Chair of Software Engineering for Business Information Systems (sebis) Faculty of Informatics Technische Universität München wwwmatthes.in.tum.de A Pattern Catalog for GDPR Compliant Data Protection Dominik Huth, 22.11.2017, PoEM Doctoral Consortium


Digital Identities

Employer
• Master data
• Tax information
• Education
• Past employers

Energy provider
• Master data
• Consumption profile
• Smart meters…

Mobility providers
• Payment information
• Location
• Motion profile
• Ratings

Car manufacturers
• Master data
• Motion profile of car
• Telemetrics

Social networks
• Master data
• Contacts
• Interests
• Online behavior
• Pictures

Health applications
• Motion profile
• Habits
• Conditions

Search Engines
• Interests
• Diseases
• Education (or lack thereof)
• Travel destinations
• Shopping behavior

Online retailers
• Master data
• Interests
• Credit rating
• Credit cards

Authorities
• Master data
• Tax records
• Criminal record
• Credit rating

Financial institutions
• Master data
• Transactions
• Credit rating

© sebis171122 Huth PoEM DC 2

EU General Data Protection Regulation (GDPR)

GDPR key elements

• New territorial scope, definitions,…

• Extended rights for data subjects: transparency, portability, objection, notification of data breach, rectification, erasure,…

• Principle of accountability, data protection by design and default

• Records of processing activities, data protection impact assessments

• Designation of Data Protection Officer, certification mechanisms

• Fines of up to 4% of revenue for non-compliance

Tikkinen-Piri, C., Rohunen, A., & Markkula, J. (2017). EU General Data Protection Regulation: Changes and implications for personal data collecting companies. Computer Law and Security Review.

How can compliance with the GDPR be practically supported in the organization, consisting of people, processes and IT systems?

An Enterprise Architecture Model

[Figure: enterprise architecture model. Layers: Business Capabilities, Organization & Processes, Business Services, Applications & Databases, Infrastructure Services, Infrastructure Elements. Further labels: Business Architecture, Strategies & Projects, Principles & Standards, Visions & Goals, Questions & KPIs, Legal Aspects, Security.]

Buckl, S., Ernst, A. M., Lankes, J., & Matthes, F. (2008). Enterprise Architecture Management Pattern Catalog. Sebis, TU München, (February), 322.

Existing work for GDPR compliance

[Figure: existing work placed against the enterprise architecture layers (Business Capabilities, Organization & Processes, Business Services, Applications & Databases, Infrastructure Services, Infrastructure Elements). Labels: Privacy by Design, Privacy Engineering, Privacy Patterns (PRIPARE project), (Situational) Method Engineering, Legal advice, LINDDUN Method.]

Pattern-Based Design Research

[Figure: pattern-based design research cycle. Labels: Theory, Grounding theories, Design Theories, Pattern-based theory building, Pattern Language, Pattern candidates, Organized collection of reusable practice-proven solutions, Guide & structure, Observe & conceptualize, Practice, Observations, Solution design, Configured design, Instantiated solution, select, configure, deviations, learn.]

Buckl, S., Matthes, F., Schneider, A. W., & Schweda, C. M. (2013). Pattern-Based Design Research – An Iterative Research Method Balancing Rigor and Relevance. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7939 LNCS, pp. 73–87).

Pattern-Based Design Research

[Figure: the pattern-based design research cycle applied to the GDPR Pattern Catalog, with RQ1 to RQ5 marked. Labels: Theory, Legal Advice, Privacy Standards & Frameworks, Method Engineering, Privacy Engineering, GDPR Pattern Catalog (Requirements, Stakeholders, Solutions), Guide & structure, Observe & conceptualize, Practice, Observations, Solution design, GDPR project (planned), GDPR project (executed), select, configure, deviations, learn.]

Buckl et al. (2013).

Research Question 1

RQ1: Which conceptual frameworks exist that can be instrumented to describe regulatory requirements and the design of possible solutions?

Goal:

• Literature study to structure existing work

• Possibly synthesize the knowledge in new visualizations

Questions:

• What are relevant areas to consider, in addition to what was presented in the existing work section?

• Are the areas represented correctly or do you disagree?

Research Question 2

RQ2: What are the elementary requirements of the GDPR and how can they be modeled with the existing concepts?

Goal:

• Cooperation with a legal expert at the chair: Taxonomy of Requirements (rights, obligation, condition,…)

• Visual approach for the requirements?

Questions:

• Could Articles/Requirements be represented using Ontologies?

• Is there any process support?

Research Question 3

RQ3: How is GDPR compliance achieved in practice?

Goal:

• What is the process of adapting to a new regulation?

• Interview data protection officers from industry partners (individually and in workshops)

• Structured questionnaires to a larger audience as soon as a structure has evolved

Questions:

• Do you know of existing studies about GDPR practice?

Research Question 4

RQ4: How effective are the solutions that were identified as patterns?

Goal:

• Collect positive and negative experiences with single patterns

• Survey among industry partners / participants of the GDPR workshop

Questions:

• Does it make sense to try to judge the effectiveness of patterns?

• Is this possible when considering a range of solutions (technical, organizational, cultural, strategic)?

Research Question 5

RQ5: How are solution options interrelated with each other? Which solutions are independent, which require other actions, and which replace other solution options?

Goal:

• Dependency model of the identified solution options

Pattern-Based Design Research

[Figure repeated: the pattern-based design research cycle applied to the GDPR Pattern Catalog (Requirements, Stakeholders, Solutions), with RQ1 to RQ5 marked.]

Buckl et al. (2013).


Questions to the audience

• Is it too early, too late or just the right time to do this work?

• Are patterns a suitable tool to support the implementation of a new concept?

• How to structure the process of knowledge extraction from industry?


Technische Universität München
Faculty of Informatics
Chair of Software Engineering for Business Information Systems
Boltzmannstraße 3
85748 Garching bei München

Tel +49.89.289.
Fax +49.89.289.17136
wwwmatthes.in.tum.de

Dominik Huth
Dipl. Math.oec.
17128