3 research outputs found
GDPR Compliance in the Context of Continuous Integration
The enactment of the General Data Protection Regulation (GDPR) in 2018 forced
any organization that collects and/or processes EU-based personal data to
comply with stringent privacy regulations. Software organizations have
struggled to achieve GDPR compliance both before and after the GDPR deadline.
While some studies have relied on surveys or interviews to find general
implications of the GDPR, there is a lack of in-depth studies that investigate
compliance practices and compliance challenges of software organizations. In
particular, there is no information on small and medium enterprises (SMEs),
which represent the majority of organizations in the EU, nor on organizations
that practice continuous integration. Using design science methodology, we
conducted an in-depth study over the span of 20 months regarding GDPR
compliance practices and challenges in collaboration with a small, startup
organization. We first identified our collaborator's business problems and then
iteratively developed two artifacts to address those problems: a set of
operationalized GDPR principles, and an automated GDPR tool that tests those
GDPR-derived privacy requirements. This design science approach resulted in
four implications for research and for practice. For example, our research
reveals that GDPR regulations can be partially operationalized and tested
through automated means, which improves compliance practices, but more research
is needed to create more efficient and effective means to disseminate and
manage GDPR knowledge among software developers.Comment: Manuscript submitted for publication, 14 page