Effective data protection by design through interdisciplinary research methods: The example of effective purpose specification by applying user-centred UX-design methods
While the recent discussion on Art. 25 GDPR often considers the approach of data protection by design as an innovative idea, the notion of making data protection law more effective through requiring the data controller to implement the legal norms into the processing design is almost as old as the data protection debate. However, there is another, more recent shift in establishing the data protection by design approach through law, which is not yet understood to its fullest extent in the debate. Art. 25 GDPR requires the controller to not only implement the legal norms into the processing design but to do so in an effective manner. By explicitly declaring the effectiveness of the protection measures to be the legally required result, the legislator inevitably raises the question of which methods can be used to test and assure such efficacy. In our opinion, extending the legal compatibility assessment to the real effects of the required measures opens this approach to interdisciplinary methodologies. In this paper, we first summarise the current state of research on the methodology established in Art. 25 sect. 1 GDPR, and pinpoint some of the challenges of incorporating interdisciplinary research methodologies. On this premise, we present an empirical research methodology and first findings which offer one approach to answering the question on how to specify processing purposes effectively. Lastly, we discuss the implications of these findings for the legal interpretation of Art. 25 GDPR and related provisions, especially with respect to a more effective implementation of transparency and consent, and provide an outlook on possible next research steps.
Document Type: | Article |
---|---|
Language: | English |
Author: | Max von Grafenstein, Timo Jakobi, Gunnar Stevens |
Parent Title (English): | Computer Law & Security Review |
Volume: | 46 |
Article Number: | 105722 |
Number of pages: | 22 |
ISSN: | 0267-3649 |
URN: | urn:nbn:de:hbz:1044-opus-64094 |
DOI: | https://doi.org/10.1016/j.clsr.2022.105722 |
Publisher: | Elsevier |
Publishing Institution: | Hochschule Bonn-Rhein-Sieg |
Date of first publication: | 2022/08/09 |
Copyright: | © 2022 Max von Grafenstein, Timo Jakobi, Gunnar Stevens. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license. |
Keywords: | Data protection by design; Effective purpose specification; GDPR; HCI; UXD |
Departments, institutes and facilities: | Fachbereich Wirtschaftswissenschaften; Institut für Verbraucherinformatik (IVI) |
Dewey Decimal Classification (DDC): | 0 Computer science, information, general works / 00 Computer science, knowledge, systems / 005 Computer programming, programs, data |
Entry in this database: | 2022/09/02 |
Licence: | Creative Commons - CC BY-NC-ND - Attribution - NonCommercial - NoDerivatives 4.0 International |