General Data Protection Regulation - Requirement Analysis of Customer Personal Data: Case Study
Permanent address of the item is
Multiple companies in EU have their core business running around digital information holding data about individual people. A new GDPR – general data protection regulation aims to harmonize data protection laws in the EU giving individuals a better understanding and control of their personal data. This master thesis is a GDPR case study which investigates customer data change requirements in a company’s IT systems. The research investigated what GDPR regulation is and what is required to consent the regulation. As the case business utilizes an agile development philosophy in their software development, agile requirement engineering was researched to support the requirements analysis. By combining GDPR literature, agile requirements engineering, and case company’s requirements with a deductive qualitative research approach a conceptual model for GDPR customer data requirements was made to support the case study. The case study proceeded from general GDPR approach and semi-structured interviews to an analysis where the most critical IT systems and the then most critical change requirements were detected. The final elicited implementation descriptions including two IT systems were written in a form which the SCRUM team developers can understand, implement and create test cases for the requirements. The case study also researched the empirical effects of GDPR on the business. The final implementation descriptions included four features for two different systems. The entity system of portal, mobile and warehouse UI required a GDPR consent. Furthermore, portal and mobile being web-based services a requirement for cookie statement was identified. The last two requirements were related to access rights. The service support tool required a group limitation feature ensuring that only relevant personnel can access the customer warehouse data. Lastly, the entity of systems required a mandatory password change improving data security.