Towards evaluating GDPR compliance in IoT applications

https://doi.org/10.1016/j.procs.2020.09.204
Open access, under a Creative Commons license

Abstract

The General Data Protection Regulation (GDPR) regulates how organizations that collect personal data process and protect it. When personal data is handled digitally, GDPR compliance must be demonstrated by analyzing the actions a system takes to gather, process and safeguard the data. We advocate that compliance be considered in the design phase of the system, by analyzing the dependencies between system entities (e.g. personal data, users) and the processes enacted upon them. From this analysis it is possible to generate a series of data reports that regulators can assess when inspecting the system for GDPR compliance. There cannot, however, be a single universal methodology that covers all application domains and systems. As a proof of concept, we apply the methodology to a remote patient monitoring service that runs in the cloud.
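The abstract describes the idea at a high level: model the system's entities and the processes that act on them as a graph, then derive reports a regulator can assess. The following is an added illustration written for this page; it is not the paper's methodology or any code from the authors. It models a small remote patient monitoring service as a property graph (node labels such as PersonalData, Process, Purpose and Store, and edge types such as PROCESSES, FOR_PURPOSE and STORES_IN, are assumptions made here), and runs two report queries over it: one that flags design-time gaps (no recorded lawful basis, special-category health data without an Article 9 exception, storage outside the EEA without a transfer safeguard, no retention period, unencrypted storage) and one that produces a per-subject view of which data is processed, for what purpose and where. The sample graph and the mapping of findings to GDPR articles are constructed for illustration.

```python
# Added illustration for this page, not code from the paper. Node labels,
# edge types, property names and the sample RPM graph are all assumptions.
from collections import defaultdict

EEA = {"EU", "IS", "LI", "NO"}  # regions treated as inside the EEA (simplified)


class PropertyGraph:
    """Labelled nodes with properties and typed, directed edges with properties."""

    def __init__(self):
        self.nodes = {}                 # node_id -> {"label": str, **props}
        self.out = defaultdict(list)    # src -> [(edge_type, dst, props)]
        self.inc = defaultdict(list)    # dst -> [(edge_type, src, props)]

    def add_node(self, node_id, label, **props):
        self.nodes[node_id] = {"label": label, **props}

    def add_edge(self, src, edge_type, dst, **props):
        assert src in self.nodes and dst in self.nodes, (src, dst)
        self.out[src].append((edge_type, dst, props))
        self.inc[dst].append((edge_type, src, props))

    def targets(self, node_id, edge_type):
        return [d for t, d, _ in self.out[node_id] if t == edge_type]

    def sources(self, node_id, edge_type):
        return [s for t, s, _ in self.inc[node_id] if t == edge_type]

    def by_label(self, label):
        return [n for n, p in self.nodes.items() if p["label"] == label]


def build_rpm_graph():
    """Constructed sample: one patient, two data items, three processes, two stores."""
    g = PropertyGraph()
    g.add_node("patient", "DataSubject")
    g.add_node("heart_rate", "PersonalData", category="health", special=True)
    g.add_node("home_address", "PersonalData", category="contact", special=False)
    # Illustrative article references only; the basis a real purpose relies on is a legal question.
    g.add_node("care", "Purpose", lawful_basis="Art.6(1)(a)", art9_exception="Art.9(2)(h)")
    g.add_node("marketing", "Purpose", lawful_basis="Art.6(1)(f)")   # no Art. 9 exception recorded
    g.add_node("eu_db", "Store", region="EU", encrypted=True, retention_days=3650)
    g.add_node("us_bucket", "Store", region="US", encrypted=False)   # no retention, no safeguard
    for proc in ("collect_vitals", "anomaly_detection", "outreach"):
        g.add_node(proc, "Process")
    for d in ("heart_rate", "home_address"):
        g.add_edge(d, "CONCERNS", "patient")
    g.add_edge("collect_vitals", "PROCESSES", "heart_rate")
    g.add_edge("collect_vitals", "FOR_PURPOSE", "care")
    g.add_edge("collect_vitals", "STORES_IN", "eu_db")
    g.add_edge("anomaly_detection", "PROCESSES", "heart_rate")
    g.add_edge("anomaly_detection", "FOR_PURPOSE", "care")
    g.add_edge("anomaly_detection", "STORES_IN", "us_bucket")
    g.add_edge("outreach", "PROCESSES", "home_address")
    g.add_edge("outreach", "PROCESSES", "heart_rate")
    g.add_edge("outreach", "FOR_PURPOSE", "marketing")
    g.add_edge("outreach", "STORES_IN", "eu_db")
    return g


def report_findings(g):
    """Walk Process -> PersonalData / Purpose / Store edges and flag design-time gaps."""
    findings = []
    for proc in g.by_label("Process"):
        data = g.targets(proc, "PROCESSES")
        purposes = [g.nodes[p] for p in g.targets(proc, "FOR_PURPOSE")]
        if not purposes or any("lawful_basis" not in p for p in purposes):
            findings.append((proc, "no lawful basis recorded (Art. 6)"))
        if any(g.nodes[d].get("special") for d in data) and \
                not any("art9_exception" in p for p in purposes):
            findings.append((proc, "special-category data without Art. 9 exception"))
        for s in g.targets(proc, "STORES_IN"):
            st = g.nodes[s]
            if st["region"] not in EEA and "transfer_safeguard" not in st:
                findings.append((proc, f"transfer to {s} outside EEA without safeguard (Ch. V)"))
            if "retention_days" not in st:
                findings.append((proc, f"no retention period for data in {s} (Art. 5(1)(e))"))
            if not st.get("encrypted"):
                findings.append((proc, f"{s} holds personal data unencrypted (Art. 32)"))
    return findings


def subject_access_report(g, subject):
    """Per-subject view: each datum about the subject, the process using it, its purposes and stores."""
    rows = []
    for d in g.sources(subject, "CONCERNS"):
        for proc in g.sources(d, "PROCESSES"):
            rows.append((d, proc, tuple(g.targets(proc, "FOR_PURPOSE")), tuple(g.targets(proc, "STORES_IN"))))
    return sorted(rows)


if __name__ == "__main__":
    graph = build_rpm_graph()
    for proc, issue in report_findings(graph):
        print(f"{proc}: {issue}")
    for row in subject_access_report(graph, "patient"):
        print(row)
```

On the sample graph the findings report flags the anomaly detection process three times (non-EEA store without a safeguard, no retention period, unencrypted storage) and the outreach process once (health data processed for a purpose with no Article 9 exception), while the vitals collection path is clean. The point of running such queries at design time is that each finding is traceable to a specific edge in the dependency graph, so the fix (add a safeguard property, set a retention period, drop the health datum from the marketing path) is equally specific.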

Keywords

GDPR
Data protection
IoT
Property graph
