A4 Refereed article in a conference publication
The General Data Protection Regulation: Requirements, Architectures, and Constraints
Authors: Kalle Hjerppe, Jukka Ruohonen, Ville Leppänen
Editors: Daniela E. Damian, Anna Perini, Seok-Won Lee
Conference name: IEEE International Requirements Engineering Conference
Publication year: 2019
Journal: International Requirements Engineering Conference. Proceedings
Book title : Proceedings of 27th IEEE International Requirements Engineering Conference, RE 2019
Series title: International Requirements Engineering Conference. Proceedings
Number in series: 27
First page : 265
Last page: 275
Number of pages: 11
ISBN: 978-1-7281-3913-5
ISSN: 1090-705X
DOI: https://doi.org/10.1109/RE.2019.00036
Web address : https://ieeexplore.ieee.org/document/8920529
Self-archived copy’s web address: https://arxiv.org/abs/1907.07498
The General Data Protection Regulation (GDPR) in the European Union is the
most famous recently enacted privacy regulation. Despite of the regulation's
legal, political, and technological ramifications, relatively little research
has been carried out for better understanding the GDPR's practical implications
for requirements engineering and software architectures. Building on a grounded
theory approach with close ties to the Finnish software industry, this paper
contributes to the sealing of this gap in previous research. Three questions
are asked and answered in the context of software development organizations.
First, the paper elaborates nine practical constraints under which many small
and medium-sized enterprises (SMEs) often operate when implementing solutions
that address the new regulatory demands. Second, the paper elicits nine
regulatory requirements from the GDPR for software architectures. Third, the
paper presents an implementation for a software architecture that complies both
with the requirements elicited and the constraints elaborated.