The grace period has ended: An approach to operationalize GDPR requirements

Vanessa Ayala-Rivera; Liliana Pasquale

doi:10.1109/RE.2018.00023

The grace period has ended: An approach to operationalize GDPR requirements

Vanessa Ayala-Rivera
, Liliana Pasquale

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

The General Data Protection Regulation (GDPR) aims to protect personal data of EU residents and can impose severe sanctions for non-compliance. Organizations are currently implementing various measures to ensure their software systems fulfill GDPR obligations such as identifying a legal basis for data processing or enforcing data anonymization. However, as regulations are formulated vaguely, it is difficult for practitioners to extract and operationalize legal requirements from the GDPR. This paper aims to help organizations understand the data protection obligations imposed by the GDPR and identify measures to ensure compliance. To achieve this goal, we propose GuideMe, a 6-step systematic approach that supports elicitation of solution requirements that link GDPR data protection obligations with the privacy controls that fulfill these obligations and that should be implemented in an organization's software system. We illustrate and evaluate our approach using an example of a university information system. Our results demonstrate that the solution requirements elicited using our approach are aligned with the recommendations of privacy experts and are expressed correctly.

Original language	English
Title of host publication	Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018
Editors	Daniel Amyot, Walid Maalej, Guenther Ruhe
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	136-146
Number of pages	11
ISBN (Electronic)	9781538674185
DOIs	https://doi.org/10.1109/RE.2018.00023
Publication status	Published - 12 Oct 2018
Externally published	Yes
Event	26th IEEE International Requirements Engineering Conference, RE 2018 - Banff, Canada Duration: 20 Aug 2018 → 24 Aug 2018

Publication series

Name	Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018

Conference

Conference	26th IEEE International Requirements Engineering Conference, RE 2018
Country/Territory	Canada
City	Banff
Period	20/08/18 → 24/08/18

Keywords

Compliance
GDPR
Privacy
Requirements

Access to Document

10.1109/RE.2018.00023

Cite this

Ayala-Rivera, V., & Pasquale, L. (2018). The grace period has ended: An approach to operationalize GDPR requirements. In D. Amyot, W. Maalej, & G. Ruhe (Eds.), Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018 (pp. 136-146). Article 8491130 (Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/RE.2018.00023

Ayala-Rivera, Vanessa ; Pasquale, Liliana. / The grace period has ended : An approach to operationalize GDPR requirements. Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018. editor / Daniel Amyot ; Walid Maalej ; Guenther Ruhe. Institute of Electrical and Electronics Engineers Inc., 2018. pp. 136-146 (Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018).

@inproceedings{125a4469e97d4aebabd05adaeef5e59c,

title = "The grace period has ended: An approach to operationalize GDPR requirements",

abstract = "The General Data Protection Regulation (GDPR) aims to protect personal data of EU residents and can impose severe sanctions for non-compliance. Organizations are currently implementing various measures to ensure their software systems fulfill GDPR obligations such as identifying a legal basis for data processing or enforcing data anonymization. However, as regulations are formulated vaguely, it is difficult for practitioners to extract and operationalize legal requirements from the GDPR. This paper aims to help organizations understand the data protection obligations imposed by the GDPR and identify measures to ensure compliance. To achieve this goal, we propose GuideMe, a 6-step systematic approach that supports elicitation of solution requirements that link GDPR data protection obligations with the privacy controls that fulfill these obligations and that should be implemented in an organization's software system. We illustrate and evaluate our approach using an example of a university information system. Our results demonstrate that the solution requirements elicited using our approach are aligned with the recommendations of privacy experts and are expressed correctly.",

keywords = "Compliance, GDPR, Privacy, Requirements",

author = "Vanessa Ayala-Rivera and Liliana Pasquale",

note = "Publisher Copyright: {\textcopyright} 2018 IEEE.; 26th IEEE International Requirements Engineering Conference, RE 2018 ; Conference date: 20-08-2018 Through 24-08-2018",

