TY - JOUR
T1 - GDPR compliance via software evolution: Weaving security controls in software design
AU - Ayala-Rivera, Vanessa
AU - Portillo-Dominguez, A. Omar
AU - Pasquale, Liliana
N1 - Publisher Copyright:
© 2024 The Author(s)
PY - 2024/10
Y1 - 2024/10
N2 - Software should comply with international privacy laws, like the General Data Protection Regulation (GDPR). However, implementing appropriate technical controls is often an error-prone and time-consuming process. This is partly due to the limited knowledge of software engineers about privacy and security. This paper proposes SoCo, a semi-automated approach to support organizations in achieving software compliance with the GDPR data protection principles. To do so, SoCo supports engineers in identifying and integrating appropriate technical controls in sequence diagrams during the design phase. SoCo includes a technique to assist engineers to identify data processing activities in software applications modeled as sequence diagrams that may need to comply with the GDPR, a catalog of privacy and security controls that engineers can use to fix non-compliant activities, and a technique to implement such controls in the non-compliant sequence diagrams. Our evaluation results show that SoCo can help software engineers identify and design appropriate security controls to address GDPR violations and required moderate manual effort when applied to a substantive open-source application.
AB - Software should comply with international privacy laws, like the General Data Protection Regulation (GDPR). However, implementing appropriate technical controls is often an error-prone and time-consuming process. This is partly due to the limited knowledge of software engineers about privacy and security. This paper proposes SoCo, a semi-automated approach to support organizations in achieving software compliance with the GDPR data protection principles. To do so, SoCo supports engineers in identifying and integrating appropriate technical controls in sequence diagrams during the design phase. SoCo includes a technique to assist engineers to identify data processing activities in software applications modeled as sequence diagrams that may need to comply with the GDPR, a catalog of privacy and security controls that engineers can use to fix non-compliant activities, and a technique to implement such controls in the non-compliant sequence diagrams. Our evaluation results show that SoCo can help software engineers identify and design appropriate security controls to address GDPR violations and required moderate manual effort when applied to a substantive open-source application.
KW - GDPR
KW - Privacy and security
KW - Software design
KW - Software evolution
KW - Data protection
KW - Compliance
UR - http://www.scopus.com/inward/record.url?scp=85197495577&partnerID=8YFLogxK
U2 - 10.1016/j.jss.2024.112144
DO - 10.1016/j.jss.2024.112144
M3 - Article
VL - 216
JO - Journal of Systems and Software
JF - Journal of Systems and Software
M1 - 112144
ER -