Skip to main content
SpringerLink
Log in
Book cover

European Conference on Software Process Improvement

EuroSPI 2019: Systems, Software and Services Process Improvement pp 136–148Cite as

Designing a Data Protection Process Assessment Model Based on the GDPR

  • Conference paper
  • First Online:

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1060))

Abstract

Companies are facing more and more regulations nowadays, including the General Data Protection Regulation (GDPR). They must then take appropriate technical and organisational measures related to GDPR and effectively implement them. In order to support this and the demonstration of compliance, a process assessment model based on the GDPR is proposed. This paper relates how the process model has been engineered, from semantic annotations based on the GDPR, to identification of rights and obligations for eliciting processes and describing their main components (purpose and outcomes). The support of additional document sources enabled to formulate process assessment indicators.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

References

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016)

    Google Scholar 

  2. Guarda, P., Kiyavitskaya, N., Zannone, N.: Using semantic annotation for mining privacy and security requirements from European Union directives. Technical report # DISI-08-011 (2008)

    Google Scholar 

  3. ISO/IEC: ISO/IEC 33004 Information Technology—Process assessment—Requirements for process reference, process assessment and maturity models (2015)

    Google Scholar 

  4. Robaldo, L., Sun, X.: Reified input/output logic: combining input/output logic and reification to represent norms coming from existing legislation. J. Logic Comput. 27(8), 2471–2503 (2017)

    Article  MathSciNet  Google Scholar 

  5. Paulk, M.C., Curtis, B., Chrissis, M.B., Weber, C.V.: The Capability Maturity Model for Software, Version 1.1 (No. CMU/SEI-93-TR-24): Software Engineering Institute (1993)

    Google Scholar 

  6. de Bruin, T., Rosemann, M., Freeze, R., Kulkarni, U.: Understanding the main phases of developing a maturity assessment model. In: 16th Australasian Conference on Information Systems (ACIS), Sydney (2005)

    Google Scholar 

  7. Becker, J., Knackstedt, R., Pöppelbuß, J.: Developing maturity models for IT management. Bus. Inf. Syst. Eng. 1(3), 213–222 (2009)

    Article  Google Scholar 

  8. Pöppelbuß, J., Röglinger, M.: What makes a useful maturity model? A framework of general design principles for maturity models and its demonstration in business process management. In: ECIS 2011 (2011)

    Google Scholar 

  9. Tarhan, A., Turetken, O., Reijers, H.A.: Business process maturity models: a systematic literature review. Inf. Softw. Technol. 75, 122–134 (2016)

    Article  Google Scholar 

  10. ISO/IEC: ISO/IEC 330xx Information Technology - Process Assessment (2013, 2017)

    Google Scholar 

  11. ISO/IEC: ISO/IEC 33002 Information Technology—Process assessment—Requirements for performing process assessment (2015)

    Google Scholar 

  12. ISO/IEC 15504-5: Information Technology – Process assessment – Part 5: An exemplar software life cycle process assessment model. International Organization for Standardization, Geneva (2012)

    Google Scholar 

  13. Cass, A., Völcker, C., Ouared, R., Dorling, A., Winzer, L., Carranza, J.M.: SPICE for SPACE trials, risk analysis, and process improvement. Softw. Process: Improv. Pract. 9(1), 13–21 (2004)

    Article  Google Scholar 

  14. Automotive Spice ® (2015). http://www.automotivespice.com/fileadmin/software-download/Automotive_SPICE_PAM_30.pdf. Accessed 12 Apr 2019

  15. Pries-Heje, J., Johansen, J.: SPI Manifesto. European System & Software Process Improvement and Innovation (2010)

    Google Scholar 

  16. von Wangenheim, G., Hauck, J.C.R., Zoucas, A., Salviano, C.F., McCaffery, F., Shull, F.: Creating software process capability/maturity models. IEEE Softw. 27(4), 92–94 (2010)

    Article  Google Scholar 

  17. Stallinger, F., Plösch, R.: Towards methodological support for the engineering of process reference models for product software. In: Mitasiunas, A., Rout, T., O’Connor, R.V., Dorling, A. (eds.) SPICE 2014. CCIS, vol. 477, pp. 24–35. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13036-1_3

    Chapter  Google Scholar 

  18. Barafort, B., Renault, A., Picard, M., Cortina, S.: A transformation process for building PRMs and PAMs based on a collection of requirements – example with ISO/IEC 20000. In: 8th International SPICE 2008 Conference, Nuremberg (2008)

