Refinement of the General Data Protection Regulation (GDPR) Model: Administrative Fines Perspective

Kaspar Kala
To meet the requirements of the General Data Protection Regulation (2016/679/EU; hereinafter GDPR), organizations need a framework for assessing the compliance of their business processes. For this purpose, a Data Protection Observation Engine (hereinafter DPOE), a software tool that enables semi-automatic GDPR compliance checks of business processes, has been created by researchers at the Institute of Computer Science of the University of Tartu. Current research on the DPOE has produced a conceptual model covering general GDPR requirements in a UML format, describing the key entities, artefacts and the relationships between them (hereinafter DPOE Model). The DPOE Model, however, requires validation in terms of legal completeness (i.e. GDPR coverage). The thesis adds to the existing research by legally validating the DPOE Model from the perspective of Articles 83(4) and 83(5) of the GDPR concerning administrative fines. These articles describe key GDPR requirements whose infringement brings about fines of up to 20,000,000 EUR. Thus, these are the requirements every organization must treat with special attention in order to be compliant with the GDPR. This validation also enables the prime users of the DPOE, the data protection officers, to trust the results generated by the DPOE, as they know that the potential non-compliance issues raised are of key importance. This in turn ensures the integrity of the output of the DPOE. As such, the basis for comparing the current version of the DPOE Model to the refined DPOE Model in terms of legal completeness (i.e. GDPR article coverage) is created. In order to measure how legal completeness has in fact improved, the results generated by the refined DPOE Model are compared to the results generated by the current version of the DPOE Model on an actual business process (the ÕIS2 login process). As a result of the validation and the comparison of the current version of the Model to the refined Model, the maturity of the Model is enhanced.
Graduation Thesis language
Graduation Thesis type
Master - Conversion Master in IT
Raimundas Matulevičius, Jake Tom
Defence year