Empirical Task Analysis of Data Protection Management
Abstract
Even three years after the announcement of the General Data Protection Regulation (GDPR), organizations still struggle to achieve regulatory compliance.
Previous work has often tried to address this problem by identifying the changes resulting from the GDPR and the implementation barriers that need to be overcome. However, since ensuring regulatory compliance is an ongoing activity, an overview of the recurring tasks in what we call Data Protection Management (DPM) is necessary to describe precisely where the issues arise that hinder the process of achieving compliance.
Although the GDPR specifies the general conditions for achieving compliance, it does not describe how these responsibilities can be met in practice. To close this gap, we conduct an empirical task analysis of DPM to ensure the practical relevance and applicability of the results. To reduce the number of tasks, they were grouped into activities based on their characteristics; these activities were then rated by 38 data protection officers from Germany in terms of complexity, time consumption and frequently occurring problems. Given that one potentially effective way to support DPM is its collaboration with Enterprise Architecture Management (EAM), we also assess the status quo and helpfulness of that collaboration.
As a result, nine activities are identified and evaluated that cover the range of tasks in data protection management. Furthermore, the frequencies of the most severe problems arising during each of the individual activities are determined and interpreted. The collaboration of DPM and EAM can be summarized as quite effective for eight of the nine activities and is therefore generally recommended.