Glasgow University Leads Efforts on GDPR Compliance in Software Design
Researchers are seeking input from the developer community to deepen their understanding of how stakeholders in software development view, prioritise and work with privacy by design.
Researchers at the University of Glasgow’s School of Computing Science are developing new tools and techniques for software designers and developers to fulfil their obligations to GDPR – and are reaching out to the tech community for input on their research.
Dr Inah Omoronyia, who heads up the research, has been funded by the Innovate UK Cybersecurity Startup Accelerator Programme to potentially commercialise this area of research through a new spin-out company.
Dr Omoronyia’s area of research expertise is in privacy and software engineering. His work acknowledges the constraints and competing pressures in software design between functional requirements, resources, timescales, security, privacy and other parameters. With this project, he aims to enable developers to bake in privacy at the earliest stages of software design and give application owners the greatest opportunity to comply with privacy regulations in spirit and practice.
To progress his work, Dr Omoronyia is looking for input from the developer community via a short survey aimed at deepening the team’s understanding of how various stakeholders in software development view, prioritise and work with privacy by design.
Speaking about the project, Omoronyia said: “In an era where privacy regulatory compliance is key, organisations are keen to ensure that they mitigate their risks to violation by pushing software builders to consider privacy early during software design.
“The design phase offers the greatest value for incorporating privacy in software since issues discovered later in the software lifecycle become more difficult and expensive to fix. Products that are developed following this approach can leverage the Privacy-by-Design badge as a selling advantage. But these benefits can quickly be overshadowed by the burden it brings to the software designer and/or developer.”
Omoronyia added: “Software designers are not normally employed as privacy experts, yet they carry the ultimate responsibility of privacy-preserving design. Core in the designer’s mindset is how to translate functional requirements into engineering actions in a design.
“If privacy is considered at all, it is often later when the core designed decisions are already made. Our aim is to better-enable software designers to incorporate privacy at the earliest stages and reduce the burden on those team members to know, hold and work with privacy regulations in depth.”
Dr Omoronyia will be working alongside the ICO and NCSC as he develops his work. He has earned plaudits for insightful research in the domain of privacy techniques for software engineer.
As the project develops, the team will be investigating further how developers learn and work with Fair Information Practice Principles (FIPPs) as the basis for existing and emerging privacy and data protection laws (e.g GDPR and Data Protection Act).
As organisations in all sectors continue to grapple with the unknown on how GDPR regulations will be upheld and enforced in practice, the team will look to explore how organisations manage their responsibilities to privacy regulation through their development teams, leadership, audit, compliance and quality control functions.
Recognising that this is a high-stakes issue for CEOs across the world, Dr Omoronyia acknowledges that at the very least, the inappropriate consideration of privacy becomes a barrier to technology adoption; users trust in a brand becomes compromised and custom is lost. Add to that the risk of crippling regulatory fines and sanctions.
Dr Omoronyia explained: “One approach to this conundrum is to design the software in a win-win positive-sum manner where end users are not required to consider trade-offs.
“But this approach often takes time, requiring detailed consideration of the nature of inconsistencies and navigating the difficult path of comparing design alternatives. This is an expensive option which is often at odds with the realities of deadline-driven deployment cycles.”
As an expert in privacy, Dr Omoronyia has a keen appreciation of privacy regulations as they apply to software engineering but also acknowledges that these regulations are not created with software engineering in mind.
“I would not suggest that the manner in which existing regulations and laws are written helps abate the problem for the software designer. Often, they are written abstractly to cover a wider audience, making it difficult to measure disclosure risk in a more intuitive way,” he commented. “In other cases, they are formulated as slogans that offer useful explanations of the meaning of privacy, but are relatively quiet on expected systematic and analytic lines of action to achieve such privacy.”
Dr Omoronyia added: “The designer needs to ask substantive privacy questions to result in concrete engineering actions that comply with a regulatory requirement in the design. If regulations, principles and laws provide no guidelines on how such questions may be asked, designers may find themselves unable to translate privacy requirements of end-users into concrete and verifiable evidence technology.”
Speaking about his ambitions for a possible spin-out company, he stated: “Our aim is to empower software designers and developers when considering privacy in modern technology. We believe that it should be easy and straightforward for software builders to effectively demonstrate evidence that their products preserve privacy.”
Offering some further sources of information for those with a deeper interest in this topic, Dr Omoronyia recommends “you may want to have a read on Prof. Bashar Nuseibeh review of living with inconsistencies in software development for a deeper perspective of this problem, and Dr Ann Cavoukian case study of successfully applying privacy-by-design in a facial recognition system”.
Have your say – take the survey here.