    Google Scholar 

  19. Rifaut, A., Dubois, E.: Using goal-oriented requirements engineering for improving the quality of ISO/IEC 15504 based compliance assessment frameworks. In: 16th IEEE International Requirements Engineering, RE 2008 (2008)

    Google Scholar 

  20. Cortina, S., Picard, M., Valdés, O., Renault, A.: A challenging process models development: the ITIL v3 lifecycle processes. In: The International Conference SPICE, pp. 59–66 (2010)

    Google Scholar 

  21. Barafort, B., Shrestha, A., Cortina, S., Renault, A.: A software artefact to support and automate process assessment: a case study of the evolution of the TIPA® framework. In: Computer Standards & Interfaces, vol. 60 (2018)

    Google Scholar 

  22. Renault, S., Cortina, S., Valoggia, P.: Designing a process assessment model based on multiple sources - a procurement case. In: Larrucea, X., Santamaria, I., O’Connor, R.V., Messnarz, R. (eds.) EuroSPI 2018. CCIS, vol. 896, pp. 136–146. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-97925-0_11

    Chapter  Google Scholar 

  23. Lepmets, M., Clarke, P., McCaffery, F., Dorling, A., Finnegan, A.: Development of MDevSPICE® - the medical device software process assessment framework. J. Softw.: Evol. Process 27, 565–572 (2015). (Special Issue - EuroSPI 2014)

    Google Scholar 

  24. Breaux, T.D., Vail, M.W., Antón, A.I.: Towards regulatory compliance: extracting rights and obligations to align requirements with regulations. In: Proceedings of RE 2006, Washington, DC, USA, pp. 46–55. IEEE Computer Society Press, Los Alamitos (2006)

    Google Scholar 

  25. Bhatia, J., Breaux, T.D.: Semantic incompleteness in privacy policy goals. In: 2018 IEEE 26th International Requirements Engineering Conference (RE), pp. 159–169. IEEE (2018)

    Google Scholar 

  26. The Cabinet Office. ITIL Lifecycle Publication Suite. TSO Edition (2011)

    Google Scholar 

  27. Article 29 Data Protection Working Party. Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679. WP 248 rev.01 (2017)

    Google Scholar 

  28. Article 29 Data Protection Working Party. Guidelines on Personal data breach notification under Regulation 2016/679. WP250 rev.01 (2017)

    Google Scholar 

  29. Article 29 Data Protection Working Party. Guidelines on the right to “data portability”. WP242 rev.01 (2016)

    Google Scholar 

  30. Article 29 Data Protection Working Party. Guidelines on transparency under Regulation 2016/679. WP260 rev.01 (2017)

    Google Scholar 

  31. Article 29 Data Protection Working Party. Guidelines on consent under Regulation 2016/679. WP259 rev.01 (2017)

    Google Scholar 

  32. https://www.cnil.fr/en/media. Accessed 12 Apr 2019

  33. https://cnpd.public.lu/en/professionnels/obligations.html. Accessed 12 Apr 2019

  34. ISO/IEC TR 24774: Software and systems engineering – Life cycle management – Guidelines for process description. International Organization for Standardization, Geneva (2010)

    Google Scholar 

  35. ISO/IEC: ISO/IEC 33020 Information Technology—Process assessment—Process measurement framework for assessment of process capability (2015)

    Google Scholar 

  36. ISO/IEC: ISO/IEC 33001 Information Technology—Process assessment—Concepts and terminology (2015)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Luxembourg Institute of Science and Technology, Esch-sur-Alzette, Luxembourg

    Stéphane Cortina, Philippe Valoggia, Béatrix Barafort & Alain Renault

Authors
  1. Stéphane Cortina
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Philippe Valoggia
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Béatrix Barafort
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Alain Renault
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Béatrix Barafort .

Editor information

Editors and Affiliations

  1. Lorit Consultancy, Edinburgh, UK

    Alastair Walker

  2. School of Computing, Dublin City University, Dublin, Ireland

    Rory V. O'Connor

  3. I.S.C.N. GesmbH, Graz, Austria

    Richard Messnarz

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Cortina, S., Valoggia, P., Barafort, B., Renault, A. (2019). Designing a Data Protection Process Assessment Model Based on the GDPR. In: Walker, A., O'Connor, R., Messnarz, R. (eds) Systems, Software and Services Process Improvement. EuroSPI 2019. Communications in Computer and Information Science, vol 1060. Springer, Cham. https://doi.org/10.1007/978-3-030-28005-5_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-28005-5_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-28004-8

  • Online ISBN: 978-3-030-28005-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation