6 Part 6: V-Modell Reference Activities
6.3 Activities
6.3.7 Requirements and Analyses
6.3.7.6 Preparing Data Protection Concept
Work Product:
Purpose
A data protection concept shall be prepared for a project if the project deals with personal data.
This activity is intended to prepare and update a project-related data protection concept. During the preparation and updating of the data protection concept, the contents of the concept shall be verified for correctness, consistency and completeness and be adapted as required.
During service use, the data protection concept shall be updated whenever provisions change or when technical modifications, extensions of functionality, construction measures, etc. occur.
The activity "Preparing Data Protection Concept" describes a planned approach for fulfilling data protection requirements. The measures required for covering the requirements will be specified in the data protection concept.
To achieve a high level of data protection, the following steps, among others, shall be executed when preparing the concept:
- Determining the legal foundations for handling personal data,
- describing the origin of personal data and the collecting method,
- providing a system survey focussing on system elements which process personal data,
- determining the protection requirements for personal data,
- identifying possible risks incurred when handling personal data,
- determining data protection requirements (legal, technical, organizational, personnel and material requirements) and determining measures for covering the requirements.
This includes, e.g., the following aspects:
- Describing the administration and handling of personal data on data carriers and servers,
- specifying the necessary controls,
- specifying the notification obligation,
- specifying release procedures,
- regulating possible job data processing.