
Privacy, Security, Legal and Technology Acceptance Requirements for a GDPR Compliance Platform

Conference paper. Published in: Computer Security (CyberICPS 2019, SECPRE 2019, SPOSE 2019, ADIoT 2019)

Abstract

GDPR entered into force in May 2018 to enhance user data protection. Even though GDPR leads towards a radical change with many advantages for data subjects, it turned out to be a significant challenge. Organizations need to make long and complex changes to their personal data processing activities to become GDPR compliant. Citizens, as data subjects, are empowered with new rights, which they however need to become aware of and understand. Finally, the role of data protection authorities changes, as do their expectations of organizations. GDPR compliance being a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of the Data govErnance For supportiNg gDpr (DEFeND) EU Project is to deliver such a platform. To succeed, the platform needs to satisfy legal and privacy requirements, be effective in supporting organizations in GDPR compliance, and provide the functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, to assure that its users will embrace and use the platform. In this paper, we describe the process, within the DEFeND EU Project, for eliciting and analyzing requirements for such a complex platform, by involving stakeholders from the banking, energy, health and public administration sectors, and by using advanced frameworks for privacy requirements and acceptance requirements. The paper also contributes by providing the elicited privacy and acceptance requirements for a holistic platform supporting GDPR compliance.



Acknowledgments

This paper has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 787068.

Author information

Corresponding author: Aggeliki Tsohou.


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Tsohou, A. et al. (2020). Privacy, Security, Legal and Technology Acceptance Requirements for a GDPR Compliance Platform. In: Katsikas, S., et al. (eds.) Computer Security. CyberICPS 2019, SECPRE 2019, SPOSE 2019, ADIoT 2019. Lecture Notes in Computer Science, vol 11980. Springer, Cham. https://doi.org/10.1007/978-3-030-42048-2_14

  • DOI: https://doi.org/10.1007/978-3-030-42048-2_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42047-5

  • Online ISBN: 978-3-030-42048-2

  • eBook Packages: Computer Science (R0)