Understanding the Implementation of Technical Measures in the Process of Data Privacy Compliance: A Qualitative StudyShow others and affiliations
2022 (English)In: ESEM '22: Proceedings of the 16th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement / [ed] Madeiral F., Lassenius C., Conte T., Mannisto T., IEEE Computer Society, 2022, p. 261-271Conference paper, Published paper (Refereed)
Abstract [en]
Background: Modern privacy regulations, such as the General Data Protection Regulation (GDPR), address privacy in software systems in a technologically agnostic way by mentioning general "technical measures"for data privacy compliance rather than dictating how these should be implemented. An understanding of the concept of technical measures and how exactly these can be handled in practice, however, is not trivial due to its interdisciplinary nature and the necessary technical-legal interactions. Aims: We aim to investigate how the concept of technical measures for data privacy compliance is understood in practice as well as the technical-legal interaction intrinsic to the process of implementing those technical measures. Methods: We follow a research design that is 1) exploratory in nature, 2) qualitative, and 3) interview-based, with 16 selected privacy professionals in the technical and legal domains. Results: Our results suggest that there is no clear mutual understanding and commonly accepted approach to handling technical measures. Both technical and legal roles are involved in the implementation of such measures. While they still often operate in separate spheres, a predominant opinion amongst the interviewees is to promote more interdisciplinary collaboration. Conclusions: Our empirical findings confirm the need for better interaction between legal and engineering teams when implementing technical measures for data privacy. We posit that interdisciplinary collaboration is paramount to a more complete understanding of technical measures, which currently lacks a mutually accepted notion. Yet, as strongly suggested by our results, there is still a lack of systematic approaches to such interaction. Therefore, the results strengthen our confidence in the need for further investigations into the technical-legal dynamic of data privacy compliance. © 2022 Association for Computing Machinery.
Place, publisher, year, edition, pages
IEEE Computer Society, 2022. p. 261-271
Series
International Symposium on Empirical Software Engineering and Measurement, ISSN 1949-3770, E-ISSN 1949-3789
Keywords [en]
data privacy, GDPR, privacy compliance, technical measures, Laws and legislation, General data protection regulations, Interdisciplinary collaborations, Legal domains, Mutual understanding, Privacy regulation, Qualitative study, Research designs, Software-systems
National Category
Media and Communication Technology
Identifiers
URN: urn:nbn:se:bth-23787DOI: 10.1145/3544902.3546234ISI: 001139214400024Scopus ID: 2-s2.0-85139835328ISBN: 9781450394277 (print)OAI: oai:DiVA.org:bth-23787DiVA, id: diva2:1706928
Conference
16th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM 2022, Helsinki, 18 September through 23 September 2022
Note
open access
2022-10-282022-10-282025-01-02Bibliographically approved