
Master's Thesis Laura Stojko

Last modified Nov 29, 2018

An Information Model as a Basis for Information Gathering to comply with Data Portability according to GDPR Art. 20

Motivation

With the announcement of the European Union General Data Protection Regulation (GDPR), data privacy laws shall be harmonized across European countries [1]. Article 20 of the new data privacy laws describes data portability as one essential aspect [1]. To ensure data portability, companies face the challenge of establishing new processes and applying new techniques. An extremely high workload is expected, as customers can request a report about their saved personal data. To reduce the effort of gathering this information across all applications in the company and to enable process automation, the business applications that save personal data within their business objects [2] must be identified. For this purpose, an information model shall be defined that captures the necessary information about personal data storage and processing according to Article 20 GDPR [1].

By conducting a literature review, several existing approaches to information models shall be discussed [2] [3] [4]. The resulting advantages and disadvantages of the data models will show which model is best suited for this case.

To determine the aspects of the information model, a requirement analysis of Article 20 GDPR [1] will be performed. This step will identify the necessary information about business applications that process or save personal data. It will reveal which information about business objects is needed to meet the requirements of Article 20 GDPR. After reviewing several approaches to information models and identifying the requirements of the law, the information model will be developed.

Finally, the information model shall be evaluated by experts.

Research outline

  1. Literature review: Information gathering on information models, data models, and metadata in relation to business applications and business objects.
  2. Requirement analysis: Analysis of the necessary information about personal data stored in business applications with regard to Article 20 GDPR.
  3. Development of information model: Developing an information model related to business objects and containing the requirements of Article 20 GDPR.
  4. Evaluation on business applications: Evaluation of the information model by experts.

References

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) Official Journal of the European Union, Vol. L119 (4 May 2016), pp. 1-88, 2016.

[2] Buckl, S.; Ernst, A.; Lankes, J.; Matthes, F.; Schweda, C. M.: Enterprise Architecture Management Patterns - Exemplifying the Approach. In: The 12th IEEE International EDOC Conference (EDOC 2008), München, pp. 393-402, 2008.

[3] Buckl, S.; Matthes, F.; Monahov, I.; Roth, S.; Schulz, C.; Schweda, C. M.: Enterprise Architecture Management Patterns for Enterprise-wide Access Views on Business Objects. In: European Conference on Pattern Languages of Programs (EuroPLoP) 2011, Irsee Monastery, Bavaria, Germany.

[4] Spiekermann, M.; Tebernum, D.; Wenzel, S.; Otto, B.: A Metadata Model for Data Goods. In: Multikonferenz Wirtschaftsinformatik 2018, Lüneburg, Germany, pp. 326-337, 2018.

Files and Subpages

Name Type Size Last Modification Last Editor
Kick_Off_Stojko_V1.pdf 684 KB 14.06.2018
Masters_Thesis_Stojko.pdf 1,95 MB 15.11.2018
MA_final_presentation_Stojko.pdf 1,17 MB 15.11.2018