Volltext-Downloads (blau) und Frontdoor-Views (grau)

Effective data protection by design through interdisciplinary research methods: The example of effective purpose specification by applying user-Centred UX-design methods

  • While the recent discussion on Art. 25 GDPR often considers the approach of data protection by design as an innovative idea, the notion of making data protection law more effective through requiring the data controller to implement the legal norms into the processing design is almost as old as the data protection debate. However, there is another, more recent shift in establishing the data protection by design approach through law, which is not yet understood to its fullest extent in the debate. Art. 25 GDPR requires the controller to not only implement the legal norms into the processing design but to do so in an effective manner. By explicitly declaring the effectiveness of the protection measures to be the legally required result, the legislator inevitably raises the question of which methods can be used to test and assure such efficacy. In our opinion, extending the legal compatibility assessment to the real effects of the required measures opens this approach to interdisciplinary methodologies. In this paper, we first summarise the current state of research on the methodology established in Art. 25 sect. 1 GDPR, and pinpoint some of the challenges of incorporating interdisciplinary research methodologies. On this premise, we present an empirical research methodology and first findings which offer one approach to answering the question on how to specify processing purposes effectively. Lastly, we discuss the implications of these findings for the legal interpretation of Art. 25 GDPR and related provisions, especially with respect to a more effective implementation of transparency and consent, and provide an outlook on possible next research steps.

Download full text files

Export metadata

Additional Services

Search Google Scholar

Statistics

Show usage statistics
Metadaten
Document Type:Article
Language:English
Author:Max von Grafenstein, Timo Jakobi, Gunnar Stevens
Parent Title (English):Computer Law & Security Review
Volume:46
Article Number:105722
Number of pages:22
ISSN:0267-3649
URN:urn:nbn:de:hbz:1044-opus-64094
DOI:https://doi.org/10.1016/j.clsr.2022.105722
Publisher:Elsevier
Publishing Institution:Hochschule Bonn-Rhein-Sieg
Date of first publication:2022/08/09
Copyright:© 2022 Max von Grafenstein, Timo Jakobi, Gunnar Stevens. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license.
Keywords:Data protection by design; Effective purpose specification; GDPR; HCI; UXD
Departments, institutes and facilities:Fachbereich Wirtschaftswissenschaften
Institut für Verbraucherinformatik (IVI)
Dewey Decimal Classification (DDC):0 Informatik, Informationswissenschaft, allgemeine Werke / 00 Informatik, Wissen, Systeme / 005 Computerprogrammierung, Programme, Daten
Entry in this database:2022/09/02
Licence (German):License LogoCreative Commons - CC BY-NC-ND - Namensnennung - Nicht kommerziell - Keine Bearbeitungen 4.0 International