Implementing a data protection impact assessment for the web-application on the piloting phase
1University of Oulu, Faculty of Information Technology and Electrical Engineering, Department of Information Processing Science, Information Processing Science
|PDF Full Text (PDF, 0.8 MB)
Oulu : J. Tikka,
The General Data Protection Regulation (GDPR) contains several obligations for the ones that are processing personal data of the EU citizens. The major obligations are to take data protection by design and by default, and to carry out a data protection impact assessment (DPIA) whenever there is a high risk to breach privacy. Some organizations and companies are still struggling to achieve these obligations. Violating these obligations may cause sanctions that are up to 4% of the annual turnover. This created the motivation to research how these obligations should be implemented to achieve better compliance with the GDPR.
The objective of this thesis work was to research how the GDPR should be considered in applications that are processing personal data. Based on the related work, it was possible to recognize that DPIA process was recommended to cover the obligations of the GDPR. Therefore, the purpose was to research how the DPIA process would affect to the case application. Case application was a web-application that was on the piloting phase.
Design science research was applied as a research method. It was decided to carry out a DPIA by applying the guidelines of the Information commissioner’s office (ICO). The DPIA process was applied to the case application. After the DPIA was completed, it was possible to evaluate its impact on the case application. Evaluation was completed in three parts, by evaluating how well the process of the DPIA covered the requirements of the GDPR, by evaluating the technical advantages and costs of the process, and by evaluating how the DPIA was applied in practice.
The results of this thesis showed that applying the DPIA process improved data protection, privacy and technical features of the case application. It was possible to reduce the privacy risks associated with data processing activities. In addition, DPIA process improved the technical side of the case application. The data model was simplified and unnecessary information flows were eliminated. These improvements were estimated to increase the workload of the developers for 2.7%. This meant that DPIA process was suitable way to cover the obligations of the GDPR.
© Jaakko Tikka, 2020. This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.