Helping Software Architects Familiarize with the General Data Protection Regulation

Cited by: 5
Authors
Colesky, Michael [1]
Demetzou, Katerina [1]
Fritsch, Lothar [2]
Herold, Sebastian [2]
Affiliations
[1] Radboud Univ Nijmegen, Nijmegen, Netherlands
[2] Karlstad Univ, Karlstad, Sweden
Source
2019 IEEE INTERNATIONAL CONFERENCE ON SOFTWARE ARCHITECTURE COMPANION (ICSA-C 2019) | 2019
Keywords
software architecture; data privacy; decision support systems; design decisions;
DOI
10.1109/ICSA-C.2019.00046
Chinese Library Classification number
TP3 [Computing technology, computer technology];
Discipline classification code
0812;
Abstract
The General Data Protection Regulation (GDPR) impacts any information systems that process personal data in or from the European Union. Yet its enforcement is still recent. Organizations under its effect are slow to adopt its principles. One particular difficulty is the low familiarity with the regulation among software architects and designers. The difficulty to interpret the content of the legal regulation at a technical level adds to that. This results in problems in understanding the impact and consequences that the regulation may have in detail for a particular system or project context. In this paper we present some early work and emerging results related to supporting software architects in this situation. Specifically, we target those who need to understand how the GDPR might impact their design decisions. In the spirit of architectural tactics and patterns, we systematically identified and categorized 155 forces in the regulation. These results form the conceptual base for a first prototypical tool. It enables software architects to identify the relevant forces by guiding them through an online questionnaire. This leads them to relevant fragments of the GDPR and potentially relevant privacy patterns. We argue that this approach may help software professionals, in particular architects, familiarize with the GDPR and outline potential paths for evaluation.
Pages: 226-229
Number of pages: 4