be assessed via four large-scale realistic pilots in real-world operational environments. The pilots will demonstrate the integration of the developed components and their suitability for end-users, so as to show their TRL7 readiness.

The goal of BPR4GDPR is to provide a holistic framework able to support end-to-end GDPR-compliant intra- and inter-organisational ICT-enabled processes at various scales, while also being generic enough, fulfilling operational requirements covering diverse application domains. To this end, proposed solutions will have a strong semantic foundation and cover the full process lifecycle addressing major challenges and priorities posed by the regulation, including requirements interpretation, broad territorial scope, accountability, security means enforcement, data subject’s rights and consent, unified data view and processing actions inventory, privacy by design, etc. The starting point will be process models, either automatically discovered through organisation logs or manually specified, formally expressed through a Compliance Metamodel, a comprehensive process modelling technology able to capture advanced privacy provisions. Thereupon, a highly expressive policy framework will guide the automatic verification of these models regarding GDPR requirements, and their subsequent transformation, so that they are rendered inherently privacy-aware before being deployed for execution. Subsequently, the consistent execution of GDPR-compliant processes will be ensured by a comprehensive set of tools able to support all diverging requirements that may arise from GDPR, related to data handling, data subjects’ involvement, various PETs, etc., so that even organisations with currently no such infrastructure in place can readily have such mechanisms. Finally, process mining will be extensively used for the ex post analysis of processes, in order to ensure that specified policies are indeed enforced. However, apart from verifying compliance, such techniques will offer the added value of automatically improving process models over time towards optimised fulfillment of both legal and business requirements. Deployed on the Cloud, BPR4GDPR will provide for Compliance-as-a-Service (CaaS)