TY - GEN
T1 - A Model-based Conceptualization of Requirements for Compliance Checking of Data Processing against GDPR
AU - Amaral, Orlando
AU - Abualhaija, Sallam
AU - Sabetzadeh, Mehrdad
AU - Briand, Lionel
N1 - Publisher Copyright: © 2021 IEEE.
PY - 2021/9
Y1 - 2021/9
N2 - The General Data Protection Regulation (GDPR) has been recently introduced to harmonize the different data privacy laws across Europe. Whether inside the EU or outside, organizations have to comply with the GDPR as long as they handle personal data of EU residents. The organizations with whom personal data is shared are referred to as data controllers. When controllers subcontract certain services that involve processing personal data to service providers (also known as data processors), then a data processing agreement (DPA) has to be issued. This agreement regulates the relationship between the controllers and processors and also ensures the protection of individuals' personal data. Compliance with the GDPR is challenging for organizations since it is large and relies on complex legal concepts. In this paper, we draw on model-driven engineering to build a machine-analyzable conceptual model that characterizes DPA-related requirements in the GDPR. Further, we create a set of criteria for checking the compliance of a given DPA against the GDPR and discuss how our work in this paper can be adapted to develop an automated compliance checking solution.
KW - Conceptual Modeling
KW - Data Processing Agreements
KW - General Data Protection Regulation (GDPR)
KW - Qualitative Research
KW - Regulatory Compliance
UR - http://www.scopus.com/inward/record.url?scp=85118465415&partnerID=8YFLogxK
U2 - 10.1109/REW53955.2021.00009
DO - 10.1109/REW53955.2021.00009
M3 - Conference contribution
AN - SCOPUS:85118465415
T3 - Proceedings of the IEEE International Conference on Requirements Engineering
SP - 16
EP - 20
BT - Proceedings - 29th IEEE International Requirements Engineering Conference Workshops, REW 2021
A2 - Yue, Tao
A2 - Mirakhorli, Mehdi
PB - IEEE Computer Society
T2 - 29th IEEE International Requirements Engineering Conference Workshops, REW 2021
Y2 - 20 September 2021 through 24 September 2021
ER -