year = "2018",

month = oct,

day = "12",

doi = "10.1109/RE.2018.00023",

language = "English",

series = "Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "136--146",

editor = "Daniel Amyot and Walid Maalej and Guenther Ruhe",

booktitle = "Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018",

address = "United States",

}

Ayala-Rivera, V & Pasquale, L 2018, The grace period has ended: An approach to operationalize GDPR requirements. in D Amyot, W Maalej & G Ruhe (eds), Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018., 8491130, Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018, Institute of Electrical and Electronics Engineers Inc., pp. 136-146, 26th IEEE International Requirements Engineering Conference, RE 2018, Banff, Canada, 20/08/18. https://doi.org/10.1109/RE.2018.00023

The grace period has ended: An approach to operationalize GDPR requirements. / Ayala-Rivera, Vanessa; Pasquale, Liliana.
Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018. ed. / Daniel Amyot; Walid Maalej; Guenther Ruhe. Institute of Electrical and Electronics Engineers Inc., 2018. p. 136-146 8491130 (Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - The grace period has ended

T2 - 26th IEEE International Requirements Engineering Conference, RE 2018

AU - Ayala-Rivera, Vanessa

AU - Pasquale, Liliana

PY - 2018/10/12

Y1 - 2018/10/12

N2 - The General Data Protection Regulation (GDPR) aims to protect personal data of EU residents and can impose severe sanctions for non-compliance. Organizations are currently implementing various measures to ensure their software systems fulfill GDPR obligations such as identifying a legal basis for data processing or enforcing data anonymization. However, as regulations are formulated vaguely, it is difficult for practitioners to extract and operationalize legal requirements from the GDPR. This paper aims to help organizations understand the data protection obligations imposed by the GDPR and identify measures to ensure compliance. To achieve this goal, we propose GuideMe, a 6-step systematic approach that supports elicitation of solution requirements that link GDPR data protection obligations with the privacy controls that fulfill these obligations and that should be implemented in an organization's software system. We illustrate and evaluate our approach using an example of a university information system. Our results demonstrate that the solution requirements elicited using our approach are aligned with the recommendations of privacy experts and are expressed correctly.

AB - The General Data Protection Regulation (GDPR) aims to protect personal data of EU residents and can impose severe sanctions for non-compliance. Organizations are currently implementing various measures to ensure their software systems fulfill GDPR obligations such as identifying a legal basis for data processing or enforcing data anonymization. However, as regulations are formulated vaguely, it is difficult for practitioners to extract and operationalize legal requirements from the GDPR. This paper aims to help organizations understand the data protection obligations imposed by the GDPR and identify measures to ensure compliance. To achieve this goal, we propose GuideMe, a 6-step systematic approach that supports elicitation of solution requirements that link GDPR data protection obligations with the privacy controls that fulfill these obligations and that should be implemented in an organization's software system. We illustrate and evaluate our approach using an example of a university information system. Our results demonstrate that the solution requirements elicited using our approach are aligned with the recommendations of privacy experts and are expressed correctly.

KW - Compliance

KW - GDPR

KW - Privacy

KW - Requirements

UR - https://www.scopus.com/pages/publications/85056855104

U2 - 10.1109/RE.2018.00023

DO - 10.1109/RE.2018.00023

M3 - Conference contribution

AN - SCOPUS:85056855104

T3 - Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018

SP - 136

EP - 146

BT - Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018

A2 - Amyot, Daniel

A2 - Maalej, Walid

A2 - Ruhe, Guenther

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 20 August 2018 through 24 August 2018

ER -

Ayala-Rivera V, Pasquale L. The grace period has ended: An approach to operationalize GDPR requirements. In Amyot D, Maalej W, Ruhe G, editors, Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018. Institute of Electrical and Electronics Engineers Inc. 2018. p. 136-146. 8491130. (Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018). doi: 10.1109/RE.2018.00023

The grace period has ended: An approach to operationalize GDPR requirements

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this