TY - GEN
T1 - Understanding the Implementation of Technical Measures in the Process of Data Privacy Compliance
T2 - 16th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM 2022
AU - Klymenko, Oleksandra
AU - Kosenkov, Oleksandr
AU - Meisenbacher, Stephen
AU - Elahidoost, Parisa
AU - Mendez, Daniel
AU - Matthes, Florian
N1 - Publisher Copyright:
© 2022 Association for Computing Machinery.
PY - 2022/9/19
Y1 - 2022/9/19
N2 - Background: Modern privacy regulations, such as the General Data Protection Regulation (GDPR), address privacy in software systems in a technologically agnostic way by mentioning general "technical measures"for data privacy compliance rather than dictating how these should be implemented. An understanding of the concept of technical measures and how exactly these can be handled in practice, however, is not trivial due to its interdisciplinary nature and the necessary technical-legal interactions. Aims: We aim to investigate how the concept of technical measures for data privacy compliance is understood in practice as well as the technical-legal interaction intrinsic to the process of implementing those technical measures. Methods: We follow a research design that is 1) exploratory in nature, 2) qualitative, and 3) interview-based, with 16 selected privacy professionals in the technical and legal domains. Results: Our results suggest that there is no clear mutual understanding and commonly accepted approach to handling technical measures. Both technical and legal roles are involved in the implementation of such measures. While they still often operate in separate spheres, a predominant opinion amongst the interviewees is to promote more interdisciplinary collaboration. Conclusions: Our empirical findings confirm the need for better interaction between legal and engineering teams when implementing technical measures for data privacy. We posit that interdisciplinary collaboration is paramount to a more complete understanding of technical measures, which currently lacks a mutually accepted notion. Yet, as strongly suggested by our results, there is still a lack of systematic approaches to such interaction. Therefore, the results strengthen our confidence in the need for further investigations into the technical-legal dynamic of data privacy compliance.
AB - Background: Modern privacy regulations, such as the General Data Protection Regulation (GDPR), address privacy in software systems in a technologically agnostic way by mentioning general "technical measures"for data privacy compliance rather than dictating how these should be implemented. An understanding of the concept of technical measures and how exactly these can be handled in practice, however, is not trivial due to its interdisciplinary nature and the necessary technical-legal interactions. Aims: We aim to investigate how the concept of technical measures for data privacy compliance is understood in practice as well as the technical-legal interaction intrinsic to the process of implementing those technical measures. Methods: We follow a research design that is 1) exploratory in nature, 2) qualitative, and 3) interview-based, with 16 selected privacy professionals in the technical and legal domains. Results: Our results suggest that there is no clear mutual understanding and commonly accepted approach to handling technical measures. Both technical and legal roles are involved in the implementation of such measures. While they still often operate in separate spheres, a predominant opinion amongst the interviewees is to promote more interdisciplinary collaboration. Conclusions: Our empirical findings confirm the need for better interaction between legal and engineering teams when implementing technical measures for data privacy. We posit that interdisciplinary collaboration is paramount to a more complete understanding of technical measures, which currently lacks a mutually accepted notion. Yet, as strongly suggested by our results, there is still a lack of systematic approaches to such interaction. Therefore, the results strengthen our confidence in the need for further investigations into the technical-legal dynamic of data privacy compliance.
KW - GDPR
KW - data privacy
KW - privacy compliance
KW - technical measures
UR - http://www.scopus.com/inward/record.url?scp=85139835328&partnerID=8YFLogxK
U2 - 10.1145/3544902.3546234
DO - 10.1145/3544902.3546234
M3 - Conference contribution
AN - SCOPUS:85139835328
T3 - International Symposium on Empirical Software Engineering and Measurement
SP - 261
EP - 271
BT - Proceedings of the 16th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM 2022
A2 - Madeiral, Fernanda
A2 - Lassenius, Casper
A2 - Lassenius, Casper
A2 - Conte, Tayana
A2 - Mannisto, Tomi
PB - IEEE Computer Society
Y2 - 18 September 2022 through 23 September 2022
ER -