Socio-Technical Modelling for GDPR Principles: an Extension for the STS-ml
Claudia Negri Ribalta, René Noël, Nicolas Herbaut, Óscar Pastor, C. Salinesi
2022 IEEE 30th International Requirements Engineering Conference Workshops (REW), published 2022-08-01
DOI: 10.1109/REW56159.2022.00052 (https://doi.org/10.1109/REW56159.2022.00052)
Citations: 2
Abstract
Compliance with data protection regulations is vital for organizations and starts at the requirements level. The General Data Protection Regulation (GDPR) has been the European Union (EU) regulation on the topic since 2018. Organizations that operate within the territorial scope of the GDPR are expected to be compliant; otherwise, they can face high fines and reputational damage. Thus, GDPR compliance sets challenges for the design of information systems that must be tackled starting from the requirements level. Given the difficulties of translating regulations and the drawbacks of natural language requirements, modeling languages can help requirements engineers analyze data protection. The Socio-Technical Security modeling language (STS-ml) is a security modeling method that has already been extended for modeling privacy issues such as personal data, data controllers and processors, and specifying the legal basis for data processing. However, information critical for complying with GDPR principles still lacks modeling support. This article presents a proposal for extending the STS-ml to address GDPR principles. We show the need for modeling data protection requirements for each GDPR principle through a working privacy case and propose a set of five lightweight but meaningful extensions for the method. The extended language is intended to help requirements engineering practitioners address privacy requirements with little additional effort while preventing significant fines for EU organizations.