A Pattern Catalog for GDPR Compliant Data Protection
Dominik Huth, 22.11.2017, PoEM Doctoral Consortium
Chair of Software Engineering for Business Information Systems (sebis)
Faculty of Informatics, Technische Universität München
wwwmatthes.in.tum.de
Digital Identities
[Figure: a person's digital identity as seen by the parties holding data about them: health applications, social networks, search engines, online retailers, authorities, financial institutions, car manufacturers, employers, mobility providers and energy providers. Data categories shown include master data, interests, diseases, education (or lack thereof), travel destinations, shopping behavior, motion profiles, habits, conditions, contacts, online behavior, pictures, credit rating, credit cards, transactions, tax records, criminal record, motion profile of car, telemetrics, payment information, location, ratings, consumption profile (smart meters), tax information and past employers.]
171122 Huth PoEM DC sebis 2
EU General Data Protection Regulation (GDPR)
GDPR key elements:
- New territorial scope, definitions
- Extended rights for data subjects: transparency, portability, objection, notification of data breach, rectification, erasure
- Principle of accountability, data protection by design and default
- Records of processing activities, data protection impact assessments
- Designation of a Data Protection Officer, certification mechanisms
- Fines of up to 4% of revenue for non-compliance
How can compliance with the GDPR be practically supported in the organization, consisting of people, processes and IT systems?
Reference: Tikkinen-Piri, C., Rohunen, A., & Markkula, J. (2017). EU General Data Protection Regulation: Changes and implications for personal data collecting companies. Computer Law and Security Review. (link)
An Enterprise Architecture Model
[Figure: layered enterprise architecture model. Layers: Business Architecture (Business Capabilities; Organization & Processes; Business Services), Applications & Databases, Infrastructure Services, Infrastructure Elements. Cross-cutting aspects: Visions & Goals, Questions & KPIs, Principles & Standards, Strategies & Projects, Legal Aspects, Security.]
Reference: Buckl, S., Ernst, A. M., Lankes, J., & Matthes, F. (2008). Enterprise Architecture Management Pattern Catalog. sebis, TU München. (link)
Existing work for GDPR compliance
- Privacy by Design
- LINDDUN Method
- Privacy Patterns (PRIPARE project)
- Privacy Engineering
- Legal advice
- (Situational) Method Engineering
[Figure: the approaches above positioned on the enterprise architecture layers Business Capabilities, Organization & Processes, Business Services, Applications & Databases, Infrastructure Services and Infrastructure Elements.]
Pattern-based theory building
Pattern-Based Design Research:
- Grounding theories
- Organized collection of reusable, practice-proven solutions
[Figure: the Pattern-Based Design Research cycle between Theory (Design Theories, Pattern Language, Pattern candidates) and Practice (Solution design, Configured design, Instantiated solution, Observations), connected by the activities guide & structure, select, configure, learn deviations and observe & conceptualize.]
Reference: Buckl, S., Matthes, F., Schneider, A. W., & Schweda, C. M. (2013). Pattern-Based Design Research: An Iterative Research Method Balancing Rigor and Relevance. In Lecture Notes in Computer Science, Vol. 7939, pp. 73-87. (link)
Research questions on the Pattern-Based Design Research cycle
[Figure: the cycle from the previous slide instantiated for this thesis. Theory side: existing work (Legal Advice, Privacy Standards & Frameworks, Method Engineering, Privacy Engineering), structured along Requirements, Stakeholders and Solutions, guides the GDPR Pattern Catalog; research questions RQ1, RQ2 and RQ5 are placed here. Practice side: GDPR project (planned) and GDPR project (executed) with their Observations; RQ3 and RQ4 are placed here. Transitions: guide & structure, select, configure, learn deviations, observe & conceptualize.]
Reference: Buckl, S., Matthes, F., Schneider, A. W., & Schweda, C. M. (2013). Pattern-Based Design Research: An Iterative Research Method Balancing Rigor and Relevance. In Lecture Notes in Computer Science, Vol. 7939, pp. 73-87. (link)
Research Question 1
RQ1: Which conceptual frameworks exist that can be instrumented to describe regulatory requirements and the design of possible solutions?
Goal:
- Literature study to structure existing work
- Possibly synthesize the knowledge in new visualizations
Questions:
- What are relevant areas to consider, in addition to what was presented in the existing work section?
- Are the areas represented correctly, or do you disagree?
Research Question 2
RQ2: What are the elementary requirements of the GDPR and how can they be modeled with the existing concepts?
Goal:
- Cooperation with a legal expert at the chair: taxonomy of requirements (rights, obligation, condition, ...)
- Visual approach for the requirements?
Questions:
- Could articles/requirements be represented using ontologies?
- Is there any process support?
Research Question 3
RQ3: How is GDPR compliance achieved in practice?
Goal:
- What is the process of adapting to a new regulation?
- Interview data protection officers from industry partners (individually and in workshops)
- Structured questionnaires to a larger audience as soon as the structure has evolved
Questions:
- Do you know of existing studies about GDPR practice?
Research Question 4
RQ4: How effective are the solutions that were identified as patterns?
Goal:
- Collect positive and negative experiences with single patterns
- Survey among industry partners / participants of the GDPR workshop
Questions:
- Does it make sense to try to judge the effectiveness of patterns?
- Is this possible when considering a range of solutions (technical, organizational, cultural, strategic)?
Research Question 5
RQ5: How are solution options interrelated with each other? Which solutions are independent, which require other actions, and which replace other solution options?
Goal:
- Dependency model of the identified solution options
Questions to the audience
- Is it too early, too late or just the right time to do this work?
- Are patterns a suitable tool to support the implementation of a new concept?
- How to structure the process of knowledge extraction from industry?
Dipl. Math.oec. Dominik Huth
Technische Universität München
Faculty of Informatics
Chair of Software Engineering for Business Information Systems
Boltzmannstraße 3, 85748 Garching bei München
Tel +49.89.289.17128
Fax +49.89.289.17136
dominik.huth@tum.de
wwwmatthes.in.tum.de