Publication

Operationalization of privacy and security requirements for eHealth IoT applications in the context of GDPR and CSL

Book contribution - Book chapter Conference contribution

The Fourth Industrial Revolution imposes a number of unprecedented societal challenges, and these are increasingly being addressed through regulation. This, in turn, places the burden of adopting and implementing the different concepts and principles (such as privacy-by-design) on practitioners. However, these concepts and principles are formulated by legal experts in a way that does not allow their direct usage by software engineers and developers, and the practical implications are thus not always obvious or clear-cut. Furthermore, many complementary regulatory frameworks exist with which compliance should, in some cases, be reached simultaneously. In this paper, we address this generic problem by transforming the legal requirements imposed by the EU's General Data Protection Regulation (GDPR) and China's Cybersecurity Law (CSL) into technical requirements for an exemplar case study of a generic eHealth IoT system. The derived requirements result from an interdisciplinary collaboration between technical and legal experts and are representative of the types of trade-off decisions made in such a compliance process. By means of this exemplar case study, we propose a set of generic requirement-driven elements that can be applied to similar IoT-based architectures and thereby reduce the role of supervision from a legal point of view in the development of such architectures.
Book: Privacy Technologies and Policy
Pages: 143 - 160
ISBN: 978-3-030-55195-7
Year of publication: 2020
Accessibility: Open