SECRCY | Jul 17, 2019

The General Data Protection Regulation: Requirements, Architectures, and Constraints

arXiv:1907.07498v1 | 60 citations
Originality: Synthesis-oriented
AI Analysis

The paper provides incremental insights for software developers and organizations that need to comply with the GDPR, focusing on practical application rather than broad theoretical advances.

The paper addresses the lack of research on the practical implications of the GDPR for requirements engineering and software architectures: it identifies nine constraints under which SMEs operate and nine regulatory requirements, and presents a compliant software architecture implementation.

The General Data Protection Regulation (GDPR) in the European Union is the most famous recently enacted privacy regulation. Despite the regulation's legal, political, and technological ramifications, relatively little research has been carried out toward a better understanding of the GDPR's practical implications for requirements engineering and software architectures. Building on a grounded theory approach with close ties to the Finnish software industry, this paper contributes to closing this gap in previous research. Three questions are asked and answered in the context of software development organizations. First, the paper elaborates nine practical constraints under which many small and medium-sized enterprises (SMEs) often operate when implementing solutions that address the new regulatory demands. Second, the paper elicits nine regulatory requirements from the GDPR for software architectures. Third, the paper presents an implementation of a software architecture that complies both with the requirements elicited and the constraints elaborated.
