Data protection by design: Organizational integration

Firms process the personal data of natural persons and are obliged to protect them under the applicable legislation. In the European Union, the General Data Protection Regulation (GDPR) obliges firms to be proactive in protecting the personal data they process, through data protection by design. In this research, a set of technical and organizational measures to include in processing, from the perspective of data protection by design, is determined from the definition of the processes in which data are processed. These activities are carried out by different profiles within the firm, which creates the need to develop a proper organizational integration amongst the participants, the activities performed by the different agents, the results they interchange and the common products they use.


Introduction
Companies use the data and information belonging to both the individuals and legal entities with whom they interact. As the owners of their personal data, individuals have a series of rights pertaining to how companies process said data, at different phases, from the collection of information and its processing to its deletion (Perera, Ranjan & Wang, 2015).
Harvard Deusto Business Research (ISSN: 2254-6235)
The management of personal data in relation to privacy requirements is critical for companies [...] creation of the information systems. The proposal is that businesses, from the very moment they create a business activity, must incorporate the appropriate privacy requirements that they will have to comply with in that particular business activity.

Data protection by design
The concept of privacy by design (PbD) is recognized as a philosophy that helps to improve the privacy of individuals (Poullet, 2010; Antignac & Le Métayer, 2014).
The term PbD was included among the proposals in the new Regulation (European Commission, 2012; European Parliament, 2014) and was replaced in the final version (European Parliament & Council of the European Union, 2016, Article 25) by the expression data protection by design.
PbD is a concept created at the turn of the century by the Canadian Ann Cavoukian, former Information and Privacy Commissioner of Ontario. Her initial goal was to preserve privacy by implementing measures that integrate the fundamental aspects of data protection within the technological system used for information processing. This focus was later expanded (Cavoukian, 2012) to three areas of application: business practices (organizations), technology and physical design (infrastructures).
Since PbD was included in the GDPR, many statements have been made in favor of this philosophy. ICO (2017) states: "The basis of the privacy by design approach is that if a privacy risk with a particular project is identified, this can be an opportunity to find creative technical solutions that can deliver the real benefits of the project while protecting privacy." ICDPPC (2016) indicated the importance of PbD: "Not only engineers, but also researchers need to start considering privacy engineering principles like privacy by default and privacy by design in new research, products and services." However, works such as that by Colesky, Hoepman and Hillen (2016) indicate that, in and of itself, PbD lacks the specific tools to aid software developers in designing and implementing privacy-friendly systems, and that there are also no clear guidelines on how to map the specific legal data protection requirements to system requirements. Some authors, such as Bygrave (2017), believe that PbD as framed in the GDPR has a number of deficiencies, particularly the lack of clarity on the parameters and methodologies to be applied to reach its objectives, the lack of clear, direct communication with those who are engaged in information systems engineering, and the lack of the incentives necessary to stimulate privacy-related interests.
In recent years, privacy by design has gained recognition, acceptance and notoriety. Companies, in order to comply with the PbD obligation, must use methods, techniques and tools that make it possible to apply it with a certain degree of order.

Almost from its origins, the practice of privacy by design has been analyzed from the perspective of risk management (Cavoukian, 2010; CNIL, 2012; ITU-T Technology Watch, 2012; ICO, 2013). This implies analyzing the threats to privacy, the likelihood that they will occur (vulnerability) and the impact that would result, calculating the risk and thus establishing the necessary measures (security, organizational, etc.) that reduce, assume or transfer that risk.
Although the concept of PbD has acquired great importance in recent times, as indicated by Luna et al. (2012), the methods, techniques and tools that must accompany it have not kept pace, something which is also pointed out by Rachamadugu and Anderson (2008) and FTC (2010).
The potential benefits of applying PbD have been recognized both by privacy regulators (European Parliament & Council of the European Union, 2016) and by data protection authorities (ICDPPC, 2010), although, as stressed by Notario, Crespo, Martin, Del Alamo, Le Métayer, Antignac, Kung, Kroener and Wright (2015), it is complicated to implement, due to the lack of maturity of this discipline in its practical application.

Privacy by design through the definition of processes
Privacy from the perspective of business process management has received little attention in research, and there is a gap in the current literature, as no studies are found in relation to methodologies to integrate privacy into business processes (Majdalawieh, 2013; Rachamadugu & Anderson, 2008; FTC, 2010). PbD is in and of itself a process that is closely linked to process design (Kroener & Wright, 2014).
This work studies data protection with a focus on PbD, as required by the European regulation on data protection (European Parliament & Council of the European Union, 2016), but starting with process management, injecting privacy so that the process originates with it already built in. Table 1 shows a diagram of the concepts involved and their relationship to one another.

