Abstract
The introduction of the European General Data Protection Regulation (GDPR) has brought significant benefits to citizens, but it has also created challenges for organisations, which are facing difficulties in interpreting it and applying it properly. An important challenge is compliance with the Privacy by Design and by default (PbD) principles, which require that data protection is integrated into processing activities and business practices from the design stage. Recently, the European Data Protection Board (EDPB) released an official document with PbD guidelines, and there are various efforts to provide approaches to support these. However, organisations still have difficulty identifying a flow for executing these activities in a coherent, linear and effective way, and a complete toolkit to support it. In this paper, we: (i) identify the most important PbD activities and strategies, (ii) design a coherent, linear and effective flow for them, and (iii) describe our comprehensive supporting toolkit, as part of the DEFeND EU Project platform. Specifically, within DEFeND, we identified candidate tools, each fulfilling specific GDPR aspects, and integrated them in a comprehensive toolkit: the DEFeND Data Scope Management service (DSM). The aim of DSM is to support organisations in achieving continuous GDPR compliance through Model-Based Privacy by Design analysis. Here, we present the important PbD activities and strategies we identified, then describe DSM, its design, its flow, and a preliminary case study and evaluation performed with pilots from the healthcare, banking, public administration and energy sectors.
Acknowledgments
This work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 787068.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Piras, L. et al. (2020). DEFeND DSM: A Data Scope Management Service for Model-Based Privacy by Design GDPR Compliance. In: Gritzalis, S., Weippl, E.R., Kotsis, G., Tjoa, A.M., Khalil, I. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2020. Lecture Notes in Computer Science(), vol 12395. Springer, Cham. https://doi.org/10.1007/978-3-030-58986-8_13
DOI: https://doi.org/10.1007/978-3-030-58986-8_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58985-1
Online ISBN: 978-3-030-58986-8
eBook Packages: Computer Science (R0)