{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T07:39:38Z","timestamp":1767339578940,"version":"3.41.2"},"reference-count":43,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2020,4,16]],"date-time":"2020-04-16T00:00:00Z","timestamp":1586995200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2020,4,16]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>General data protection regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects, it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders and calls for a software platform that can support their needs. The aim of the data governance for supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. 
In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The findings provide the process for the DEFeND platform requirements\u2019 elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>The proposed software engineering methodology and data collection tools (i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Social implications<\/jats:title>\n<jats:p>It is reported repeatedly that data controllers face difficulties in complying with the GDPR. 
The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR, thus, offering a significant boost toward the European personal data protection objectives.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This is the first paper, according to the best of the authors\u2019 knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-01-2020-0002","type":"journal-article","created":{"date-parts":[[2020,5,5]],"date-time":"2020-05-05T08:01:25Z","timestamp":1588665685000},"page":"531-553","source":"Crossref","is-referenced-by-count":18,"title":["Privacy, security, legal and technology acceptance elicited and consolidated requirements for a GDPR compliance platform"],"prefix":"10.1108","volume":"28","author":[{"given":"Aggeliki","family":"Tsohou","sequence":"first","affiliation":[]},{"given":"Emmanouil","family":"Magkos","sequence":"additional","affiliation":[]},{"given":"Haralambos","family":"Mouratidis","sequence":"additional","affiliation":[]},{"given":"George","family":"Chrysoloras","sequence":"additional","affiliation":[]},{"given":"Luca","family":"Piras","sequence":"additional","affiliation":[]},{"given":"Michalis","family":"Pavlidis","sequence":"additional","affiliation":[]},{"given":"Julien","family":"Debussche","sequence":"additional","affiliation":[]},{"given":"Marco","family":"Rotoloni","sequence":"additional","affiliation":[]},{"given":"Beatriz","family":"Gallego-Nicasio Crespo","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"3","key":"key2020100112345107900_ref001","doi-asserted-by":"crossref","first-page":"122","DOI":"10.1080\/01972243.2019.1583296","article-title":"Engineering privacy by design: are engineers ready to live up to the challenge?","volume":"35","year":"2019","journal-title":"The Information 
Society"},{"key":"key2020100112345107900_ref002","first-page":"3","article-title":"Privacy impact assessment: comparing methodologies with a focus on practicality","volume-title":"Nordic Conference on Secure IT Systems","year":"2019"},{"volume-title":"Four Steps to the Epiphany: Successful Strategies for Products That Win","year":"2007","key":"key2020100112345107900_ref003"},{"edition":"3rd ed.","volume-title":"Social Research Methods","year":"2008","key":"key2020100112345107900_ref004"},{"key":"key2020100112345107900_ref005","unstructured":"Cavoukian, A. (2011), \u201cPrivacy by design, the 7 foundational principles, implementation and mapping of fair information practices\u201d, available at: https:\/\/iab.org\/wp-content\/IAB-uploads\/2011\/03\/fred_carter.pdf"},{"journal-title":"European Union Agency for Network and Information Security (ENISA)","article-title":"Privacy and data protection by design \u2013 from policy to engineering","year":"2015","key":"key2020100112345107900_ref011a"},{"key":"key2020100112345107900_ref006","first-page":"179","article-title":"Effectiveness of requirements elicitation techniques: empirical results derived from a systematic review","volume-title":"14th IEEE International Requirements Engineering Conference (RE\u201906), IEEE","year":"2006"},{"issue":"1","key":"key2020100112345107900_ref007","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1007\/s00766-010-0115-7","article-title":"A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements","volume":"16","year":"2011","journal-title":"Requirements Engineering"},{"issue":"1","key":"key2020100112345107900_ref011b","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/s00766-009-0094-8","article-title":"Guest editorial: security requirements engineering: past, present and future","volume":"15","year":"2010","journal-title":"Requirements Engineering"},{"key":"key2020100112345107900_ref008","unstructured":"European Data 