The integration of privacy in the process definition and from an organizational perspective is a different approach from other studies, as the closest would be those studies that are focused on linking privacy with the development of information systems.
The aspects to consider when integrating data protection into process definition are defined below.

Process definition
For process definition, it is suggested to use structuring in phases, activities and tasks according to MÉTRICA (2000), as well as its global orientation in terms of products, techniques and participants. We must bear in mind that it is a product-oriented methodology; in other words, it is used in the development of an information system, which bears some similarity to process development. Both must be defined and clarified, with the collaboration of users and the involvement of certain profiles that employ a range of techniques and tools.
The objective of this activity is to obtain a detailed specification of the defined process that meets the information needs of users and will serve as a basis for further development in information systems.
The initial description of the process to be defined is created based on the products generated in the global process planning. The scope of the process is established, the general requirements are designed and the process is described with the initial high-level models.
The users who will define the process are also established, delimiting their responsibilities, profiles and dedication. In addition, the planning of the following tasks is carried out.
In the definition of new process requirements, a detailed catalog of requirements is also created that makes it possible to precisely describe the process and also serves as the basis for checking the completeness of the specification of the models that are being obtained throughout the activity.
Work sessions are conducted with the aim of gathering the information needed to obtain the detailed specification of the new process. In the work sessions, it is a good idea to use the use case technique to establish the requirements. This technique facilitates communication between process analysts and users. The functions that the process will provide are then described, along with the restrictions that must be considered in terms of processing frequency, security, privacy and access control, performance, etc. This set of information is incorporated into the requirements catalog.
During the next activity, the process is divided into analytic subprocesses to obtain the detailed specification of the different models and the monitoring of requirements.

Data protection
In this activity, the aim is to study the privacy of an environment in five stages, which are consecutive and based on the structure of the MAGERIT methodology for risk analysis and management (2012).

The stages are the following:
• Stage 1. Organization of the work, establishing the necessary considerations for starting the project to ensure privacy. The opportunity of implementing it is studied, the objectives that must be met are defined and its scope is determined, planning the material and human means for its performance and making it possible for the project to be launched.
• Stage 2. Analysis of the personal information processed, which makes it possible to identify and assess the personal data processed, obtain an assessment of the shortcomings in the protection of said data and estimate the need for a more in-depth study with a risk analysis.
• Stage 3A. Management of privacy requirements, which allows the possible requirements to be configured that must be met in order to eliminate the shortcomings detected in the previous stage, always in fulfillment of the objectives stated in the first stage. This stage is performed when it is not necessary to carry out a risk analysis regarding privacy.
• Stage 3B. Evaluation of the impacts on privacy, which constitutes a risk analysis and management and therefore entails the typical risk components: it identifies and evaluates the assets, threats, vulnerabilities, impacts and thresholds pertaining to the risks. This is done when the study setting has some very specific characteristics.
• Stage 4. Selection of safeguard mechanisms to deploy, developing an orientation for the deployment plan for the selected mechanisms, establishing the means for monitoring the deployment, collecting work reports on the process to ensure privacy, obtaining the final project documents and presenting the results in the organization.
According to the perceived intensity of the risks to privacy, the user of the method will have to choose between following Stage 3A or Stage 3B. The latter (Stage 3B) is aimed at high-risk environments for privacy and is the study referred to as a Privacy Impact Assessment (PIA).

Integration of both
The integration of data protection in the definition of business processes makes it possible to obtain appropriate privacy requirements during the definition of the business processes.
This proposal is based on the integration of some of the products obtained in the data protection activities with some of the products obtained in the process definition, so that the process is defined with privacy already built in. As indicated in ICO (2013), it is a matter of searching for open doors that allow information to be exchanged from one method to another, providing a synergy between the two. Various methods in other areas related to information processing are integrated into one another, as can be seen in Hanouz (1993), Baskerville (1993), MÉTRICA (2000), GISSIP (2006), ENISA (2008), MAGERIT (2012) and ICO (2013).
The integration proposal seeks to incorporate the contribution made by users to the privacy requirements and design options via the modeling of processes, with the use of collaborative workflow tools and conceptual modeling and expression languages that are flexible enough to represent and formalize said requirements, providing mutual understanding between the user, the legal side, the technical side and the government regulators involved.
The objective of the proposed integration is to assist process specialists in incorporating the user requirements and organizational requirements in terms of privacy and data protection. The integration of data protection in the definition of processes implies protecting data from the very beginning (i.e., the PbD philosophy) in the definition of processes, and doing so in a way that is coherent, iterative, systematic and assessable. The processes will be more reliable by taking privacy needs into consideration from the start, since later in their development, technological solutions will materialize the models designed with built-in privacy.
The recipients of this method of integration are both business analysts and privacy analysts, since it will serve as a reference guide to both for the exchange of information in their respective specialties.
The data protection activities define a cycle of privacy analysis and management along two complementary lines:
• Integrating it into the proposed life cycle in the early stages of BPM methodologies, for the management of business processes, thus permitting the definition of several models of privacy in the processes, according to their level of abstraction.
• Establishing the activities to be carried out to obtain the corresponding evaluations and privacy requirements for each of these models. The corresponding interfaces with the phases, activities, tasks and techniques involved in the process definition are created.
With the data protection activities, the privacy safeguards are specified for each process, incorporating them as quality assurance processes into the specification, in order to complete it and to be able to contrast it with the users, based on their roles, prototypes and functional definitions.
Figure 2 shows the details of the integration.

