A comparison of system description models for data protection by design.

Since the General Data Protection Regulation (GDPR) entered into force, every actor involved in the processing of personal data must comply with Data Protection by Design (DPbD). Doing so requires assessing the risks to data subjects' rights and freedoms and implementing appropriate countermeasures. While legal experts traditionally apply Data Protection Impact Assessments (DPIA), software engineers rely on threat modeling for their assessment. Despite significant differences, both approaches nonetheless revolve around (i) a description of the system and (ii) the identification, assessment and mitigation of specific risks. In practice, however, DPIAs and threat modeling are usually performed in complete isolation, following their own, unharmonized lexicon and abstractions. Such as disconnect lowers the quality of the assessment and of the conceptual and architectural trade-offs In this paper, we present (i) an overview of the legal and architectural modeling requirements and (ii) incentives and recommendations for aligning both modeling paradigms in order to support data protection by design from both a legal and a technical perspective.