Chair of Software Engineering for Business Information Systems (sebis)
Faculty of Informatics
Technische Universität München
wwwmatthes.in.tum.de
A Pattern Catalog for GDPR Compliant Data Protection
Dominik Huth, 22.11.2017, PoEM Doctoral Consortium
Digital Identities
© sebis171122 Huth PoEM DC 2
Employer
• Master data
• Tax information
• Education
• Past employers
Energy provider
• Master data
• Consumption profile
• Smart meters…
Mobility providers
• Payment information
• Location
• Motion profile
• Ratings
Car manufacturers
• Master data
• Motion profile of car
• Telemetrics
Social networks
• Master data
• Contacts
• Interests
• Online behavior
• Pictures
Health applications
• Motion profile
• Habits
• Conditions
Search Engines
• Interests
• Diseases
• Education (or lack thereof)
• Travel destinations
• Shopping behavior
Online retailers
• Master data
• Interests
• Credit rating
• Credit cards
Authorities
• Master data
• Tax records
• Criminal record
• Credit rating
Financial institutions
• Master data
• Transactions
• Credit rating
EU General Data Protection Regulation (GDPR)
GDPR key elements
• New territorial scope, definitions,…
• Extended rights for data subjects: transparency, portability, objection, notification of data breach, rectification, erasure,…
• Principle of accountability, data protection by design and default
• Records of processing activities, data protection impact assessments
• Designation of Data Protection Officer, certification mechanisms
• Fines of up to 4% of revenue for non-compliance
Tikkinen-Piri, C., Rohunen, A., & Markkula, J. (2017). EU General Data Protection Regulation: Changes and implications for personal data collecting companies. Computer Law and Security Review.
How can compliance with the GDPR be practically supported in the organization, consisting of people, processes and IT systems?
An Enterprise Architecture Model
Business Architecture
Strategies & Projects
Principles & Standards
Business Capabilities
Organization & Processes
Business Services
Applications & Databases
Infrastructure Services
Infrastructure Elements
Visions & Goals
Questions & KPIs
Legal Aspects
Security
Buckl, S., Ernst, A. M., Lankes, J., & Matthes, F. (2008). Enterprise Architecture Management Pattern Catalog. Sebis, TU München, (February), 322.
Existing work for GDPR compliance
Business Capabilities
Organization & Processes
Business Services
Applications & Databases
Infrastructure Services
Infrastructure Elements
Privacy by Design
Privacy Engineering
Privacy Patterns (PRIPARE project)
(Situational) Method Engineering
Legal advice
LINDDUN Method
Pattern-Based Design Research
Solution design
Configured design
Instantiated solution
Observe & conceptualize
Practice
Organized collection of reusable practice-proven solutions
Grounding theories
Observations
Pattern-based theory building
Design Theories
Pattern Language
Pattern candidates
Theory
Guide & structure
select
configure
deviations
learn
Buckl, S., Matthes, F., Schneider, A. W., & Schweda, C. M. (2013). Pattern-Based Design Research – An Iterative Research Method Balancing Rigor and Relevance. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7939 LNCS, pp. 73–87).
Pattern-Based Design Research
Solution design
GDPR project (planned)
GDPR project (executed)
Observe & conceptualize
Practice
Legal Advice
Privacy Standards & Frameworks
Method Engineering
Privacy Engineering
Observations
Theory
Guide & structure
select
configure
deviations
learn
Requirements
Stakeholders
Solutions
GDPR Pattern Catalog
RQ1, RQ5, RQ4, RQ3, RQ2
Buckl, S., Matthes, F., Schneider, A. W., & Schweda, C. M. (2013). Pattern-Based Design Research – An Iterative Research Method Balancing Rigor and Relevance. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7939 LNCS, pp. 73–87).
Research Question 1
Goal:
• Literature study to structure existing work
• Possibly synthesize the knowledge in new visualizations
Questions:
• What are relevant areas to consider, in addition to what was presented in the existing work section?
• Are the areas represented correctly or do you disagree?
RQ1: Which conceptual frameworks exist that can be instrumented to describe regulatory requirements and the design of possible solutions?
Research Question 2
Goal:
• Cooperation with legal expert at the chair: Taxonomy of Requirements (rights, obligation, condition,…)
• Visual approach for the requirements?
Questions:
• Could Articles/Requirements be represented using Ontologies?
• Is there any process support?
RQ2: What are the elementary requirements of the GDPR and how can they be modeled with the existing concepts?
Research Question 3
Goal:
• What is the process of adapting to a new regulation?
• Interview data protection officers from industry partners (individual and in workshops)
• Structured questionnaires to a larger audience as soon as a structure has evolved
Questions:
• Do you know of existing studies about GDPR practice?
RQ3: How is GDPR compliance achieved in practice?
Research Question 4
Goal:
• Collect positive and negative experiences with single patterns
• Survey among industry partners / participants of the GDPR workshop
Questions:
• Does it make sense to try to judge the effectiveness of patterns?
• Is this possible when considering a range of solutions (technical, organizational, cultural, strategic)?
RQ4: How effective are the solutions that were identified as patterns?
Research Question 5
Goal:
• Dependency model of the identified solution options
RQ5: How are solution options interrelated with each other? Which solutions are independent, which require other actions, and which replace other solution options?
Questions to the audience
• Is it too early, too late or just the right time to do this work?
• Are patterns a suitable tool to support the implementation of a new concept?
• How to structure the process of knowledge extraction from industry?
Technische Universität München
Faculty of Informatics
Chair of Software Engineering for Business Information Systems
Boltzmannstraße 3
85748 Garching bei München
Tel +49.89.289.17128
Fax +49.89.289.17136
wwwmatthes.in.tum.de
Dominik Huth
Dipl. Math.oec.