GDPR Compliance in the Design of the INFORM e-Learning Platform: a Case Study

The European Union General Data Protection Regulation (GDPR) governs personal data processing, aiming to ensure privacy in all systems handling such data. All systems that process personal data, including software systems, are legally obliged to comply with all articles of the GDPR applicable to them. In this paper, the case study of an e-Learning software platform, namely the INFORM platform, and its compliance with relevant articles of the GDPR is presented. The e-Learning platform was developed with the objective of hosting the educational material developed under the JUSTICE EU-funded project INFORM, targeting judiciary, court staff and legal practitioners, in order to provide free and open distance access to the content. In particular, the paper demonstrates the compliance of the platform with the articles and principles of: Data Minimisation, Lawfulness of Processing, Right to Erasure, Right of Access, Right to Data Portability, Right to Rectification and Security of Processing. By applying these articles, conformance to the provision for Data Protection by Design is also achieved; the platform’s software development process integrates the articles of the GDPR early in the development steps, from the specification and design phases. We show how the design process progressed and demonstrate the corresponding functionality within the e-Learning platform. The paper extracts a list of lessons learned and conclusions on software GDPR compliance.
