Abstract
The advent of the European General Data Protection Regulation (GDPR) forces organizations to cope with radical changes in user data protection paradigms. GDPR, by promoting a Privacy by Design approach, obliges organizations to drastically change their methods for user data acquisition, management and processing, as well as for data breach monitoring, notification and the preparation of prevention plans. This enforces the rights of data subjects (e.g., citizens, customers) by giving them more information about how their data is used and enabling them to take decisions (e.g., revoking usage permissions). Moreover, organizations are required to trace their activities on user data precisely, enabling authorities to monitor and sanction more easily. Indeed, since GDPR was introduced, authorities have heavily sanctioned companies found not to be GDPR compliant. GDPR is also difficult to apply because of its length and complexity, because it covers many aspects, and because it does not provide details on the technical and organizational security measures to apply. This calls for tools and methods able to support organizations in achieving GDPR compliance. Industry and the literature offer many tools and prototypes that address specific, isolated GDPR aspects; however, there is no comprehensive platform able to support organizations in complying with all GDPR requirements. In this paper, we propose the design of an architecture for such a platform, able to reuse and integrate the peculiarities of those heterogeneous tools, and to support organizations in achieving GDPR compliance. We describe the architecture, designed within the DEFeND EU project, and discuss challenges and preliminary benefits in applying it to the healthcare and energy domains.
Notes
- 1. DEFeND is an EU H2020 project: https://www.defendproject.eu/.
Acknowledgments
This work was partially supported by the DEFeND EU project, funded from the European Union's Horizon 2020 research and innovation programme under grant agreement No 787068.
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Piras, L. et al. (2019). DEFeND Architecture: A Privacy by Design Platform for GDPR Compliance. In: Gritzalis, S., Weippl, E., Katsikas, S., Anderst-Kotsis, G., Tjoa, A., Khalil, I. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2019. Lecture Notes in Computer Science, vol 11711. Springer, Cham. https://doi.org/10.1007/978-3-030-27813-7_6
DOI: https://doi.org/10.1007/978-3-030-27813-7_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-27812-0
Online ISBN: 978-3-030-27813-7
eBook Packages: Computer Science, Computer Science (R0)