Data protection software engineering techniques: Practical research into the demands of the GDPR

Abstract

Personal data is processed frequently and for important and not-so-important purposes in the connected software systems of the internet age. The European Union (EU) has recognized the importance of personal data and commits to protecting the fundamental rights to privacy and to data protection. Data protection can be summarized as the concept that requires those processing personal data to process it lawfully, fairly, and transparently. The General Data Protection Regulation (GDPR) is the main source of the concrete personal data processing rules in the EU. Among other things, the rights provided in the GDPR have implications to software systems and their development. This dissertation studies the nuances of these requirements and their implementation, in order to improve the understanding of the regulation and its implications, and develops novel software engineering techniques, in order to improve the state-of-the-art of data protection engineering. The exploratory research approach employs a variety of methods across five independent publications with qualitative and quantitative elements, and provides design science contributions. The four research questions explore the technical requirements of the GDPR, how meeting of its requirements can be improved, specifically via static analysis of software source code, and how the different industry stakeholders align on data protection. The concrete contributions include requirements engineering analysis, static analysis methods for personal data flows and composable privacy policies, an analysis of GDPR enforcement actions, and thematic analysis of device sharing data protection strategies. This dissertation claims that (a) software engineering as an art ought to raise the standard of data protection in an interdisciplinary undertaking, (b) there are improvements available in software architecture, static analysis, and ecosystem collaboration, (c) information about personal data processing can be embedded into software at the source code level with a reasonable effort, which ought to be considered as the GDPR “state-of-the-art” protection measures, and (d) the results altogether can be viewed as an actionable road map for improved data protection across software engineering in general.