Abstract
Since May 2018, private and public companies handling personal data must comply with the General Data Protection Regulation (GDPR). While many regulations are highly prescriptive in telling regulated entities and individuals what to do and how to do it, the GDPR only sets out data protection principles that must be respected in order to protect the rights and freedoms of data subjects. Complying with the GDPR therefore requires companies handling personal data to prove that appropriate technical and organisational measures have been defined and are effectively implemented to protect the privacy of natural persons. This paper describes a privacy evaluation mechanism combining a generic process assessment framework (TIPA) with a GDPR-based process assessment model. It describes the experimentation project that made it possible to verify both the correctness and completeness of the GDPR Process Model and the usefulness of performing a privacy evaluation. Finally, the paper presents the benefits perceived by the Data Protection Officers of the companies in which the process-based privacy evaluations were trialled.
Notes
1. In its recital 74, the GDPR states that: “[…] the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.”
References
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016)
Cortina, S., Renault, A., Picard, M.: TIPA process assessments: a means to improve business value of IT services. Int. J. Strat. Inf. Technol. App. (IJSITA) 4(4), 1–18 (2013). https://doi.org/10.4018/ijsita.2013100101
Barafort, B., et al.: ITSM Process Assessment Supporting ITIL: Using TIPA to Assess and Improve your Processes with ISO 15504 and Prepare for ISO 20000 Certification, vol. 217. Van Haren, Zaltbommel (ISBN: 9789087535643) (2009)
Cortina, S., Valoggia, P., Barafort, B., Renault, A.: Designing a data protection process assessment model based on the GDPR. In: Walker, A., O’Connor, R.V., Messnarz, R. (eds.) EuroSPI 2019. CCIS, vol. 1060, pp. 136–148. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-28005-5_11
Efroni, Z.: Location data as contractual counter-performance: a consumer perspective on recent EU legislation. In: Finck, M., Lamping, M., Moscon, V., Richter, H. (eds.) Smart Urban Mobility. MSIPCL, vol. 29, pp. 257–283. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-662-61920-9_13
Cottrill, C.D.: MaaS surveillance: privacy considerations in mobility as a service. Transp. Res. Part A Policy Pract. 131, 50–57 (2020). https://doi.org/10.1016/j.tra.2019.09.026
Engström, E., Storey, M.-A., Runeson, P., Höst, M., Baldassarre, M.T.: How software engineering research aligns with design science: a review. Empir. Softw. Eng. 25(4), 2630–2660 (2020). https://doi.org/10.1007/s10664-020-09818-7
Hevner, A., March, S., Park, J., Ram, S.: Design science in information systems research. MIS Q. 28(1), 75–105 (2004). https://doi.org/10.2307/25148625
May, P.J.: Regulatory regimes and accountability. Regulat. Govern. 1(1), 8–26 (2007). https://doi.org/10.1111/j.1748-5991.2007.00002.x
Decker, Ch.: Goals-Based and Rules-Based Approaches to Regulation. SSRN Scholarly Paper, ID 3717739, Social Science Research Network, 1 May 2018
CNPD: Accreditation requirements for General Data Protection Regulation (Regulation (EU) 2016/679) Certified Assurance Report based Processing Activities (‘GDPR CARPA’) certification scheme, Draft Updates, 30 July 2019
Yaqoob, I., et al.: Blockchain for Digital Twins: Recent Advances and Future Research Challenges. IEEE Netw. (2020). https://doi.org/10.1109/MNET.001.1900661
The Standard Data Protection Model: A method for Data Protection advising and controlling on the basis of uniform protection goals. Version 2.0b, adopted by the 99th Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder on 17 April 2020. https://www.datenschutzzentrum.de/uploads/sdm/SDM-Methodology_V2.0b.pdf
Hoepman, J.-H.: Privacy design strategies. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abbou El Kalam, A., Sans, T. (eds.) SEC 2014. IAICT, vol. 428, pp. 446–459. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55415-5_38
Spiekermann, S., Cranor, L.F.: Engineering privacy. IEEE Trans. Softw. Eng. 35(1), 67–82 (2009). https://doi.org/10.1109/TSE.2008.88
ISO/IEC: ISO/IEC 330xx Information Technology - Process Assessment (2013, 2017)
Colesky, M., et al.: A critical analysis of privacy design strategies. In: 2016 IEEE Security and Privacy Workshops (SPW), pp. 33–40 (2016). https://doi.org/10.1109/SPW.2016.23
CNIL – PIA (https://www.cnil.fr/fr/outil-pia-telechargez-et-installez-le-logiciel-de-la-cnil)
Ferra, F., Wagner, I., Boiten, E., Hadlington, L., Psychoula, I., Snape, R.: Challenges in assessing privacy impact: tales from the front lines. Secur. Priv. 3, e101 (2020). https://doi.org/10.1002/spy2.101
Alshammari, M., Simpson, A.C.: Towards an Effective PIA−Based Risk Analysis: An Approach for Analysing Potential Privacy Risks (2018)
EDPB: Opinion 3/2010 on the principle of accountability (2010). Adopted on 13 July 2010
Hashmi, M., Governatori, G., Lam, H.P., Wynn, M.T.: Are we done with business process compliance: state of the art and challenges ahead. Knowl. Inf. Syst. 57, 79–133 (2018)
ISO/IEC: ISO/IEC 33004 Information Technology — Process assessment — Requirements for process reference, process assessment and maturity models (2015)
Barafort, B., Renault, A., Picard, M., Cortina, S.: A Transformation Process for Building PRMs and PAMs based on a Collection of Requirements – Example with ISO/IEC 20000. In: 8th International SPICE 2008 Conference, Nuremberg (2008)
Pries-Heje, J., Johansen, J.: SPI Manifesto. European System & Software Process Improvement and Innovation (2010)
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Cortina, S., Picard, M., Renault, S., Valoggia, P. (2021). Towards a Process-Based Approach to Compliance with GDPR. In: Yilmaz, M., Clarke, P., Messnarz, R., Reiner, M. (eds) Systems, Software and Services Process Improvement. EuroSPI 2021. Communications in Computer and Information Science, vol 1442. Springer, Cham. https://doi.org/10.1007/978-3-030-85521-5_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-85520-8
Online ISBN: 978-3-030-85521-5