Abstract
We identify 74 generic, reusable technical requirements based on the GDPR that can be applied to software products which process personal data. The requirements can be traced to corresponding articles and recitals of the GDPR and fulfill the key principles of lawfulness and transparency. Therefore, we present an approach to requirements engineering with regard to developing legally compliant software that satisfies the principles of privacy by design, privacy by default as well as security by design.
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Ringmann, S.D., Langweg, H., Waldvogel, M. (2018). Requirements for Legally Compliant Software Based on the GDPR. In: Panetto, H., Debruyne, C., Proper, H., Ardagna, C., Roman, D., Meersman, R. (eds) On the Move to Meaningful Internet Systems. OTM 2018 Conferences. OTM 2018. Lecture Notes in Computer Science, vol 11230. Springer, Cham. https://doi.org/10.1007/978-3-030-02671-4_15
DOI: https://doi.org/10.1007/978-3-030-02671-4_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-02670-7
Online ISBN: 978-3-030-02671-4
eBook Packages: Computer Science, Computer Science (R0)