Privacy, Security, Legal and Technology Acceptance Requirements for a GDPR Compliance Platform

  • Aggeliki TsohouEmail author
  • Manos Magkos
  • Haralambos Mouratidis
  • George Chrysoloras
  • Luca Piras
  • Michalis Pavlidis
  • Julien Debussche
  • Marco Rotoloni
  • Beatriz Gallego-Nicasio Crespo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11980)


GDPR entered into force in May 2018 for enhancing user data protection. Even though GDPR leads towards a radical change with many advantages for the data subjects it turned out to be a significant challenge. Organizations need to make long and complex changes for the personal data processing activities to become GDPR compliant. Citizens as data subjects are empowered with new rights, which however they need to become aware of and understand. Finally, the role of data protection authorities changes as well as their expectations from organizations. GDPR compliance being a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of the Data govErnance For supportiNg gDpr (DEFeND) EU Project is to deliver such a platform. To succeed, the platform needs to satisfy legal and privacy requirements, be effective in supporting organizations in GDPR compliance, and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, we describe the process, within the DEFeND EU Project, for eliciting and analyzing requirements for such a complex platform, by involving stakeholders from the banking, energy, health and public administration sectors, and using advanced frameworks for privacy requirements and acceptance requirements. The paper also contributes by providing elicited privacy and acceptance requirements concerning a holistic platform for supporting GDPR compliance.


GDPR Compliance Software requirements Prioritisation 



This paper has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 787068.


  1. Blank, S.G.: Four Steps to the Epiphany: Successful Strategies for Products that Win, Palo (2007)Google Scholar
  2. Bryman, A.: Social Research Methods, 3rd edn, p. 2008. Oxford University Press, Oxford (2008)Google Scholar
  3. Cavoukian, A.: Privacy by Design. The 7 Foundational Principles, Implementation and Mapping of Fair Information Practices (2011).
  4. Davis, A., Dieste, O., Hickey, A., Juristo, N., Moreno, A.M.: Effectiveness of requirements elicitation techniques: empirical results derived from a systematic review. In: 14th IEEE International Requirements Engineering Conference (RE 2006), pp. 179–188. IEEE (2006)Google Scholar
  5. Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy re-quirements. Re-quirements Eng. 16(1), 3–32 (2011)CrossRefGoogle Scholar
  6. European Data Protection Board: First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities (2019).
  7. Faßbender, S., Heisel, M., Meis, R.: Problem-Based Security Requirements Elicitation and Refinement with PresSuRE. In: Holzinger, A., Cardoso, J., Cordeiro, J., Libourel, T., Maciaszek, L.A., van Sinderen, M. (eds.) ICSOFT 2014. CCIS, vol. 555, pp. 311–330. Springer, Cham (2015). Scholar
  8. Gartner: Forecast Analysis: Information Security, Worldwide, 1Q17 Update, August 2017 (2017).
  9. IAPP: 2018 Privacy Tech Vendor Report v.2.4e (2018).
  10. Juristo, N., Moreno, A.M., Dieste, O., Davis, A., Hickey, A.: Effectiveness of requirements elicitation techniques: empirical results derived from a systematic review. In: 14th IEEE International Requirements Engineering Conference (RE 2006) (RE), Minneapolis/St. Paul, Minnesota, USA, 2006, pp. 179–188 (2006)Google Scholar
  11. Kalloniatis, C., Belsis, P., Gritzalis, S.: A soft computing approach for privacy requirements engineering: the PriS framework. Appl. Soft Comput. 11(7), 4341–4348 (2011)CrossRefGoogle Scholar
  12. Kurtz, C., Semmann, M.: Privacy by Design to Comply with GDPR: A Review on Third-Party Data Processors (2018)Google Scholar
  13. Maguire, M.: Methods to support human-centred design. Int. J. Hum.-Comput. Stud. 55(4), 587–634 (2001)CrossRefGoogle Scholar
  14. Martin, Y.S., Kung, A.: Methods and tools for GDPR Compliance Through Privacy and Data Protection Engineering. In: 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 108–111. IEEE (2018)Google Scholar
  15. McDonald, A.M., Cranor, L.F.: The cost of reading privacy policies. ISJLP 4, 543 (2008)Google Scholar
  16. Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(02), 285–309 (2007)CrossRefGoogle Scholar
  17. Myers, M.D., Newman, M.: The qualitative interview in IS research: examining the craft. Inf. Organ. 17(1), 2–26 (2007)CrossRefGoogle Scholar
  18. Notario, N., et al.: PRIPARE: integrating privacy best practices into a privacy engineering methodology. In: 2015 IEEE Security and Privacy Workshop, pp. 151–158. IEEE, May 2015Google Scholar
  19. Piras, L.: Agon: a gamification-based framework for acceptance requirements. Ph.D. dissertation, University of Trento, 2018 (2018)Google Scholar
  20. Piras, L., Dellagiacoma, D., Perini, A., Susi, A., Giorgini, P., Mylopoulos, J.: Design thinking and acceptance requirements for designing gamified software. In: 13th IEEE International Conference on Research Challenges in Information Science (RCIS), IEEE, Bruxelles (BE), 2019 (2019)Google Scholar
  21. Piras, L., Giorgini, P., Mylopoulos, J.: Acceptance requirements and their gamification solutions. In: 24th IEEE International Requirements Engineering Conference (RE), 2016. IEEE, Beijing (2016)Google Scholar
  22. Piras, L., Paja, E., Giorgini, P., Mylopoulos, J.: Goal models for acceptance requirements analysis and gamification design. In: Mayr, H.C., Guizzardi, G., Ma, H., Pastor, O. (eds.) ER 2017. LNCS, vol. 10650, pp. 223–230. Springer, Cham (2017). Scholar
  23. Politou, E., Alepis, E., Patsakis, C.: Forgetting personal data and revoking consent under the GDPR: challenges and proposed solutions. J. Cybersecurity 4(1), tyy001 (2018)Google Scholar
  24. Priyadharshini, G., Shyamala, K.: Strategy and solution to comply with GDPR: guideline to comply major articles and save penalty from non-compliance. In: 2018 2nd International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC), pp. 190–195. IEEE (2018)Google Scholar
  25. Pulse Survey: GDPR budgets top $10 million for 40% of surveyed companies, October 2017 (2017).
  26. Reuters, T.: Study finds organizations are not ready for GDPR compliance issues (2019). Accessed 5 Apr 2019
  27. TrustArc: GDPR Compliance Status. A Comparison of US, UK and EU Companies, July 2018 (2018)Google Scholar
  28. Tsohou, A., Kosta, E.: Enabling valid informed consent for location tracking through privacy awareness of users: a process theory. Comput. Law Secur. Rev. 33(4), 434–457 (2017)CrossRefGoogle Scholar
  29. WP29 Guidelines on Data Protection Impact Assessment. Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (2017).

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Aggeliki Tsohou
    • 1
    Email author
  • Manos Magkos
    • 1
  • Haralambos Mouratidis
    • 2
  • George Chrysoloras
    • 3
  • Luca Piras
    • 2
  • Michalis Pavlidis
    • 2
  • Julien Debussche
    • 4
  • Marco Rotoloni
    • 5
  • Beatriz Gallego-Nicasio Crespo
    • 6
  1. 1.Ionian UniversityCorfuGreece
  2. 2.University of BrightonBrightonUK
  3. 3.University of the AegeanSamosGreece
  4. 4.Bird & BirdBrusselsBelgium
  5. 5.ABI LabRomeItaly
  6. 6.AtosMadridSpain

Personalised recommendations