Challenges with the GDPR: A Software Developing Organization’s Guide to GDPR Compliance

Academic year: 2021



Technology and Society

Computer Science and Media Technology

Degree Project

15 credits, first cycle

Challenges with the GDPR (Swedish title)

A Software Development Company's Guide to GDPR Compliance (Swedish title)

Challenges with the GDPR

A Software Developing Organization’s Guide to GDPR Compliance

Olle Olsson

Degree: Bachelor's degree, 180 credits. Supervisor: Petra Mullerova

Main field: Computer Science. Supervisor: Dipak Surie

Programme: Computer Science & Application Development. Examiner: Bahtijar Vogel. Date of final seminar: 2019-05-24


Summary

On 25 May 2018 the new data protection regulation, the GDPR, came into force. The GDPR requires organizations and companies that process personal data to adapt and change their systems and products in order to meet the requirements the regulation sets. If organizations and companies that fall under the regulation cannot meet those requirements, administrative fines must be paid, which can cause these organizations and companies to go bankrupt. Regarding the practical implementation of the GDPR within software developing companies, little research has been done in that area. The practical implementation of the GDPR in software developing companies is also rarely discussed. The purpose of this study is to understand how software developing companies implemented the GDPR in their operations; how they work with the GDPR today; and how they will work with the GDPR in the future. The literature review presents the challenges under the regulation that previous research has identified, and also presents how the legal requirements that the GDPR sets are translated into technical solutions, which software developing companies need to implement in order to become GDPR compliant. Through a qualitative research method, this thesis goes in depth into how the GDPR was implemented in software developing companies. Eleven respondents from six different companies of three different sizes were interviewed through semi-structured interviews. The interview questions were based on factors that are relevant for this study. The empirical material was then compiled, analysed and compared with the literature collected and used in the literature review. The empirical material showed that the extent of the implementation of the GDPR in software developing companies does not depend on the size of the organizations, but rather on what personal data is processed. The findings from this study will serve as a guide to GDPR compliance for software developing companies, presented in the conclusion. This study has identified the following principles to be essential for software developing companies in order to become GDPR compliant. Software developers must now ensure: an understanding of what the GDPR means for their particular business, understanding and awareness of the GDPR throughout the organization, transparency towards the organization's customers and users, that personal data is located and mapped in existing systems and applications, that data is minimized under the principles the GDPR provides, that personal data is encrypted, that the principle of privacy by design & default is followed in all software development, guidance on the GDPR, that daily protocols are followed, and that these are followed up.


Abstract

The General Data Protection Regulation came into force on the 25th of May 2018. The GDPR requires organizations and companies who process personal data to adjust and change their existing systems in order to meet the requirements that the GDPR puts forward. If organizations and companies fail to comply with the regulation, administrative fines and penalties will be enforced, which can lead to bankruptcy for these organizations and companies. There is a lack of research on the practical implementation of the GDPR in software developing companies, and the topic is rarely discussed. Thus, the purpose of this thesis is to understand how the GDPR was implemented in software developing companies; how software developing companies work with the GDPR today; and how software developing companies will work with the GDPR in the future. The literature review presents the challenges of the regulation that previous research has brought forward, and how the legal requirements translate into technical solutions, which software developing companies need to implement in order to become compliant with the regulation. Through a qualitative research method, this thesis investigates in depth how the GDPR was implemented in software developing companies. Eleven respondents representing six different organizations of three different sizes were interviewed through semi-structured interviews. The interview questions were based on key factors brought forward in the literature review chapter which are of relevance for this thesis. The empirical evidence was then summarized, analysed and compared to the literature used. The empirical evidence showed that the extent of the implementation of the GDPR in software developing companies did not depend on the size of the organization, but rather on what personal data is being processed. The findings in this study will serve as a software developer's guide to GDPR compliance, which is presented in the conclusion.
This study has identified the following principles to be essential for software developing companies in order to become GDPR compliant: understanding what the GDPR means for their business, awareness within their organization, transparency, locating personal data, data minimization, encryption of data, privacy by design & default, GDPR guidance, daily GDPR protocols, and follow-up on previous implementations.


Content

1 Introduction ... 1

1.1 Background ... 1

1.1.1 Problem ... 2

1.1.2 Connection to Computer Science ... 3

1.1.3 Purpose ... 3

1.1.4 Research question ... 3

1.1.5 Definitions ... 4

2 Literature Review ... 6

2.1 General Data Protection Regulation ... 6

2.1.1 What is Personal Data? ... 7

2.1.2 Controllers and Processors ... 7

2.1.3 GDPR Challenges and Companies ... 9

2.1.5 Lack of GDPR Awareness ... 11

2.1.6 Fines and Penalties ... 12

2.1.7 Right to Erasure (‘Right to Be Forgotten’) ... 13

2.1.8 Lawful Processing ... 14

2.2 From Legal Requirements to Technical Solutions ... 15

2.2.1 Pseudonymization of Data ... 15

2.2.2 Privacy by Design ... 16

2.2.3 Data minimization and Storage Limitation ... 18

2.2.4 Encryption of Data ... 19

2.3 Ethical Dimension of Data Protection ... 19

3 Method ... 21

3.1 Interviews ... 21

3.1.1 Interview Structure ... 21

3.1.2 Preparation & Interview Guidance ... 22

3.1.3 Selection of Respondents ... 23

3.1.4 Interview Analysis and Transcribing ... 24

3.1.5 Ethic and Checking ... 25

3.2 Suitable Research Method ... 25

3.3 Validity & Critique ... 26

3.4 Bias ... 26


4.1 Respondents ... 28

4.1.1 Respondent 1.1 (R1.1 – A) ... 28

4.1.2 Respondent 1.2 (R1.2 – A) ... 28

4.1.3 Respondent 2 (R2 – B) ... 28

4.1.4 Respondent 3 (R3 – C) ... 29

4.1.5 Respondent 4 (R4 – D) ... 29

4.1.6 Respondent 5.1 (R5.1 – E) ... 29

4.1.7 Respondent 5.2 (R5.2 – E) ... 30

4.1.8 Respondent 5.3 (R5.3 – E) ... 30

4.1.9 Respondent 5.4 (R5.4 – E) ... 30

4.1.10 Respondent 6.1 (R6.1 – F) ... 31

4.1.11 Respondent 6.2 (R6.2 – F) ... 31

4.2 Interview Results ... 32

4.2.1 Developers transition into GDPR ... 32

4.2.2 Challenges with GDPR ... 33

4.2.3 Managing the Challenges ... 35

4.2.4 Managing Personal Data ... 37

4.2.5 Technical solutions and practical work ... 39

4.2.7 How Compliance Is Done Today ... 42

4.2.8 Before GDPR ... 44

4.2.9 Guidance from Data Protection Officers ... 45

4.2.10 Future challenges ... 45

5 Analysis ... 47

5.1 GDPR and Software Developing Companies ... 47

5.1.1 Motivation ... 47

5.1.2 Controllers and Processors ... 47

5.1.3 Before GDPR ... 48

5.1.4 How Compliance Is Done Today ... 49

5.2 From Legal Requirements To Technical Solutions ... 51

5.2.1 Pseudonymization and Encryption of Data ... 51

5.2.2 Data minimization and Storage Limitation ... 52

5.2.3 Privacy by Design & Default ... 52

5.3 GDPR Challenges ... 53

5.3.1 Interpretation of the GDPR ... 53


5.3.3 Locating Personal Data ... 55

6 Discussion ... 56

6.1 Key Findings ... 56

6.1.1 Understanding the GDPR ... 56

6.1.2 Ensuring Guidance from Experts and Data Protection Officers ... 57

6.1.3 Ensuring Lawful Processing ... 57

6.1.4 Ensuring Data minimization and Storage Limitation ... 58

6.1.5 Ensuring Transparency ... 58

6.1.6 Ensuring Locating of Personal Data ... 59

6.1.7 Ensuring Privacy by Design & Default ... 59

6.1.8 Ensuring Encryption of Data ... 60

7 Conclusion ... 61

Appendix 1 – Contact Letter ... 66

Appendix 2 – Interview Questionnaire ... 67

Appendix 3 – Transcript R1.1, R1.2 ... 70

Appendix 4 – Transcript R2 ... 79

Appendix 5 – Transcript R3 ... 86

Appendix 6 – Transcript R4 ... 93

Appendix 7 – Transcript R5.1, R5.2, R5.3, R5.4 ... 101

Appendix 8 – Transcript R6 ... 114

References ... 122


1 Introduction

1.1 Background

The GDPR closes in on its first year after its enforcement on May 25th, 2018. The GDPR aims at all businesses and other entities that collect and process personal data of European citizens. This means that companies situated outside of the EU that collect personal data from EU citizens must also comply with the GDPR (Tankard, 2016). Personal data refers to the information, managed by organizations and companies, about an identified or identifiable individual (Blix et al., 2017). In a study made by DELL in 2016, the year the GDPR and its deadline were introduced, 821 IT data privacy experts were surveyed within companies whose clientele consisted of at least 10% European customers. The study showed that 1 in every 3 companies had an idea of what the legislation meant, both legally and technically (DELL Computers, 2016). If companies fail to comply with the regulation, the fines and penalties of the GDPR are high enough to put an organisation into bankruptcy (Mansfield-Devine, 2016). In January 2019, Google became the first company to be given a major fine, of approximately €50 million, for violating the GDPR, on the grounds of insufficient transparency towards consumers (Computer Fraud & Security, 2019).

In order for organizations and companies to be compliant with the regulation, they must ensure that appropriate technologies, privacy controls and safeguards are implemented in their existing systems and programs (Tankard, 2016). This introduces new practices and technical solutions as provided in the GDPR. Data protection by design is one of the most challenging aspects of the GDPR, as it forces software developing organizations to work proactively with privacy throughout the design process of both software and systems (Billgren and Ekman, 2017). Thus, this practice covers the full lifecycle of the personal data and how the data is used and stored (Cavoukian, 2012). Further requirements, such as data minimization, must also be taken into consideration during the development process of software and systems; data minimization means that the processing and collection of personal data should be reduced to the bare minimum (ICO, 2018). Software developing organizations and companies also have the obligation to inform the data subjects about who is collecting their data, what the purpose of collecting the data is, what the legal justifications are, and for how long the data will be collected (European Commission, 2018b).

The GDPR was not created as an effort to ensure better cyber security in general; it is a piece of legislation that sheds light on our basic human rights (Blix et al., 2017). Moreover, the GDPR gives effect to the fundamental right of individuals to have their personal data protected, as well as setting future-proof standards. One of the key pillars of the GDPR is that it recognises the contribution of social progress, the economy and technology, but brings up the importance of technology being developed in a responsible manner, as well as giving individuals the right to have full insight into and control over their data (Hijmans and Raab, 2018). The benefit for companies that are subject to the GDPR is that it forces organizations and companies to organize, structure and better protect personal data, thus ensuring mutual business-to-consumer trust (Datainspektionen, 2018c).

1.1.1 Problem

Apart from concerns about how data controllers and processors develop both transparent products and relationships with data subjects, the GDPR incorporates information security into basic privacy (Heimes, 2016). One of the biggest challenges companies face is to manage and track all data considered to be personal data: categorizing and mapping that data, and gaining full control over it. Most companies have gathered personal data for the sake of consumer experience and marketing without any real regulation forcing them to regulate that data (Mansfield-Devine, 2016). The GDPR requires organizations and companies to ensure that controls are implemented in order to minimize the risk of unauthorized access to personal data, and also puts forward the usage of technological tools as standards (ICO, 2018). These technical tools and standards include privacy by design, data minimization and storage limitation (Billgren and Ekman, 2017). As stated in Article 17 of the GDPR, data subjects now have the right to have their data extracted from data storage within companies without undue delay. The information of which the data subject is the owner can either be required to be completely removed or be migrated to other parties (General Data Protection Regulation Art. 17, 2018; European Commission, 2018a). Thus, software developing organizations now need to evaluate and examine existing schemas and data storage methods to ensure that data portability is time efficient, flexible and economical at all times. A further requirement put forward by the GDPR is that all systems within software developing organizations, both old and new, are to be designed and developed in a manner that ensures that an individual's privacy is taken into account from the beginning (Blix et al., 2017).

The requirements put forward by the regulation put pressure on software developing organizations. However, studies have shown that there is a lack of knowledge in terms of how the GDPR should be implemented in businesses (DELL, 2016; Billgren and Ekman, 2017; Mansfield-Devine, 2016). This provides an opportunity to examine the challenges and activities software developing organizations have been, and are, subject to under the GDPR, now that the GDPR has passed its first year as legislation. These legal requirements will be presented and translated into technical solutions in the literature review of this thesis, and will serve as the foundation for the interviews that form part of the chosen research methodology.


1.1.2 Connection to Computer Science

Although the GDPR is a legal term, all the requirements for GDPR compliance speak volumes in terms of the work that is put in, and needs to be put in, by software developing organizations managing and processing personal data. Software developing organizations are now required to have a general knowledge of what GDPR compliance means, as well as being able to put that knowledge into practice while constructing processes, developing programs and applications, structuring data storage, conducting project management within software developing organizations, and providing privacy and security to their end users. As these requirements suggest, software developing companies will now have to adapt their activities and processes in order to comply with the GDPR.

1.1.3 Purpose

The purpose of this thesis is to investigate how software development organizations prepared for the GDPR; how the regulation was put into practice by the software development organizations; and what challenges software development companies are faced with when continuously working towards GDPR compliance. Furthermore, this paper sheds light upon the challenges developing organizations face when working towards GDPR compliance and their best practices for it. The reason for understanding how software developing organizations processed personal data prior to the GDPR is to identify bad practices, and why they are bad practices in relation to the GDPR. Hence, this thesis will serve as a GDPR compliance guide for software developing organizations.

1.1.4 Research question

What challenges, when processing personal data, are software development organizations subject to while working towards compliance with the General Data Protection Regulation?


1.1.5 Definitions

Cookie identifiers:

Cookies are small pieces of data that a party asks to be stored on the user's computer or mobile device while the user is visiting its website. The server that supplies the webpage stores the data on the given device. Through the cookie, the website can remember actions performed by the user. Furthermore, cookies carry an identifier that can be used to identify the user on whose device the cookie is stored, whether computer, tablet or smartphone (European Commission, 2018c).

“Each time the user requests a new page, the web server can receive the values of the cookies it previously set and return the page with content relating to these values” (European Commission, 2018c).

Data subject:

The data subject, as described in the GDPR definitions of Article 4, is an identifiable natural person who can be identified directly or indirectly. The identifiers suggested by the GDPR are names, identification numbers, location data, online identifiers as mentioned above, or other factors relating to the physical, physiological, genetic, economic, cultural or social identity of the natural person, i.e. the data subject (General Data Protection Regulation Art. 4, 2018).

DELL:

An American multinational computer technology company. DELL is one of the largest technological corporations in the world (DELL Annual Report, 2018).

EU:

The European Union

GDPR:

The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the EU. The legislation came into force on the 25th of May 2018.

ICO:

Information Commissioner’s Office is the UK’s independent authority, set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

IP-address:


Processed data:

Processed data refers to operations being performed on personal data, whether by manual or automated means. Processing includes: collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data (General Data Protection Regulation Art. 6, 2018).

“The General Data Protection Regulation (GDPR) applies to the processing of personal data wholly or partly by automated means as well as to non-automated processing, if it is part of a structured filing system” (European Commission, n.d.)

Slack

Slack is a collaboration hub where development teams can work together remotely or in the office. The platform is used for everything from development projects to budget discussions within organizations or companies, and everything in between (Slack, n.d.).

GitLab

GitLab is an open source project that helps development teams collaborate on software development (GitLab, n.d.).


2 Literature Review

In this chapter, the GDPR is explained and clarified. The different definitions within the GDPR are also brought up and acknowledged, as they are key to understanding the concept and thought behind the GDPR: controller, processor, and what personal data is actually considered to be. This chapter also underlines the obligations that controllers and processors have, as well as the challenges they were faced with while working towards GDPR compliance as the regulation was introduced, and which challenges and practices are still of high importance to follow up on. The legal requirements of the GDPR are boiled down to technical requirements, which are also presented in this chapter. Moreover, this chapter sheds light upon the lack of GDPR awareness amongst organizations and companies as the regulation was closing in on its deadline, and also the possible fines that non-compliance with the regulation will lead to. Furthermore, the lawful bases for processing personal data are presented alongside the social and ethical dimension of the GDPR. The key aspects identified in the literature review will serve as the foundation for the interviews that the method chapter further describes.

2.1 General Data Protection Regulation

The debate concerning our personal data is the very centre of the GDPR legislation, which is a regulation in EU law on data protection and privacy for all individuals within the EU. The legislation came into force on the 25th of May 2018 and has since affected data storage in companies worldwide. The GDPR focuses on promoting the consumer's right to control their own personal information, where it ought to be stored and how. The GDPR extends data protection so that anyone or any organization that collects and processes information related to EU citizens must follow it, regardless of where they are based or where the data is stored. The new regulation requires that organizations that are subjected to a data breach must notify data protection authorities within 72 hours of its discovery. Organizations may be fined up to 2% of their global revenue or €10 million, whichever is higher, although a first-offence warning may be given. For more serious infringements, fines of up to 4% of world revenues or €20 million, whichever is higher, can be imposed (Tankard, 2016). According to the Swedish Data Protection Authority, the amount of the fine due for an infringement depends both on which provision the infringement concerns and on the individual circumstances of the case (Datainspektionen, 2018d). Moreover, the Swedish Data Protection Authority must also investigate how serious the infringement is; how much damage has been caused; whether personal data is involved and what type of sensitive data has been affected; and whether the infringement was intentional (Datainspektionen, 2018d).


2.1.1 What is Personal Data?

To further understand the meaning of personal data, the European Commission describes personal data as any form of information that relates to an identified or identifiable living individual. Stored information, such as pieces of information that can connect an individual to that particular data, is also considered personal data. If data that has been encrypted or pseudonymized can be used to re-identify a person, then that data also falls within the scope of the regulation (Datainspektionen, 2019). The European Commission further describes that the regulation protects personal data regardless of the technology used for processing that data. Examples of what is considered to be personal data, which tie in with the mentions above, are as follows:

• First name

• Surname

• Home address

• Email addresses

• Identification card number

• Location data (as most smartphones provide to their users)

• Advertising identifier of one's phone

(European Commission, 2019)

Furthermore, under Art. 4 GDPR § 1, online identifiers also fall within the scope of the regulation. Online identifiers are described under Recital 30 (Online identifiers for profiling and identification) as being provided by an individual's device, such as IP addresses, cookie identifiers or radio frequency identification tags. These online identifiers, combined with unique identifiers and other information received by servers, can be used to pick up traces through which this data may be used to create profiles of the natural person and hence identify that person (General Data Protection Regulation Art. 4, 2018; General Data Protection Regulation Recital 30, 2018).

2.1.2 Controllers and Processors

The ICO (2018) explains that the organizations and companies to which the legislation applies are so-called controllers and processors. To understand the two definitions and how they differ from each other, there are several key differences that the ICO (2018) sheds light upon. To help organizations and companies understand which scope they fall under, the ICO provides a list of indicators as to whether a certain organization or company is a controller or not, a few of which are listed below. An organization or company is to be considered a controller if:


• they collect or process data

• they decide what the outcome or purpose is to be as the data is being processed

• they decide on what personal data is to be collected

• they decide on which individuals to collect personal data about

• they obtain commercial gain or other benefit from processing personal data

• they have a direct relationship with the data subjects

• they have complete insight into how the personal data is being processed (ICO, 2018)

Moreover, controllers carry a significant amount of the responsibility mentioned in the regulation, as well as standing alongside the data subject throughout the whole regulation: where the controller has obligations, the data subject has rights (Billgren and Ekman, 2017).

The controllers determine the purpose and means of the processing of personal data, whereas the processors are responsible for processing personal data on behalf of the controllers (ICO, 2018). Hence, the processors act on behalf of the controllers but still have major responsibilities as they too handle personal data. As listed above for controllers, a few indicators of processors, which the ICO provides, will also be mentioned. Organizations or companies are to be considered as processors if:

• they follow instructions from someone else regarding the processing of personal data

• they are given personal data by a third party or told what to collect

• they do not decide to collect personal data

• they do not decide on what personal data should be collected from individuals

• they do not decide the purpose of the data being collected

• they do not decide on how long the data is kept

• they make decisions on how data is processed under a contract with someone else (ICO, 2018)

There must be clear contracts established between the controller and the processor, and the processor must follow the same principles and rules in terms of documentation and data storage as the controller does under the GDPR (Billgren and Ekman, 2017). The ICO, referring to Art. 28 GDPR, goes on to explain that processors have specific legal obligations, such as being required to maintain records of personal data and its processing activities. The controllers are not relieved of their obligations with regard to the GDPR, since the GDPR places further obligations on the controllers to ensure that their contracts with processors comply with the GDPR (ICO, 2018; General Data Protection Regulation Art. 82, 2018).


Controllers and processors are in certain cases required to have a Data Protection Officer (DPO). When controllers and processors carry out large-scale and systematic monitoring of EU citizens, a DPO has to be appointed. An example of large-scale processing is a hospital keeping and managing data on patients (Billgren and Ekman, 2017). According to Article 34 of the GDPR, a DPO should have, at minimum, the following tasks:

• Inform the controller or processor, and the employees carrying out processing, of their obligations under the regulation

• Together with other Union or Member State provisions, monitor compliance with the regulation, the processing of personal data, the raising of awareness of the regulation, and staff training

• Provide the controller or processor with advice if requested

• Cooperate with the supervisory authority

• Act as the contact point for the supervisory authority on issues relating to the processing of sensitive data

• While performing these tasks, have due regard to the risk, nature and purpose associated with the processing of sensitive data

(General Data Protection Regulation Art. 34, 2018)

Furthermore, the Swedish Data Protection Authority states that the DPO has no personal responsibility for the organization or company in which they are based, as the full responsibility lies with the controller or the processor. If a controller or a processor makes changes, or considers making changes, concerning the processing of personal data, the DPO must always be involved in that process (Datainspektionen, 2018e). Billgren and Ekman (2017) argue that organizations and companies that are not required by law to have a DPO would still benefit from having one, as it helps organizations and companies to be compliant with the regulation.

2.1.3 GDPR Challenges and Companies

Not only companies and organizations residing in the EU that process and hold personal data are subject to the GDPR, but also companies and organizations residing outside of the EU that offer services to EU data subjects. It applies to all companies processing and holding data that is to be considered personal data, regardless of the company's location (EU GDPR, 2018a). Guidelines provided by the European Commission (European Commission, 2018) for companies speak volumes in terms of the importance of being transparent about storing personal data. Companies must check whether they provide data subjects with all required data, or if their data is being processed by these companies elsewhere (Tikkinen et al., 2018). Companies must also provide data subjects with information on who is processing what, and why it is being processed. Below are a few examples of the ‘bare minimum’ information which is to be given to the data subjects:

• The type of company that is requiring processing of personal data

• The purpose of the data processing

• The legal aspects of the personal data being processed

• Who else will receive this data

(European Commission, 2018a)

Furthermore, the European Commission provides further demands that companies need to include when becoming GDPR-compliant, which are the individual’s right to access data and the individual’s right to data portability:

• Companies need to inform the data subject if they are processing that individual’s personal data

• Companies need to inform the data subject about the processing of the personal data: purpose, categories of personal data concerned, recipients of that data

• Companies are to provide data subjects with a copy of the personal data being processed if so desired by the individual

(European Commission, 2018a)

Osterman (2017) explains that companies need to evaluate and examine existing schemas and data storage methods to ensure that data portability is time efficient, flexible and economical. Data products and services that can facilitate the portability of data must also be taken into consideration and explored for implementation (Osterman Inc., 2017). Tankard (2016) goes on to add that data subjects must give their definite consent for their data to be processed, which must be informed and voluntary, and, if so desired, have the right to access the information held on them. The GDPR has obligations that organizations and companies need to take into account both when plans for how personal data is to be collected are made and when personal data is processed; if a company plans to profile its customers, it must inform the individuals affected accordingly, stating and explaining the essential need for it (Tikkinen et al., 2018). The data subject can also object to the processing of their data where they have legitimate grounds for doing so (Tankard, 2016).

In a study made by Billgren and Ekman (2017), the GDPR challenges that organizations were faced with were explored. The findings showed that many companies had trouble interpreting the regulation and the actual meaning behind the articles and recitals (Billgren and Ekman, 2017). Furthermore, Billgren and Ekman (2017) add that interpreting the regulation is time consuming and also contributes to confusion as to how, in terms of processes and tasks, the problems should be broken down.

Director of advisory context at Context Information Security, Tim Erridge, was interviewed by the experienced journalist and IT-security expert Steve Mansfield-Devine about the challenges that organisations face when becoming GDPR-compliant (Mansfield-Devine, 2016). Erridge explains that one of the biggest challenges companies were faced with was to locate all data considered to be personal data, to categorize and map that data, and to get full control over it. Erridge follows this up by mentioning that most companies have gathered personal data for the sake of consumer experience and marketing without any real regulation forcing them to govern that data. When the GDPR was introduced, companies came to understand that the personal data they used and stored had multiplied throughout their organizations in so many ways that it was almost impossible to keep track of (Mansfield-Devine, 2016).

Tikkinen-Piri, Rohunen and Markkula (2018) also explain that, due to the considerable changes for personal-data-intensive companies, these companies needed to review their strategies for becoming compliant with the regulation as well as look into their information systems to ensure their alignment with the regulation. Tikkinen-Piri et al. further mention that most companies should first acquire a general understanding of the regulation before starting to implement processes and changes in existing systems to become GDPR-compliant, and then follow up on the continuous requirements that will need to be implemented in the future, as companies should strive to become as GDPR-compliant as possible (Tikkinen et al., 2018).

2.1.5 Lack of GDPR Awareness

All aspects mentioned above shed light on the fact that much must be taken into consideration as companies strive towards compliance with the GDPR. This of course led many companies to believe, when the GDPR was introduced, that they would be subject to the fines and penalties that non-compliant companies face (Tankard, 2016). In 2016, a survey was conducted by Dell Computers to understand perceptions of the GDPR among IT data privacy experts within companies whose clientele consisted of at least 10% European customers. The questions in the survey focused on awareness of the coming legislation and its expected impacts. A total of 821 individuals took the survey, all of whom had some responsibility for data privacy within the company they worked for (Dell Computers, 2016). 50% of the respondents came from big enterprises with 1000 to 5000 or more employees, and 50% came from small-to-medium-sized companies with less than 100 up to 1000 employees. 72% of the respondents represented companies in Europe, 19% the United States or Canada and 9% Asia (Dell Computers, 2016).


Figure 1.1: Dell Computers, 2016, ‘How would you characterize your awareness of GDPR?’

Other results from the survey showed a lack of awareness of the coming legislation: less than 1 in 3 companies were prepared for the legislation and what it meant for their company, and 97% did not have a plan to prepare for it.

Figure 1.2: Dell Computers, 2016, ‘In your opinion, is your company prepared for GDPR today?’

Tankard (2016) also reports that 52% of companies, according to Ovum, believed that the legislation would result in fines and penalties for their companies. Tankard also predicted that companies introduced to the legislation back in 2016 would need at least two years to prepare in order to become GDPR-compliant.

2.1.6 Fines and Penalties

Erridge (2016) explains that data protection has always been a subject of discussion in companies, and that companies decide whether or not to implement further data protection based on the probability of being fined. Erridge also explains that some companies have chosen not to follow previous data protection regulations because the fines would not be as high as the cost of implementing the data protection in the organisation (Mansfield-Devine, 2016). However, with the GDPR, fines and penalties are now high enough to put an organisation into bankruptcy. The GDPR is designed to force companies to sit up and pay attention, and then actually start doing something about proactively safeguarding the data.

There is a lower level of sanctions and a higher level of sanctions that are enforced when the regulation is violated. As Tankard (2016) describes, for minor violations of the GDPR companies can be fined up to 2% of their global turnover of the preceding financial year or 10 million EUR, whichever is higher. Companies will also be notified with a warning that they have violated the regulation and that an immediate solution is required. Tankard also describes the higher sanctions, which are 4% of the company's global turnover of the preceding financial year or 20 million EUR, whichever is higher (Tankard, 2016). Art. 84 of the regulation provides details on the administrative fines. For infringements by either controllers or processors, the fine for non-compliance is determined by the behaviour of the organisation as well as the number of data subjects affected (General Data Protection Regulation Art. 84., 2018).

2.1.7 Right to Erasure (‘Right to Be Forgotten’)

One of the biggest changes for companies when the regulation was introduced was Art. 17 of the GDPR, the Right to Erasure, also commonly called the 'Right to Be Forgotten'. This means that controllers and processors have the obligation to erase all existing personal data of a data subject without undue delay under specific circumstances (General Data Protection Regulation Art. 17., 2018). In order for companies and organizations not to keep the data longer than desired by the individual requesting its removal, one of the following requirements must be met:

• The personal data is no longer necessary in relation to the purpose for which it was gathered and stored in the first place

• The data subject objects to the use of their personal data and withdraws consent

• The personal data has been unlawfully processed

• The personal data must be erased due to a legal obligation in Union or Member State law

(General Data Protection Regulation Art. 17., 2018)

Regarding the European Commission's guidelines for the GDPR (2018) and the Right to Be Forgotten, Tankard (2016) calls this right one of the areas that makes compliance harder for companies. Tankard adds that this is an area that some consider controversial. It requires companies to be fully aware of how personal data is stored and where it is stored. The request by an individual to have their personal data erased from specific companies and organizations should also cover the history of the stored data: how it has been processed throughout its lifespan at its host; how long it has been processed and stored; and who has been the recipient and additional user of that personal data (Billgren and Ekman, 2017). Tikkinen et al. (2018) also mention that companies and organizations must ensure that there are channels of communication for informing third parties that process an individual's personal data once the request to be forgotten is made. Hence, companies ensure the individual's right to be forgotten by keeping track of documentation of the data within the company as well as keeping track of the data managed by third parties (Tikkinen et al. 2018).

2.1.8 Lawful Processing

In order for organizations and companies to be compliant with the regulation, they must first have a valid lawful basis for processing personal data. The ICO explains that there are six bases for lawful processing of personal data, which are explained in more detail below:

• Consent

• Contract

• Legal obligation

• Vital interest

• Public task

• Legitimate interest

Consent means that the data subject whose personal data is being processed has given clear consent for that particular processing. Contract means that the data subject is party to, or is about to enter into, a contract that requires the processing. Beyond contractual obligations, legal obligation means that the processing must comply with the laws relating to data processing to which the controller is subject (ICO, 2018). According to Article 6 § 1d of the GDPR, vital interest means that the processing is necessary in order to protect the vital interests of the data subject or another natural person.

The basis of public task is clarified by the ICO as personal data being processed as part of a task carried out in the public interest or in the exercise of official authority vested in the controller (General Data Protection Regulation Art.6., 2018). Furthermore, legitimate interest means that there is a legitimate interest in the processing of personal data on the part of the controller or a third party. However, this interest does not apply if it is overridden by the interests of the data subject or by the fundamental rights and freedoms of the data subject which require the protection of personal data (General Data Protection Regulation Art. 6., 2018).

The ICO explains that none of the bases for data processing mentioned above takes precedence over the others when it comes to the importance of applying them. One of the key components in the processing of personal data is to understand the necessity of it. The ICO explains that the processing of personal data must be more than just useful and standard practice; it must be a targeted and appropriate way of achieving a specific purpose (ICO, 2018). The six lawful bases will not apply if there are other ways of achieving the purpose by using less data or by other less intrusive means. Organizations and companies can no longer argue that processing is necessary because their business is built in a particular way. Instead, what matters is not whether the processing is part of the methods chosen by the organization or company, but whether the processing is objectively necessary for the stated purpose (ICO, 2018).

2.2 From Legal Requirements to Technical Solutions

The GDPR sets many demands on companies and organizations that store personal data. One of the key components of data privacy is data security. Apart from concerns about how data controllers and processors develop transparent and trustworthy relationships with data subjects, the GDPR incorporates information security into basic privacy (Heimes, 2016). However, earlier research on the subject rarely discusses how the regulation is implemented in companies in practice. One of the requirements put forward by the GDPR is that all systems within an organization or company, both old and new, are to be designed and developed in a manner that ensures that an individual's privacy is taken into account from the beginning (Blix et al., 2017). According to Martin and Kung (2018), engineers' and developers' usual skills include working with dataflow models, database structures and system architecture. Furthermore, Martin and Kung add that engineers and developers feel somewhat disoriented when it comes to interpreting the rules and demands of the GDPR on privacy and data protection and putting them into practice, thus meeting the proposed users' rights. Martin and Kung argue that if engineers and developers have followed principles and requirements within the skillsets mentioned above, the same approach should be applied when meeting the privacy and data protection requirements that the GDPR enforces (Martin & Kung, 2018). Below follow different tools and methods that can be used by organizations and companies while working towards GDPR compliance.

2.2.1 Pseudonymization of Data

Pseudonymized data is one of the definitions within the GDPR, and it means that personal data is processed in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (Datainspektionen, 2018a). In practice, pseudonymization means separating the elements of data corresponding to an individual that, once combined, can be used to identify that individual. These elements, considered personal identifiers, can be social security numbers, the date and time of a specific purchase or access to material, phone numbers and home addresses (Osterman Inc., 2017), as well as the online identifiers already mentioned. Billgren and Ekman (2017) found in their research that companies are willing to use pseudonymization as a method of encryption. However, Osterman explains that pseudonymization of data is not a failsafe approach under the data requirements of the GDPR, as the data can be re-identified. The safer approach would be to fully anonymize the data through both pseudonymization and encryption. Tankard (2016) believes that pseudonymization of data is to be trusted as a good method provided by the regulation, but companies and organizations must ensure that pseudonymized data is held separate from any additional information in clear form. Tankard adds that companies and organizations must also ensure that access controls are implemented to prevent unauthorized access when data is decrypted, and to control what users can do with that decrypted data based on their role in the company or organization (Tankard, 2016).
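As an added illustration (not from the thesis or any of the cited authors) of the separation Tankard describes, the following Python keeps the pseudonym-to-identity mapping in a separate vault object: the working dataset stays linkable per subject, only a vault holder can re-identify anyone, and dropping a subject's mapping also shows the erasure point from 2.1.7. The record layout, field names and the HMAC-based pseudonym are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (fictitious people), not data from the thesis.
# "ssn" and "email" are the elements that, combined, identify the individual.
RAW_RECORDS: List[Dict[str, object]] = [
    {"ssn": "800101-1234", "email": "anna@example.org", "item": "book", "amount": 120},
    {"ssn": "850505-5678", "email": "bo@example.org", "item": "pen", "amount": 15},
    {"ssn": "800101-1234", "email": "anna@example.org", "item": "lamp", "amount": 400},
]
IDENTIFIER_FIELDS = ("ssn", "email")
SUBJECT_KEY_FIELD = "ssn"  # the identifier whose keyed hash becomes the pseudonym


class PseudonymVault:
    """The 'additional information' of the GDPR definition: a secret key plus
    the pseudonym -> identifiers table. It lives in a separate store under its
    own access controls; the pseudonymized dataset never carries it."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._table: Dict[str, Dict[str, str]] = {}

    def pseudonym_for(self, identifiers: Dict[str, str]) -> str:
        # HMAC, not a plain hash: without the key nobody can recompute a
        # pseudonym from a guessed identifier, so the table is the only way back.
        mac = hmac.new(self._key, identifiers[SUBJECT_KEY_FIELD].encode(), hashlib.sha256)
        pseudonym = mac.hexdigest()[:32]
        self._table[pseudonym] = dict(identifiers)
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[Dict[str, str]]:
        """Re-identification is possible for whoever holds the vault, which is
        why pseudonymized data is still personal data, not anonymous data."""
        return self._table.get(pseudonym)

    def erase_subject(self, pseudonym: str) -> bool:
        """Right to erasure: dropping the mapping leaves that subject's records
        in the dataset unattributable. Returns False if nothing was stored."""
        return self._table.pop(pseudonym, None) is not None


def pseudonymize(records: List[Dict[str, object]], vault: PseudonymVault) -> List[Dict[str, object]]:
    """Split each record: identifiers go to the vault, a pseudonym plus the
    remaining fields go to the working dataset."""
    out = []
    for rec in records:
        identifiers = {f: str(rec[f]) for f in IDENTIFIER_FIELDS}
        rest = {k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}
        out.append({"subject_id": vault.pseudonym_for(identifiers), **rest})
    return out


def contains_identifiers(records: List[Dict[str, object]]) -> bool:
    """Release check: a dataset leaving the controlled environment must not
    carry any of the identifier fields in clear form."""
    return any(f in rec for rec in records for f in IDENTIFIER_FIELDS)


if __name__ == "__main__":
    vault = PseudonymVault()  # key generated here; in production it lives in a separate system
    dataset = pseudonymize(RAW_RECORDS, vault)
    print("identifiers left in dataset:", contains_identifiers(dataset))
    # Same subject -> same pseudonym, so analytics can still link her purchases.
    print("linkable:", dataset[0]["subject_id"] == dataset[2]["subject_id"])
    # The vault holder can re-identify; after erasure the same lookup yields None.
    sid = dataset[0]["subject_id"]
    print("with vault:", vault.reidentify(sid))
    vault.erase_subject(sid)
    print("after erasure:", vault.reidentify(sid))
```

Anyone who obtains both the dataset and the vault can re-identify every subject, which is Osterman's point: the value of the scheme rests entirely on the vault being stored and access-controlled separately.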

2.2.2 Privacy by Design

Privacy by design was adopted as an international privacy standard in 2010 (Cavoukian, 2012). Furthermore, Hildebrandt (2013) describes privacy by design as one of the hardest challenges of the GDPR that data controllers and processors were to face when the regulation was introduced. Privacy by design is all about how a company or organization strives to protect the personal data being stored, and its ability to detect data breaches and respond to them in a fast and controlled manner (Mansfield-Devine, 2016). Essentially, privacy by design is the idea that organizations and companies work proactively on implementing privacy aspects for all personal information stored within the organization or company (Cavoukian, 2012). The GDPR addresses this method for the first time as a legal obligation for data controllers and processors to follow, highlighting data minimization and the use of pseudonymization of data (ENISA, 2018).

What this means in practice is that these rules are taken into consideration already at the early stages when IT systems are developed and procedures are designed. By doing this, organizations and companies ensure that they are compliant with the GDPR and that their data subjects are protected (Datainspektionen, 2018b). According to Cavoukian et al. (2010), there are seven principles on which privacy by design relies, and should always rely, no matter the circumstances of implementation:

• Proactive not Reactive; Preventative not Remedial

Privacy by design is characterized by proactive rather than reactive measures. It anticipates privacy-invasive events before they happen, and prevents them before they happen. It aims to prevent privacy risks from occurring. Hence, privacy by design comes before the fact, not after.

• Privacy as the Default Setting

In IT system settings or in business practice, privacy by design is set to deliver the maximum degree of privacy by always ensuring users' privacy as a default setting. If an individual does nothing with their settings, their privacy is to be intact at all times. In conclusion, no action is required by the user to ensure their privacy; it is already built into the system by default.

• Privacy Embedded into Design

Privacy by design is embedded into the design and user interface of IT systems and business practices. It is not an add-on; hence privacy becomes an essential component of the core functionality being delivered. Thus, privacy is integrated into the system without diminishing functionality.

• Full Functionality – Positive-Sum, not Zero-Sum

Privacy by design seeks to accommodate all legitimate interests and objectives in a positive-sum, win-win manner, not through a dated, zero-sum approach where unnecessary trade-offs are made. Privacy by design avoids the pretence of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both.

• End-to-End Security – Full Lifecycle Protection

Privacy by design extends securely throughout the lifecycle of the data involved. It is essential that security is kept strong from start to finish, to ensure that data is retained in a secure manner and destroyed in a secure manner at the end of the lifecycle. Thus, privacy by design ensures a cradle-to-grave, end-to-end secure lifecycle.

• Visibility and Transparency – Keep it Open

Privacy by design seeks to assure all stakeholders that it is operating lawfully and does not intend to withhold any information concerning the business practice or technology involved. Its ambition is to remain transparent and visible to users and providers alike.

• Respect for User Privacy – Keep it User-Centric

privacy defaults, appropriate notice, user-friendly options; keep it user-centric. (Cavoukian, 2010)

Privacy by design has been openly embraced since the GDPR was introduced back in 2016, and is supported by the European Commission in order to foster data security (Martin & Kung, 2018). Apart from the seven principles mentioned by Cavoukian, Martin and Kung (2018) bring up the responsibility that developers and engineers carry while organizations and companies promote privacy by design as a technical aid in becoming GDPR-compliant. This is because the engineers and developers are ultimately responsible for creating the products (Martin & Kung, 2018).

2.2.3 Data Minimization and Storage Limitation

Under the GDPR, organizations are no longer allowed to store, process and manage personal data indefinitely without good reason for doing so (Billgren and Ekman, 2017). The GDPR states in Art. 5 § 1c that personal data are to be relevant and limited in relation to the usage and purpose for which they are processed (General Data Protection Regulation Art. 5, 2018). If agreements are made with data subjects, organizations and companies can maintain and process personal data for extended periods of time (Billgren and Ekman, 2017). Moreover, since the regulation was implemented, companies and organizations are faced with much stricter demands for data minimization than before. If the processing of personal data no longer serves its original purpose, it is unlawful (Billgren and Ekman, 2017). Essentially, the principle means that companies and organizations must limit personal data collection and assess their storage and data processing (Gruschka et al., 2018), thereby minimizing the risk that the data becomes excessive or out of date (ICO, 2018). The ICO (2018) further states that when organizations and companies comply with the GDPR by implementing data minimization and processing principles, this also reduces the risk of using personal data unlawfully or in error (ICO, 2018). Tankard (2016) believes that even though personal data is encrypted, it is never bad practice to minimize the amount of data collected. This also minimizes costs for storage and security, as it is inefficient for organizations and companies to hold more data than needed. Furthermore, minimization of personal data reduces the burden of protecting big datasets and most likely keeps organizations and companies from falling foul of requirements under the GDPR, since the data collected is only used for the purposes for which it was collected in the first place, and no other (Tankard, 2016).


2.2.4 Encryption of Data

There is a certain risk when organizations and companies process personal data, since cyber-attacks nowadays are almost unavoidable for larger companies. Therefore, risk management plays a big role in IT security, and organizations and companies can reduce the probability of data breaches, and thus the risk of sanctions, by encrypting personal data (General Data Protection Regulation, 2018). Furthermore, Tankard (2016) describes that if organizations and companies encrypt data and a data breach occurs, these organisations are not obligated to notify the data subjects. This is because the data, if correctly encrypted, is considered appropriately protected (Tankard, 2016). Tankard (2017) believes that encryption and key management are to be considered the cornerstone of any data security strategy for organizations and companies handling big data. Tankard and Osterman Inc. (2017) believe that pseudonymization has its flaws, and thus encryption should be the first choice for any organization and company working towards data protection and privacy. Tankard goes on to describe that encryption should be used for both structured* and unstructured* data, as the data can be stored in databases, spreadsheets, text documents, emails or other archives. Heimes (2016) mentions that the level of security that organizations and companies are subject to under the GDPR depends on available technology and cost (Heimes, 2016).

2.3 Ethical Dimension of Data Protection

Data protection laws are based on notions of ethics that underline the fundamental rights to privacy and data protection. With the rapid advancement of technology, big data processing, the connection between digital devices and the ever-increasing use of personal data, the threats to privacy and data protection are imminent (EDPS, 2018). The EDPS's main driver for dealing with ethics within data protection was human dignity. According to the EDPS, human dignity should be protected at all times while personal data is managed by organizations and companies (EDPS, 2018). Hijmans and Raab go into Recital 4 of the GDPR and clarify a general mention of an ethical aspect of the legislation: that the processing and management of personal data should be designed to serve mankind. Throughout its recitals and articles, the GDPR puts emphasis on respect for the data subject's fundamental rights and freedoms, as well as on the detailed rights of the data subject (Hijmans and Raab, 2018) (ICO, 2018).

Hijmans and Raab (2018) further explain that fairness is another key concept in the ethical aspects of the GDPR. The GDPR, as traditional data protection principles also underline, holds that personal data should be fairly and lawfully collected (Hijmans and Raab, 2018). There should also be a specific purpose for collecting the data in the first place; the data should not be excessive in relation to its main purpose; it should not be stored longer than needed; and it should be collected with the consent and knowledge of the individuals whose personal data is collected (European Commission, 2018a). Furthermore, Hijmans and Raab explain that the GDPR goes further into the realm of ethics by emphasising principles of transparency and accountability, which previously were not so prominent. These principles address both the ethical and the practical relationship between controllers and processors managing personal data (2018).

Under Article 57 of the GDPR, certain tasks are specified that supervisory authorities are to carry out. One of these tasks is to promote public awareness in relation to data processing and data protection. The public are to be informed about risks, rules, safeguards and rights in relation to data processing, as well as about controllers and processors and their obligations under the regulation (General Data Protection Regulation Art.57., 2018). Hijmans and Raab argue that there are practical reasons for supervisory authorities to inform the public about information processing and rights, but that there is also an ethical dimension to this. They argue that raising public awareness could contribute to shaping societal conditions and a so-called 'ecosystem' for data protection and privacy that would be much appreciated in the information age (Hijmans and Raab, 2018).

Moreover, data protection brings up further moral values such as human dignity and personal autonomy, which are also part of the ethical dimensions of the GDPR; in the legislation, ethical considerations play a significant role. As mentioned above, the GDPR, unlike former data protection laws, gives effect to the fundamental right to data protection. Hijmans and Raab (2018) clarify that these ethical aspects of the GDPR make it a long-term and future-proof piece of legislation.


3 Method

This chapter presents the scientific method used for the data collection in this thesis. The chosen research method is presented and argued for, as were the other methods that were left out during this research. The chapter describes the qualitative research that has been conducted, as well as the interview planning, the interview structure and the selection of respondents.

3.1 Interviews

The difference between quantitative and qualitative research methods is significant. While a quantitative research method is based on numerical data in larger proportions, a qualitative research method is based on non-numerical data. Qualitative research focuses on a smaller number of subjects, which gives much more depth to the data gathered. Thus, a qualitative method contributes a deeper understanding of the respondents' own experiences. The selection of interview subjects is therefore essential in order for the research to fulfil its purpose. The method seeks to apply open conversations between the investigator and the target group (Oates, 2006).

Interviews can be used when the research seeks to obtain detailed information by asking complex or open-ended questions. Interviews are also a method of gathering privileged information from the respondents, which they might not be willing to put on paper for a researcher they have not met before. Since this research is focused on gathering information about the experiences of developers and project managers within software developing organizations, a qualitative research method is reasonable for this type of data collection (Oates, 2006). Hence it is used in this study.

3.1.1 Interview Structure

In order to make research interviews successful, they must be well planned and certain skills must be applied. There are three types of interview structure that can be used when conducting research: structured interviews, semi-structured interviews and unstructured interviews (Oates, 2006). Each type of interview structure gives a certain perspective on the problem being investigated. In structured interviews, the researcher and the respondents do not have a social interaction in the sense that a discussion of the subject can be held. The respondents are given pre-determined and identical questions, which can generate supplementary questions from the respondent that the researcher can choose to respond to, but the answers given should be a


in full control of the interview (Oates, 2006).

Unstructured interviews, on the other hand, give the respondents more control of the interview and the researcher less. The researcher conducting the interview introduces the given topic to the respondents and lets them speak freely about it without trying to interrupt (Oates, 2006).

Both semi-structured and unstructured interviews allow the respondents to 'speak their mind' and are used as a form of broader discovery of a topic rather than control of a topic (Oates, 2006). Since this thesis aims to grasp a deeper understanding of the research questions, an open dialogue and discussion is a better approach; hence structured interviews and unstructured interviews were left out. To get both sides of the spectrum, the interviews for this thesis are semi-structured.

3.1.2 Preparation & Interview Guidance

The interview questionnaire was derived from the findings in the literature review, as the literature review serves as the foundation for the interviews (Billgren and Ekman, 2017). To prepare interviews, it is important to take into account the issue being brought up and, from that, create relevant questions based on the actual issue. Since the GDPR is such a broad subject, the interviews focus on how software developers, system developers and program developers within software developing organizations work in order to be compliant with the GDPR, rather than investigating the GDPR and its articles. Hence, the focus is directed towards the practical side of software developing organizations becoming GDPR compliant.

Before the interviews began, the respondent(s) were informed about the background of the research, why the interviews were being conducted and what the interview material was to be used for. Furthermore, a check was made regarding any questions the respondent(s) might have before the interview began. Further details on what was said before the interview can be found in 3.1.5 Ethics and Checking.

The interviews, as mentioned before, follow a semi-structured form and allow the respondents to talk freely and open-mindedly about the subject at hand. The questionnaire is made up of 17 questions, the majority of which are open questions. The direct 'yes or no' questions are followed by one or more open questions that allow the interviewee to go into detail about what that answer actually means. The respondents were given the questions beforehand in order to familiarize themselves with the subject.


To ease into the interview, the first questions are formed in a manner in which the respondent(s) would most likely be familiar with the question at hand and have well-formed views about it (Oates, 2006). The respondents were asked about their role in the company and how much experience they have in the industry in which they work. As mentioned, fairly easy questions were asked at the beginning of the interview since they do not require much effort from the respondents. Instead, these types of questions lead the way for the more complex questions that follow. After these questions, the questions relevant to the thesis were asked. The interview questions (Appendix 2) were phrased so that developers, project managers and IT managers could all respond to them, since the different answers from the different respondents share the same purpose in this research.

The main ambition and estimation of the interview duration, based on the context of the interview, was that the timeframe should not exceed 60 minutes. This information was given to the respondent/respondents when the first contact with them was made (Appendix 1). The interviews that were held with only one respondent did not exceed the estimated duration of the interview, nor did the interviews with more than one respondent. If the duration of the interview was shorter than what was first anticipated, the respondent/respondents were informed that all needed data had been gathered and asked if there was anything they would like to add.

3.1.3 Selection of Respondents

To get a wider perspective on the problem formulation of this thesis, six organizations of three different sizes, in terms of the number of employees, were selected. The six selected companies represent 2 small enterprises (S), 2 medium enterprises (M) and 2 large enterprises (L). In this research, the small enterprises represent companies with 1-100 employees, the medium enterprises represent companies with 100-1000 employees and the large enterprises represent companies with 1000 or more employees. To get good data whilst conducting research, selecting interviewees that have the right properties for the research being conducted is essential (Recker, 2013). For this research, it was important to find organizations and companies that handle personal data as a controller or as a processor and that also have experience with the GDPR relating to their work. Reaching out to companies was done through channels such as email, Skype or LinkedIn. The contact letter can be found under Appendix 1. Many of the companies were happy to have received the honour, but could unfortunately not take part in the research due to lack of time. Some organizations concluded that their experience with or knowledge of the GDPR was not sufficient for this research once they were shown the interview questions, which can be found in Appendix 2. The interviews were held at the respondents’ workplace, and one of the interviews was held through Skype. The respondents selected for this research have experience within branches such as IT consulting, software development, backend development and full stack development in relation to the GDPR.

Table 1.1: Respondents

Respondent   Company   Current Occupation
R1.1         A (M)     System Developer
R1.2         A (M)     System Developer
R2           B (S)     IT Head of Agency
R3           C (M)     IT Consultant and Software Developer
R4           D (S)     Software Developer
R5.1         E (L)     Sr. Business Development Manager
R5.2         E (L)     Master Architect/Software Developer
R5.3         E (L)     Privacy Program Manager
R5.4         E (L)     Sr. Engineer/Software Engineer
R6.1         F (L)     System Architect/Software Developer
R6.2         F (L)     IT Team Manager

3.1.4 Interview Analysis and Transcribing

The interviews were recorded through a mobile application or through a computer application, depending on the sound quality in the location where the interviews took place, and then the interviews were transcribed. Whilst transcribing the interviews, unnecessary comments, phrases, names or sounds in general were not transcribed, as they would not contribute to this research. Sentences that did not relate to the main purpose of the interview were also removed from the transcript, such as conversations about subjects other than the actual research subject or subjects not relating to the interview questions. This choice was made to make the transcripts easy to read, easy to understand and easy to follow for the reader, in order to give the reader a good reading experience. As seen in the table above, the names of the respondents, as well as the names of the organization or company they work for, have been left out and replaced by other characters. In the transcript, the different respondents and companies go by the identifiers shown in the table. Other companies or persons mentioned during the interviews are represented by the letter X. If more than one other person or company is mentioned, these are represented by the letters Y and Z.

After the transcription of the interviews, the respondents were given the chance to look at the data collected and correct anything that could misrepresent the intended meaning behind their words, or to further add to their previous statements if they wished. The data was then analysed by going through each and every question together with its corresponding answers from the different respondents of the different organizations. By doing this, it was easy to find similarities as well as differences between the respondents. Moreover, by going through the questions one by one, and listening to the recordings in the same fashion, it became apparent that different phrases or terms used by the respondents could differ in wording but have the same underlying meaning. Other technical terms or general terms that differed from each other were compared and analysed to get a wider perspective on the matter.

3.1.5 Ethics and Checking

Whilst conducting interviews, there are a few ethical aspects that need to be taken into consideration. Ethics are important to take into account when conducting research, as scientific findings have often been manipulated for personal gain or validity (Bhattacherjee, 2012). During the interview, it is essential that the respondent does not feel misled. Furthermore, the study and its purpose were completely transparent to the interviewees, in the sense that all of the respondents were made fully aware of how the data was going to be used in the research, how the interview was being recorded and how the interview would be transcribed (Oates, 2006). In order for the respondents to feel relaxed and safe during the interview, the interviews were held in a setting of the respondent’s choice in which they felt comfortable (Bhattacherjee, 2012). The interviews that were held took place at the respondent’s workplace in a location of their choice.

This allowed the respondents to make a conscious decision about actually taking part in the research, taking into consideration the risks of contributing to it and their own personal gain. Additionally, the respondents were given the choice to be completely anonymous in this research and were also made aware that, if they chose to do so, all information that could identify them or their company would be withdrawn from the data collected. This is because of the importance of confidentiality. Interviewees taking part in research should not normally be named in the research unless their name has significant meaning to the research (University of Glasgow, n.d.). For this study, the names of the respondents were insignificant.

Further ethical considerations for this research were to inform the interviewees that the procedures would be laid out in writing, and that the interviewees would be supplied with these so that they could check and approve them before publishing (University of Glasgow, n.d.). This then allowed the interviewees to confirm that the notes and transcript from the interview were correct and that what was transcribed from the interview was something they meant and stood behind (Oates, 2006).

3.2 Suitable Research Method

Experiments were not chosen as a research method for this study, as raw data collection and hypothesis testing are not intended for the selected problem formulation. Since there is no
