Digitalizing Process Assessment Approach: An Illustration with GDPR Compliance Self-assessment for SMEs
Cortina S., Picard M., Renault S., Valoggia P.
Communications in Computer and Information Science, vol. 1891 CCIS, pp. 125-138, 2023
While many regulations are highly prescriptive in informing regulated entities of what to do and how to do it, this is not the case with the General Data Protection Regulation (GDPR), which simply requires data protection principles (Art. 5) to be respected to ensure compliance. This compliance regime implies a liability shift between the regulator and regulated entities, with the latter becoming “responsible for, and […] able to demonstrate compliance with data protection principles (‘accountability’)” (GDPR, Art. 5.2). It is then up to the regulated entities to demonstrate they have implemented the “appropriate technical and organisational measures to ensure […] that processing is performed in accordance with” this regulation (GDPR, Art. 24.1). In addition, regulated entities must demonstrate that these measures are “reviewed and updated where necessary”. Due to a lack of resources, small and medium-sized enterprises (SMEs) struggle to identify both privacy requirements and the technical and organizational measures needed to meet them. To support the compliance of SMEs with GDPR, a regulatory technology has been developed based on the digitalization of a GDPR capability assessment approach. The proposed regulatory technology goes beyond previous process assessment automation by also digitalizing the identification and collection of objective evidence. After introducing the main features of this regulatory technology, the paper presents the results of the conformity assessment of its assessment process, measurement framework and assessment model. The paper also discusses the challenges and opportunities offered by the automation of the ISO/IEC 330xx series assessment framework.
doi:10.1007/978-3-031-42310-9_9