Expert opinions on making GDPR usable (2308.08287v1)

Abstract: We present the results of a study done in order to validate concepts and methods that have been introduced in (Johansen and Fischer-Hubner, 2020. "Making GDPR Usable: A Model to Support Usability Evaluations of Privacy." in IFIP AICT 576, 275-291). We use as respondents in our interviews experts working across fields of relevance to these concepts, including law and data protection/privacy, certifications and standardization, and usability (as studied in the field of Human-Computer Interaction). We study the experts' opinions about four new concepts, namely: (i) a definition of Usable Privacy, (ii) 30 Usable Privacy Goals identified as excerpts from the GDPR (European General Data Protection Regulation), (iii) a set of 25 corresponding Usable Privacy Criteria together with their multiple measurable sub-criteria, and (iv) the Usable Privacy Cube model, which puts all these together with the EuroPriSe certification criteria, with the purpose of making explicit several aspects of certification processes such as orderings of criteria, interactions between these, different stakeholder perspectives, and context of use/processing. The expert opinions are varied, example-rich, and forward-looking, which gives a impressive list of open problems where the above four concepts can work as a foundation for further developments. We employed a critical qualitative research, using theory triangulation to analyze the data representing three groups of experts, categorized as 'certifications', 'law', and 'usability', coming both from industry and academia. The results of our analysis show agreement among the experts about the need for evaluations and measuring of usability of privacy in order to allow for exercising data subjects' rights and to evaluate the degree to which data controllers comply with the data protection principles.