GDPR compliance via software evolution: Weaving security controls in software design

Research output: Contribution to journalArticlepeer-review

Abstract

Software should comply with international privacy laws, like the General Data Protection Regulation (GDPR). However, implementing appropriate technical controls is often an error-prone and time-consuming process. This is partly due to the limited knowledge of software engineers about privacy and security. This paper proposes SoCo, a semi-automated approach to support organizations in achieving software compliance with the GDPR data protection principles. To do so, SoCo supports engineers in identifying and integrating appropriate technical controls in sequence diagrams during the design phase. SoCo includes a technique to assist engineers to identify data processing activities in software applications modeled as sequence diagrams that may need to comply with the GDPR, a catalog of privacy and security controls that engineers can use to fix non-compliant activities, and a technique to implement such controls in the non-compliant sequence diagrams. Our evaluation results show that SoCo can help software engineers identify and design appropriate security controls to address GDPR violations and required moderate manual effort when applied to a substantive open-source application.
Original languageEnglish
Article number112144
JournalJournal of Systems and Software
Volume216
DOIs
Publication statusPublished - Oct 2024

Keywords

  • GDPR
  • Privacy and security
  • Software design
  • Software evolution
  • Data protection
  • Compliance

Fingerprint

Dive into the research topics of 'GDPR compliance via software evolution: Weaving security controls in software design'. Together they form a unique fingerprint.

Cite this