Protection Board (2019), \u201cFirst overview on the implementation of the GDPR and the roles and means of the national supervisory authorities\u201d, available at: https:\/\/edpb.europa.eu\/sites\/edpb\/files\/files\/file1\/19_2019_edpb_written_report_to_libe_en.pdf"},{"key":"key2020100112345107900_ref009","first-page":"311","article-title":"Problem-based security requirements elicitation and refinement with pressure","volume-title":"International Conference on Software Technologies","year":"2014"},{"key":"key2020100112345107900_ref010","unstructured":"Gartner (2017), \u201cForecast analysis: information security, worldwide\u201d, 1Q17 Update, August 2017, available at: www.gartner.com\/en\/documents\/3889055"},{"first-page":"1","article-title":"GDPR compliance in cybersecurity software: a case study of DPIA in information sharing platform","year":"2019","key":"key2020100112345107900_ref011"},{"key":"key2020100112345107900_ref012","unstructured":"IAPP (2018), \u201c2018 Privacy tech vendor report v.2.4e\u201d, available at: https:\/\/iapp.org\/resources\/article\/2018-privacy-tech-vendor-report\/"},{"key":"key2020100112345107900_ref013","unstructured":"ISACA (2019), \u201cGDPR the end of the beginning\u201d, Information Systems Audit and Control Association, available at: www.isaca.org\/Knowledge-Center\/Documents\/2018-GDPR-Readiness-Survey-Report.pdf"},{"key":"key2020100112345107900_ref014","first-page":"179","article-title":"Effectiveness of requirements elicitation techniques: empirical results derived from a systematic review","volume-title":"14th IEEE International Requirements Engineering Conference (RE\u201906)(RE)","year":"2006"},{"issue":"7","key":"key2020100112345107900_ref015","doi-asserted-by":"crossref","first-page":"4341","DOI":"10.1016\/j.asoc.2010.10.012","article-title":"A soft computing approach for privacy requirements engineering: the PriS framework","volume":"11","year":"2011","journal-title":"Applied Soft 
Computing"},{"year":"2018","key":"key2020100112345107900_ref016","article-title":"Privacy by design to comply with GDPR: a review on third-party data processors"},{"issue":"1","key":"key2020100112345107900_ref017","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1080\/1097198X.2019.1569186","article-title":"The impact of GDPR on global technology development","volume":"22","year":"2019","journal-title":"Journal of Global Information Technology Management"},{"key":"key2020100112345107900_ref018","first-page":"543","article-title":"The cost of reading privacy policies","volume":"4","year":"2008","journal-title":"ISJLP"},{"issue":"4","key":"key2020100112345107900_ref019","doi-asserted-by":"crossref","first-page":"587","DOI":"10.1006\/ijhc.2001.0503","article-title":"Methods to support human-centred design","volume":"55","year":"2001","journal-title":"International Journal of Human-Computer Studies"},{"key":"key2020100112345107900_ref020","first-page":"108","article-title":"Methods and tools for GDPR compliance through privacy and data protection engineering","volume-title":"2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), IEEE","year":"2018"},{"issue":"2","key":"key2020100112345107900_ref021","doi-asserted-by":"crossref","first-page":"285","DOI":"10.1142\/S0218194007003240","article-title":"Secure Tropos: a security-oriented extension of the tropos methodology","volume":"17","year":"2007","journal-title":"International Journal of Software Engineering and Knowledge Engineering"},{"issue":"1","key":"key2020100112345107900_ref022","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1016\/j.infoandorg.2006.11.001","article-title":"The qualitative interview in is research: examining the craft","volume":"17","year":"2007","journal-title":"Information and Organization"},{"key":"key2020100112345107900_ref023","first-page":"151","article-title":"PRIPARE: integrating privacy best practices into a privacy engineering 
methodology","volume-title":"2015 IEEE Security and Privacy Workshop, IEEE","year":"2015"},{"key":"key2020100112345107900_ref027","unstructured":"Piras, L. (2018), \u201cAgon: a Gamification-Based framework for acceptance requirements\u201d, PhD dissertation, University of Trento."