Privacy, security, legal and technology acceptance elicited and consolidated requirements for a GDPR compliance platform

The challenges of implementing General Data Protection Law (GDPR)

STANDARDIZATION, PROTYPES AND QUALITY: A MEANS OF BALKAN COUNTRIES’ COLLABORATION, 2018

The vast volume and complexity of big data being processed by companies impose a need for a common guideline among all data stakeholders regarding the controlling and processing of personal data. The European General Data Protection Regulation (GDPR) imposes more restrictions on data handling and gives data subjects more freedom over how they share their personal data. Such a law, which must be implemented by every company holding the data of European citizens, has many grey areas. In this article we examine what changes are needed between data subjects, data controllers and data processors to become fully GDPR compliant. The aim is to see how the GDPR really fits with current technology processes, which are continuously evolving.

A Structured Approach to GDPR Compliance

2020

The European General Data Protection Regulation (GDPR, EU 2016/679), adopted by the European Parliament, has profoundly changed the European Union's legislative approach to the protection of personal data. The GDPR requires organizations to make profound changes. Organizations have to move from an approach based on the adoption of minimum security measures, as provided by the EU Data Protection Directive of 1995, to a proactive approach based on accountability. Organizations have to adopt systems of verification and continuous improvement and adopt principles such as privacy by design and privacy by default. Privacy by design calls for privacy to be taken into account throughout the whole engineering process. The adoption of the GDPR by an organization raises the main question of how to audit the organization's adherence. This paper proposes a structured approach, based on business process modeling, to support compliance with the GDPR. We have come up with an approach that has to identify the mos...

The Grace Period Has Ended: An Approach to Operationalize GDPR Requirements

2018 IEEE 26th International Requirements Engineering Conference (RE), 2018

The General Data Protection Regulation (GDPR) aims to protect personal data of EU residents and can impose severe sanctions for non-compliance. Organizations are currently implementing various measures to ensure their software systems fulfill GDPR obligations such as identifying a legal basis for data processing or enforcing data anonymization. However, as regulations are formulated vaguely, it is difficult for practitioners to extract and operationalize legal requirements from the GDPR. This paper aims to help organizations understand the data protection obligations imposed by the GDPR and identify measures to ensure compliance. To achieve this goal, we propose GuideMe, a 6-step systematic approach that supports elicitation of solution requirements that link GDPR data protection obligations with the privacy controls that fulfill these obligations and that should be implemented in an organization's software system. We illustrate and evaluate our approach using an example of a university information system. Our results demonstrate that the solution requirements elicited using our approach are aligned with the recommendations of privacy experts and are expressed correctly.

Design Challenges for GDPR Regtech

The Accountability Principle of the GDPR requires that an organisation can demonstrate compliance with the regulation. A survey of GDPR compliance software solutions shows significant gaps in their ability to demonstrate compliance. In contrast, RegTech has recently brought great success to financial compliance, resulting in reduced risk, cost savings and enhanced financial regulatory compliance. It is shown that many GDPR solutions lack interoperability features such as standard APIs, metadata or reports, and that they are not supported by published methodologies or by evidence of their validity or even utility. A proof-of-concept prototype was explored using a regulator-based self-assessment checklist to establish whether RegTech best practice could improve the demonstration of GDPR compliance. The application of a RegTech approach provides opportunities for demonstrable and validated GDPR compliance, in addition to the risk reductions and cost savings that RegTech can deliver. This p...

The 'User-Centric' and 'Tailor-Made' Approach of the GDPR Through the Principles It Lays down

The Italian Law Journal, 2019

The European approach to online privacy and personal data concerns in the contemporary digital age appears to have embraced a 'user-centric' approach, inspired by values of 'personalism' and human dignity, regardless of the growing commercial value commonly attributed to personal data. These two sides of the same coin have been taken into account by the GDPR. On the one hand, it seems to outline a system of protection of data subjects that presents certain similarities and connections with the consumer protection directives, especially as regards the transparency principle and the aim of providing individuals with 'effective' protection, enforceable rights and awareness-raising activities. On the other hand, a radical shift in the data protection policies of big online companies and many other service providers is required by the implementation of the set of mandatory principles and obligations stated in Chapter IV of the GDPR, while the notice-and-consent paradigm is now quite remote. In particular, the principles of data minimisation, confidentiality, integrity, data protection by design and by default, as well as accountability and scalability, require a model for approaching the new challenges brought about by data protection that is 'contextual' and 'tailor-made'. This means that the appropriate measures to be adopted by controllers and processors must consider the specific circumstances of each individual case, in accordance with a proportionality and reasonableness test on the extent of the risks to the rights and freedoms at stake. The new legal framework provided by the GDPR and Convention 108+ has weakened the role of national laws on personal data protection but has also posed the challenge of providing a uniform legal framework at the European Union level, as well as of strengthening the harmonisation process among countries that are currently taking different approaches to data protection at a global level.