Integrating Data Protection into the Software Life Cycle

Abstract

Data protection has become increasingly important in recent years, partly due to the EU General Data Protection Regulation (GDPR) and similar legislations in other countries, but also because of various privacy scandals which led to bad press for the affected companies. Since most of the processing of the relevant personal data is performed by software, data protection needs to be addressed in the development of software. This paper therefore investigates how to incorporate data protection in the software life cycle. Based on a simple default life cycle model, the main questions to ask and issues to address in the various phases are summarized. These questions and issues are independent of the exact life cycle model used, whether plan-driven, agile or some hybrid, and can therefore easily be mapped to some other model. Not surprisingly, data protection mainly affects the analysis and design of software systems (“privacy by design”) when the data to be processed and stored as well as the form of processing and the protection mechanisms to be used are defined. Nevertheless, to some extent the entire life cycle down to withdrawal is affected.