},{"article-title":"Acceptance requirements and their gamification solutions","volume-title":"24th IEEE International Requirements Engineering Conference (RE), IEEE","year":"2016","key":"key2020100112345107900_ref031"},{"article-title":"Goal models for acceptance requirements analysis and gamification design","volume-title":"36th International Conference on Conceptual Modeling (ER)","year":"2017","key":"key2020100112345107900_ref029"},{"article-title":"Gamification solutions for software acceptance: a comparative study of requirements engineering and organizational behavior techniques","volume-title":"11th IEEE International Conference on Research Challenges in Information Science (RCIS), IEEE","year":"2017","key":"key2020100112345107900_ref028"},{"article-title":"Design thinking and acceptance requirements for designing gamified software","volume-title":"13th IEEE International Conference on Research Challenges in Information Science (RCIS), IEEE","year":"2019","key":"key2020100112345107900_ref030"},{"article-title":"DEFeND architecture: a privacy by design platform for GDPR compliance","volume-title":"16th International Conference on Trust, Privacy and Security in Digital Business-TrustBus","year":"2019","key":"key2020100112345107900_ref026"},{"key":"key2020100112345107900_ref024","first-page":"95","article-title":"A CASE tool to support automated modelling and analysis of security requirements, based on secure tropos","volume-title":"International Conference on Advanced Information Systems Engineering","year":"2012"},{"key":"key2020100112345107900_ref025","first-page":"89","article-title":"SecTro: a CASE tool for modelling security in requirements engineering using secure 
tropos","volume-title":"CAiSE Forum","year":"2011"},{"issue":"1","key":"key2020100112345107900_ref032","article-title":"Forgetting personal data and revoking consent under the GDPR: challenges and proposed solutions","volume":"4","year":"2018","journal-title":"Journal of Cybersecurity"},{"key":"key2020100112345107900_ref033","first-page":"190","article-title":"Strategy and solution to comply with GDPR: guideline to comply major articles and save a penalty from non-compliance","volume-title":"2018 2nd International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud)(I-SMAC), IEEE","year":"2018"},{"key":"key2020100112345107900_ref034","unstructured":"Pulse Survey (2017), \u201cGDPR budgets top $10 million for 40% of surveyed companies\u201d, available at: www.pwc.com\/us\/en\/services\/consulting\/library\/general-data-protection-regulation-gdpr-budgets.html"},{"key":"key2020100112345107900_ref035","unstructured":"Thomson Reuters (2019), \u201cStudy finds organizations are not ready for GDPR compliance issues\u201d, available at: https:\/\/legal.thomsonreuters.com\/en\/insights\/articles\/study-finds-organizations-not-ready-gdpr-compliance-issues (accessed 5 April 2019)."},{"key":"key2020100112345107900_ref036","unstructured":"TrustArc (2018), GDPR Compliance Status. 
A comparison of US, UK and EU Companies, TrustArc, July 2018."},{"issue":"4","key":"key2020100112345107900_ref037","doi-asserted-by":"crossref","first-page":"434","DOI":"10.1016\/j.clsr.2017.03.027","article-title":"Enabling valid informed consent for location tracking through privacy awareness of users: a process theory","volume":"33","year":"2017","journal-title":"Computer Law and Security Review"},{"key":"key2020100112345107900_ref038","first-page":"1","article-title":"GDPR compliance in the design of the INFORM e-learning platform: a case study","volume-title":"2019 13th International Conference on Research Challenges in Information Science (RCIS)","year":"2019"},{"key":"key2020100112345107900_ref011c","unstructured":"WP29 Guidelines on Data Protection Impact Assessment (2017), \u201cGuidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is \u2018likely to result in a high risk\u2019 for the purposes of Regulation 2016\/679\u201d, available at: https:\/\/ec.europa.eu\/newsroom\/article29\/itemdetail.cfm?item_id=611236"},{"issue":"1","key":"key2020100112345107900_ref039","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1017\/S0269888905000299","article-title":"Methods and techniques for the evaluation of user-adaptive systems","volume":"20","year":"2005","journal-title":"The Knowledge Engineering Review"},{"article-title":"Privacy, security, legal and technology acceptance requirements for a GDPR compliance platform","volume-title":"3rd International Workshop on SECurity and Privacy Requirements Engineering (SECPRE 2019)","year":"2019","key":"key2020100112345107900_ref040"}],"container-title":["Information &amp; Computer 
Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2020-0002\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2020-0002\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:37Z","timestamp":1753406557000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/4\/531-553\/112412"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,4,16]]},"references-count":43,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,4,16]]}},"alternative-id":["10.1108\/ICS-01-2020-0002"],"URL":"https:\/\/doi.org\/10.1108\/ics-01-2020-0002","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"},{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2020,4,16]]}}}