Abstract
Companies face a growing number of regulations, including the General Data Protection Regulation (GDPR). They must take appropriate technical and organisational measures to meet the GDPR and implement them effectively. To support this, and to support the demonstration of compliance, a process assessment model based on the GDPR is proposed. This paper describes how the process model was engineered: from semantic annotation of the GDPR text, to identification of rights and obligations, to elicitation of processes and description of their main components (purpose and outcomes). Additional document sources were used to formulate process assessment indicators.
© 2019 Springer Nature Switzerland AG
Cite this paper
Cortina, S., Valoggia, P., Barafort, B., Renault, A. (2019). Designing a Data Protection Process Assessment Model Based on the GDPR. In: Walker, A., O'Connor, R., Messnarz, R. (eds) Systems, Software and Services Process Improvement. EuroSPI 2019. Communications in Computer and Information Science, vol 1060. Springer, Cham. https://doi.org/10.1007/978-3-030-28005-5_11
DOI: https://doi.org/10.1007/978-3-030-28005-5_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-28004-8
Online ISBN: 978-3-030-28005-5