Data Privacy Compliance
GDPR Assessment Tool for Higher Education Institutions in Switzerland
The contribution of this study is a development of a prototype for a GDPR assessment tool that can be used in any education institution, HEI, in Switzerland to give an estimation, represented of a total score, of compliance with GDPR. Moreover, this estimation can also be used to reflect the readiness of the organization to the new Swiss data protection act that will be introduced in 2019.
Habbabeh, Ali, 2018
Type of Thesis Bachelor Thesis
Client Institute for Information Systems, HSW FHNW
Supervisor Asprion, Petra
Views: 37 - Downloads: 9
Most of the Swiss universities have students and employees from the EU. Therefore, they are under the scope of GDPR, a data privacy act that was introduced in March 2018. Therefore, every Higher education institution in Switzerland, must take steps into the journy of compliance with GDPR, which will also help them in preparing for the new Federal Swiss data privacy act that will take place in 2019.
Up till now, there is no tool that allows universities in Switzerland to check their GDPR compliance. Therefore, this study aims to cover that gap.
The study aimed at answering the following research questions:
RQ1: What is Data Privacy Compliance, and what are its requirements in Switzerland?
To answer this research question, a systematic literature analysis was conducted using predefined keywords.
RQ2: What are the requirements for an assessment tool for HEI?
a. RQ2.1: What GDPR assessment tools already exist?
b. RQ2.2: Which components of existing tools that could be
utilized in creating a GDPR assessment tool for HEI?
To answer the second research questions, and its subparts, new keywords were generated related to the topic. The requirements for an assessment tool was found to be a full coverage of the GDPR principles which was used later to divide the assessments into different parts according to these principles.
Dedicated to research question 2.1, four existing tools were chosen to be examined due to their popularity and reputability: ISACA assessment tool, DPC, IBM Framework, and EUGDOR Academy tool. To answer research question 2.2, the tools were investigated and extracted the useful parts of each one to the purpose of this study. Later, the parts extracted were adapted to fit an assessment tool that targets HEIs in Switzerland.
The study resulted in a first prototype for the intended tool:
The first prototype consists of the following parts:
.* An Excel sheet that contains all the questions of the assessment tool numbered and color-coded.
. *A document that contains all the modeled assessment of the two stages of the tool which is used to guide the order of the assessment and intended when developed. Each model is numbered and color-coded in correspondence to the previously mentioned excel sheet.
. *An Awareness video and promotional cover page which help to spread awareness about the tool and GDPR, internally or externally.
>>>The prototype was tested and evaluated by compliance, GDPR and modelling experts who concluded that the prototype is useful and could be utilized by data privacy personnel to fulfil its purpose which is to assist any DPO in measuring an own HEI compliance with GDPR.
Studyprogram: Business Information Technology (Bachelor)
Keywords GDPR, GDPR for Switzerland, Data Privacy, GDPR for nonprofit, Assessment tool, GDPR impact
Confidentiality: öffentlich