The Grace Period Has Ended: An Approach to Operationalize GDPR Requirements

2018 IEEE 26th International Requirements Engineering Conference (RE) Pub Date : 2018-08-01 DOI:10.1109/RE.2018.00023

Vanessa Ayala-Rivera, L. Pasquale

{"title":"The Grace Period Has Ended: An Approach to Operationalize GDPR Requirements","authors":"Vanessa Ayala-Rivera, L. Pasquale","doi":"10.1109/RE.2018.00023","DOIUrl":null,"url":null,"abstract":"The General Data Protection Regulation (GDPR) aims to protect personal data of EU residents and can impose severe sanctions for non-compliance. Organizations are currently implementing various measures to ensure their software systems fulfill GDPR obligations such as identifying a legal basis for data processing or enforcing data anonymization. However, as regulations are formulated vaguely, it is difficult for practitioners to extract and operationalize legal requirements from the GDPR. This paper aims to help organizations understand the data protection obligations imposed by the GDPR and identify measures to ensure compliance. To achieve this goal, we propose GuideMe, a 6-step systematic approach that supports elicitation of solution requirements that link GDPR data protection obligations with the privacy controls that fulfill these obligations and that should be implemented in an organization's software system. We illustrate and evaluate our approach using an example of a university information system. Our results demonstrate that the solution requirements elicited using our approach are aligned with the recommendations of privacy experts and are expressed correctly.","PeriodicalId":445032,"journal":{"name":"2018 IEEE 26th International Requirements Engineering Conference (RE)","volume":"56 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"59","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 IEEE 26th International Requirements Engineering Conference (RE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/RE.2018.00023","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 59

Abstract

The General Data Protection Regulation (GDPR) aims to protect personal data of EU residents and can impose severe sanctions for non-compliance. Organizations are currently implementing various measures to ensure their software systems fulfill GDPR obligations such as identifying a legal basis for data processing or enforcing data anonymization. However, as regulations are formulated vaguely, it is difficult for practitioners to extract and operationalize legal requirements from the GDPR. This paper aims to help organizations understand the data protection obligations imposed by the GDPR and identify measures to ensure compliance. To achieve this goal, we propose GuideMe, a 6-step systematic approach that supports elicitation of solution requirements that link GDPR data protection obligations with the privacy controls that fulfill these obligations and that should be implemented in an organization's software system. We illustrate and evaluate our approach using an example of a university information system. Our results demonstrate that the solution requirements elicited using our approach are aligned with the recommendations of privacy experts and are expressed correctly.

查看原文本刊更多论文

宽限期已经结束:实施GDPR要求的方法

《通用数据保护条例》(GDPR)旨在保护欧盟居民的个人数据，并可能对违规行为实施严厉制裁。组织目前正在实施各种措施，以确保其软件系统履行GDPR义务，例如确定数据处理或强制数据匿名化的法律依据。然而，由于法规的制定含糊不清，从业者很难从GDPR中提取和实施法律要求。本文旨在帮助组织了解GDPR所规定的数据保护义务，并确定确保合规性的措施。为了实现这一目标，我们提出了GuideMe，这是一个6步的系统方法，它支持引出解决方案需求，将GDPR数据保护义务与履行这些义务的隐私控制联系起来，并应在组织的软件系统中实施。我们用一个大学信息系统的例子来说明和评估我们的方法。我们的结果表明，使用我们的方法得出的解决方案需求与隐私专家的建议一致，并且表达正确。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2018 IEEE 26th International Requirements Engineering Conference (RE)

自引率

0.00%

发文量