Towards a Process-Based Approach to Compliance with GDPR

2021 
Since May 2018, private and public companies handling personal data must comply with the General Data Protection Regulation (GDPR). While many regulations are highly prescriptive in telling regulated entities and individuals what to do and how to do it, GDPR only sets out data protection principles that must be respected to protect the rights and freedoms of data subjects. Thus, complying with GDPR presupposes that companies handling personal data must prove that appropriate technical and organizational measures are defined and effectively implemented to protect the privacy of natural persons. This paper describes a privacy evaluation mechanism combining a generic process assessment framework (i.e. TIPA) with a GDPR-based process assessment model. It describes the experimentation project that made it possible to verify both the correctness and completeness of the GDPR Process Model and the utility of performing a privacy evaluation. Finally, the paper presents the benefits perceived by the Data Protection Officers of the companies where the process-based privacy evaluations were trialled.