DEFeND DSM: A Data Scope Management Service for Model-Based Privacy by Design GDPR Compliance

The introduction of the European General Data Protection Regulation (GDPR) has brought significant benefits to citizens, but it has also created challenges for organisations, which face difficulties in interpreting it and applying it properly. An important challenge is compliance with the Privacy by Design and by Default (PbD) principles, which require that data protection be integrated into processing activities and business practices from the design stage. Recently, the European Data Protection Board (EDPB) released an official document with PbD guidelines, and various efforts exist to provide approaches that support them. However, organisations still face difficulties in identifying a flow for executing these activities in a coherent, linear and effective way, and a complete toolkit for supporting this. In this paper, we: (i) identify the most important PbD activities and strategies, (ii) design a coherent, linear and effective flow for them, and (iii) describe our comprehensive supporting toolkit, part of the DEFeND EU Project platform. Specifically, within DEFeND, we identified candidate tools, each fulfilling specific GDPR aspects, and integrated them into a comprehensive toolkit: the DEFeND Data Scope Management service (DSM). The aim of DSM is to support organisations in continuous GDPR compliance through Model-Based Privacy by Design analysis. Here, we present the important PbD activities and strategies identified, then describe DSM, its design and flow, and a preliminary case study and evaluation performed with pilots from the healthcare, banking, public administration and energy sectors.
