Integrating Data Protection into the Software Life Cycle

  • Ralf Kneuper
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11915)

Abstract

Data protection has become increasingly important in recent years, partly due to the EU General Data Protection Regulation (GDPR) and similar legislation in other countries, but also because of various privacy scandals which led to bad press for the affected companies. Since most of the processing of the relevant personal data is performed by software, data protection needs to be addressed in the development of software. This paper therefore investigates how to incorporate data protection into the software life cycle. Based on a simple default life cycle model, the main questions to ask and issues to address in the various phases are summarized. These questions and issues are independent of the exact life cycle model used, whether plan-driven, agile or some hybrid, and can therefore easily be mapped to other models. Not surprisingly, data protection mainly affects the analysis and design of software systems (“privacy by design”), when the data to be processed and stored, the form of processing, and the protection mechanisms to be used are defined. Nevertheless, to some extent the entire life cycle down to withdrawal is affected.

Keywords

Data protection · Software life cycle · Data protection by design · Privacy

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • IUBH University of Applied Sciences, Distance Learning, Bad Reichenhall, Germany