Developing an IT system that processes personal data requires a systematic and collaborative approach in defining the system requirements in general, and in particular, the privacy and data protection aspects because such systems need to be compliant with certain legal rules. In the EU, for example, processing personal data through any information system requires compliance with the General Data Protection Regulation (GDPR) and other applicable specific instruments that seek to protect the privacy of the data subjects and the security of the data. Personal data, according to Article 4 (1) of the GDPR, means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This definition is broad and covers several instances – in this respect, it becomes imperative to fulfil all the rules and principles of data processing as prescribed by the GDPR. In particular, the safeguards and measures that ensure that those requirements are implemented throughout the lifecycle of the data need to be baked into the system design. This concept is known as privacy or data protection by design and by default (P/DPbD)[1]. Over the years, several approaches and methodologies have been relied upon in identifying and specifying data protection requirements, as well as for implementing data protection by design and by default.
Approaches to requirements identification and specification
Privacy and data protection requirements emanate from several sources. These include regulatory, industrial and user/stakeholders’ needs. Apart from the GDPR, several other instruments of specific application impose privacy and data protection-related requirements. In addition, industrial standards are relevant for extracting requirements relating to privacy and data protection. System developers are thus expected to analyse the specific environment that their system will operate and identify specific regulations that apply to such environment to extract these requirements. In the smashHit project, for example, part of the tools developed in the project aims to address data subjects’ consent management within the automobile ecosystem, involving stakeholders such as data subjects, auto manufacturers, insurance, and others. Given the involvement of personal data, the project’s legal requirements stem from the GDPR and other relevant sources within this ecosystem.
Identifying privacy and data protection requirements require a systematic and multi-disciplinary approach. Generally, this involves several consultations with the relevant stakeholders to extract the needs of each stakeholder. In cases where there are defined project proposals, such documents provide valuable information and should be consulted during the requirements identification. For example, EU projects Grant Agreements contain various requirements, including privacy and data protection requirements. When the initial requirements are collected, there is also a need to analyse them thoroughly and collaboratively. Depending on the outcome, further consultations could be organised to agree on differences and obtain relevant feedback.
Translating data protection requirements into executable actions: the value of TOMs
Having defined the privacy and data protection requirements from multiple sources, the next step is to ensure that these requirements are executed in the system’s architectural design. Adopting a P/DPbD strategy is vital at this stage of the process. A key instrument in system development according to the principles of P/DPbD is the implementation of “appropriate technical and organisational measures which are designed to implement data-protection principles […] in an effective manner and to integrate the necessary safeguards into the processing in order to […] protect the rights of data subjects” (Art. 25 (1) GDPR).
To translate these privacy and data protection requirements into executable actions, smashHit utilised the Data Protection Management Process according to the Standard Data Protection Model (SDM)[2]. The SDM is a systematic approach to implement GDPR requirements in practice and has been acknowledged by the supervisory authorities. It uses “protection goals” to systematise the data protection requirements. This approach allows the project to identify specific technical and organisational measures (TOMs) or privacy-enhancing technologies (PET) to be implemented to mitigate the identified risks associated with the proposed data processing, or to keep the risks on an acceptable level. Concretely, the SDM first records the legal requirements of the GDPR and then assigns them to the following protection goals:
- Data Minimisation (Art. 5 para. 1 lit. c GDPR);
- Availability;
- Integrity (Art. 5 para. 1 lit. f GDPR, Art. 32 para. 1 lit. b GDPR);
- Confidentiality (Art. 5 para. 1 lit. f GDPR, Art. 32 para. 1 lit. b GDPR);
- Transparency (Art. 5 para. 1 lit. a GDPR);
- Unlinkability (Art. 5 para. 1 lit. b GDPR) and
- Intervenability [3].
Each protection goal has its scope and purpose. In addition, there is the protection goal of “Resilience” which aims at sufficient preparation of systems and processes for events that cause disruptions to regular processes. In addition, it is essential to note the impact of the system’s interaction with other external systems and point out the privacy implications and requirements for the external system. This is necessary for maintaining end-to-end protection. Furthermore, the technical and organisational measures to ensure data security must be well planned considering the system’s operational environment.
Finally, it is necessary to trace privacy and data protection requirements during the testing and implementation of the system. Establishing a feedback framework will assist in tracking how these requirements are executed. When the system is finally developed and running, a privacy or data protection audit becomes necessary to check the scope of implementation in operation. In the smashHit project, this is addressed by utilizing the Data Protection Management Cycle (DPM cycle) [4] which covers the whole process of data protection management including the evaluation of measures taken and the implementation of necessary improvements.
Conclusion
Projects like smashHit that involve the processing of personal data must endeavour to extract privacy and data protection requirements systematically and holistically. Data protection by design is a principle, set out in the GDPR, that promotes privacy and data protection compliance from the start. It is an alternative to bolting privacy considerations on as an after-thought or ignoring them altogether [5]. Adopting a P/DPbD approach like the SDM allows to identify all personal data sets and apply data protection principles through the selection of appropriate TOMs alongside the technical development of the system.
References
[1] A. Cavoukian, “Operationalizing Privacy by Design: A Guide to Implementing Strong Privacy Practices”, Information and Privacy Commissioner, Ontario, 2012. See also, Art. 25 of the GDPR.
[2] The Standard Data Protection Model, “A method for data protection advising and controlling on the basis of uniform protection goals”, Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder, April 2020, Available at https://www.datenschutzzentrum.de/uploads/sdm/SDM-Methodology_V2.0b.pdf.
[3] The Standard Data Protection Model (SDM), p. 25 et seqq. Note: Availability and intervenability are not explicitly named as principles relating to processing of personal data in the GDPR but can be derived from it.
[4] The Standard Data Protection Model (SDM), p. 52 et seq.
[5] ENISA, “Data Protection Engineering”, 2022, Available at https://www.enisa.europa.eu/publications/data-protection-engineering.