The General Data Protection Regulation: Requirements, Architectures, and Constraints

The General Data Protection Regulation (GDPR) in the European Union is the most famous recently enacted privacy regulation. Despite the regulation's legal, political, and technological ramifications, relatively little research has been carried out to better understand the GDPR's practical implications for requirements engineering and software architectures. Building on a grounded theory approach with close ties to the Finnish software industry, this paper contributes to closing this gap in previous research. Three questions are asked and answered in the context of software development organizations. First, the paper elaborates nine practical constraints under which many small and medium-sized enterprises (SMEs) often operate when implementing solutions that address the new regulatory demands. Second, the paper elicits nine regulatory requirements from the GDPR for software architectures. Third, the paper presents an implementation for a software architecture that complies with both the requirements elicited and the constraints elaborated.
