Using an Enterprise Architecture Model for GDPR Compliance Principles

  • Gaëlle Blanco-Lainé
  • Jean-Sébastien Sottet (corresponding author)
  • Sophie Dupuy-Chessa
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 369)

Abstract

Nowadays, every enterprise must take the applicable legal frameworks into account at all levels of its organization. Over the past two years, the focus has been on the GDPR. This regulation on personal data and the activities that process it affects how the enterprise information system is viewed. In order to identify these impacts, an approach is needed that reconciles the regulatory and business points of view. Our proposal is to use an enterprise architecture modeling approach to integrate regulatory concerns. This article describes a high-level ArchiMate model for implementing a GDPR compliance approach.

Keywords

GDPR, Enterprise architecture, Regulation and compliance, Privacy, Model

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  • Gaëlle Blanco-Lainé (1)
  • Jean-Sébastien Sottet (2), corresponding author
  • Sophie Dupuy-Chessa (3)

  1. Univ. Grenoble Alpes, IUT2, Grenoble, France
  2. LIST, 5, Avenue des Hauts-Fourneaux, Esch-Sur-Alzette, Luxembourg
  3. Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG, Grenoble, France