Skip to main content

Research Repository

Advanced Search

Privacy, security, legal and technology acceptance elicited and consolidated requirements for a GDPR compliance platform

Tsohou, Aggeliki; Magkos, Emmanouil; Mouratidis, Haralambos; Chrysoloras, George; Piras, Luca; Pavlidis, Michalis; Debussche, Julien; Rotoloni, Marco; Gallego-Nicasio Crespo, Beatriz


Aggeliki Tsohou

Emmanouil Magkos

Haralambos Mouratidis

George Chrysoloras

Luca Piras

Michalis Pavlidis

Julien Debussche

Marco Rotoloni

Beatriz Gallego-Nicasio Crespo


Purpose– General data protection regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of data governance for supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform. Design/methodology/approach– The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors. Findings– The findings provide the process for the DEFeND platform requirements’elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements. Practical implications– The proposed software engineering methodology and data collection tools(i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry. Social implications– It is reported repeatedly that data controllers face difficulties in complying with theGDPR. The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR,thus, offering a significant boost toward the European personal data protection objectives. Originality/value– This is the first paper, according to the best of the authors’ knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives.


TSOHOU, A., MAGKOS, E., MOURATIDIS, H., CHRYSOLORAS, G., PIRAS, L., PAVLIDIS, M., DEBUSSCHE, J., ROTOLONI, M. and CRESPO, B. G.-N. 2020. Privacy, security, legal and technology acceptance elicited and consolidated requirements for a GDPR compliance platform. Information and computer security [online], 28(4), pages 531-553. Available from:

Journal Article Type Article
Acceptance Date Mar 15, 2020
Online Publication Date Apr 16, 2020
Publication Date Oct 31, 2020
Deposit Date Jan 18, 2021
Publicly Available Date Jan 18, 2021
Journal Information & Computer Security
Print ISSN 2056-4961
Electronic ISSN 2056-497X
Publisher Emerald
Peer Reviewed Peer Reviewed
Volume 28
Issue 4
Pages 531-553
Keywords GDPR; Compliance; Software requirements; Prioritisation
Public URL


You might also like

Downloadable Citations