Integration of products
The products obtained in both types of tasks will be documentary in nature and, due to their different objectives, they will have little in common. The subject matter, methods and techniques used to obtain the products will barely coincide, due to the fact that they are applied in very different areas within the companies.
The activities involved in defining processes are oriented towards how to obtain the products and services provided by the company, whereas the data protection activities seek to ensure the privacy of those involved in these products and services.
Those professionals who perform and/or use products of process definition or data protection activities must know and understand very well the products of both, as integrating the products of one into the other is complex.
The activities of process definition include a hierarchy, with a structure to obtain different products throughout the order in which they are performed. The products obtained in the data protection activities must be incorporated into this structure. The products generated by data protection activities (lists of recommended measures and management reports) will be introduced under the name of "data protection products." These products of data protection activities will generate some requirements that will affect other process definition products. Mylopoulos, Chung and Nixon (1992) already distinguished between the functional requirements (what the system does) and the non-functional requirements (those referring to restrictions, conditions, quality and others). The privacy requirements belong to the latter category.
The requirements generated by the data protection activities will be added to the requirements catalog generated in the process definition, and later adapted in the process development phases. A complete specification of the requirements at all levels is key for the correct development of the process.
There are two products that are the most important products of a data protection review:
1. The data protection management report.
2. The recommended protective measures (requirements) and the mechanisms to meet the requirements.
These products need to be interpreted and analyzed by the process definition team. The following key factors must be considered:
• The data protection analysts must discuss the requirements with the professionals defining the processes to create a list of new privacy-related proposals.
• The different types of protective measures should be incorporated in the detailed definition of the process phase.

Integration of participants
As Hitpass (2012) points out, the process definition activities are carried out by the process analyst with the collaboration of the process manager and the process participants (user, business executive). The data protection activities will be performed by the data protection analyst, in collaboration with the process manager and the process participants (user, business executive). Both teams will work in parallel, with the process definition team doing most of the work. Therefore, a careful plan is required to integrate the data protection activities with the process definition activities.
Once the product to be obtained with the process definition has been established, it is important to hold a series of management meetings to discuss the results of each data protection review. The number of meetings, their field of action and their frequency will depend on the scope of the project.
The integration for business process analysts has the following objectives:
• Ensuring an adequate understanding of the process definition method from the perspective of privacy in the processes being defined.
• Providing a sufficient basis to prepare for the integration.
• Collaborating in establishing the optimal conditions to protect privacy in the newly defined processes.
In the process definition environment, the data protection analyst is faced with the challenge that much of the required information is merely theoretical, and quite vague.

Integration of activities
When integrating data protection within a process definition project, it is important to plan the activities required by both types of work at the same time to prevent unnecessary delays. It is therefore necessary to hold a series of meetings and interviews with the process definition project team and the data protection analysts at the start of the project to establish the basis for later development. It is very important to schedule all the work that is to be done by the data protection team in conjunction with the planning carried out by the process definition team. Furthermore, whenever data protection reviews are carried out, the process definition team will need fast results.
Both the process definition professionals and those reviewing the data protection need to conduct interviews with the profiles representing the process manager and the participants in the process. For the process definition professionals, these interviews are important to determine the business requirements needed to define the processes. For those reviewing data protection, on the other hand, these interviews are important to establish the processing of personal data and their sensitivity, as well as the evaluations of the threats and vulnerabilities related to privacy. Both types of interviews must be performed simultaneously to ensure the smooth running of the project and prevent wasted time by the users.
To summarize, the planning and preparation for these interviews must be a key point on which both the data protection reviewers and the process definition team work together.

Conclusion
Data protection by design, as a new mandate of the GDPR, involves establishing the technical and organizational measures as soon as possible in the cycle in order to respect the rights of individuals when companies process their data. This paper proposes that the establishment of these privacy requirements be studied as soon as the processes that will process these data are proposed. In this way, by defining these processes with their functional requirements, the data protection requirements will be incorporated in such a way that they are described and implemented with the most appropriate mechanisms in later phases.

Table 1 Concepts and their interrelation

Table 2 Integration of data protection into process definition