Exploring Stakeholders’ Practical Needs for GDPR Compliance
Ana Ferreira (a), Pedro Vieira-Marques (b) and Rute Almeida (c)
RISE-Health, Department of Community Medicine, Information and Health Decision Sciences,
Faculty of Medicine, University of Porto, Porto, Portugal
Keywords: GDPR Compliance, Privacy by Design, User Centered Research.
Abstract: In a time when various regulations and directives are enforced within the European cyberspace regarding
cybersecurity and data protection, General Data Protection Regulation (GDPR) requirements are still far from
being completely understood and integrated into the practice of processing individuals’ personal and sensitive
data. Having clear directions on what is needed to protect the privacy of personal data is essential, but
even more so is the availability of tools and mechanisms that can provide easy, structured and, hopefully, more
automated ways to implement those requirements in practice. After more than six years of GDPR enforcement,
how aware, knowledgeable and prepared are people to comply with GDPR in their daily practice? Moreover,
what still needs to be done to improve this process? This work presents the results of a survey aimed at collecting
the perceptions, preferences and needs regarding interactive and assistive tools, together with their content, to
support GDPR compliance in practice. Participants (n=62) from varied backgrounds and experiences agreed
that such tools are much needed and can have a beneficial impact in terms of Privacy, Knowledge, Efficiency
and Productivity, but also in terms of Safety. Results also show that stakeholders who frequently need to
perform personal data processing often do not have the knowledge, experience or required support to
put compliance procedures into practice within their context. Our study contributes to understanding
what content and functionalities a GDPR compliance tool must include to support those stakeholders.
1 INTRODUCTION
As with any legislation, the European General Data
Protection Regulation (GDPR) (GDPR, 2016) is
made to be generic. This may hinder the integration
of its requirements in different domains (Quinn and
Quinn, 2018; Cool, 2019), as it provides little or no
technical guidance to the entities that are obliged to
implement it. This approach aims to be impartial but
may cause unforeseen complications when
organizations attempt to adapt their processes to
GDPR (Politou et al., 2018).
In a 2020 literature review (Ferreira, 2020), two
years after GDPR enforcement, most proposed
guidelines and proof of concepts in the literature were
not tested or used in real settings.
Four more years have elapsed, and works focusing
on understanding end users’ needs, challenges and
preferences regarding practical GDPR compliance or
identifying available, adapted and interactive tools
that can support them with those challenges, are few.
(a) https://orcid.org/0000-0002-0953-9411
(b) https://orcid.org/0000-0001-7755-5002
(c) https://orcid.org/0000-0003-4174-2820
In a search query on the SCOPUS indexing
database with the following terms: TITLE-ABS-KEY
(survey AND gdpr AND compliance), on
5/12/2024, 58 results were retrieved. From the
analysis of their titles and abstracts, only a few works
were close to the subject explored in this study.
One work (Iadinic et al., 2023) discusses the results
of a survey applied to Croatian SMEs regarding
GDPR compliance challenges. Commonly, SMEs fail
to demonstrate an adequate level of compliance with
the GDPR due to a lack of literacy on the data
protection legal framework or a lack of supporting
resources. Results also indicate that SMEs would
greatly benefit from additional practical guidance and
templates relating to various internal policies and
GDPR requirements such as data retention, deletion,
access, maintaining records of processing activities
and training strategies for staff on data protection
matters (Iadinic et al., 2023). There was no clear
understanding of what type of practical guidance
would be the most adequate.
Ferreira, A., Vieira-Marques, P. and Almeida, R.
Exploring Stakeholders’ Practical Needs for GDPR Compliance.
DOI: 10.5220/0013360900003929
Paper published under CC license (CC BY-NC-ND 4.0)
In Proceedings of the 27th International Conference on Enterprise Information Systems (ICEIS 2025) - Volume 2, pages 460-469
ISBN: 978-989-758-749-8; ISSN: 2184-4992
Proceedings Copyright © 2025 by SCITEPRESS Science and Technology Publications, Lda.
Other works in the literature have explored if a
tool/platform focusing on supporting GDPR
compliance would be part of such guidance. The
study (Tsohou et al., 2023) has answered positively to
this question and described that end users highly
expressed the need for a platform that enables them
to: i) “clearly verify whether the basic GDPR
principles and their rights are complied with; ii) know
when their data is processed by third parties; iii)
define their consent; and iv) is user friendly”. A
platform was built in the ambit of that study.
However, the authors could only find an online demo
and no further testing results from user experience
and impact on GDPR compliance or use in practice.
A 2021 review of GDPR compliance software
solutions shows that organisations are being “greatly
challenged in meeting GDPR compliance obligations,
despite the myriads of software tools available to
them” (Ryan et al., 2021) (IAPP-EY, 2019). Solutions
commonly lack interoperable features or are not
based on evidence.
Other works focus on specific requirements and
try to validate GDPR compliance in an automated
form (Chhetri et al., 2024) (de Montety et al., 2019)
(Libal, 2021). Moreover, a specific software tool to
provide support for Data Protection Impact
Assessments (DPIA) execution, in French, can be
found here (PIA, 2024).
Although these mentioned examples are relevant,
they address only a few specific GDPR requirements
(e.g., DPIA or consent management), not all the main
requirements. Also, those examples may potentially
need extra knowledge in terms of configuration and
data inputs for the various requirements associated
with the regulation. In addition, it is not clear if such
examples are adapted to the infrastructure and context
where they are applied as well as to the users’
experiences and expectations.
In fact, existing solutions may not be as successful
as predicted. Many organisations choose to use
manual methods such as spreadsheets to manage their
GDPR compliance (Ryan et al., 2021), while 76% do
not use commercial software tools to carry out
compliance activities (IAPP, 2019). Stakeholders
continue to struggle with core GDPR compliance
requirements such as DPIA, register of processing
activities and data inventory mapping.
Functional, user-friendly, interactive, easily
understandable, freely available tools are still scarce.
Many times, the existing solutions are not
context-oriented, are difficult to adapt and commonly
focus on a few specific GDPR aspects such as digital
consent management or data sharing. Maybe this is
explained by the fact that no works exploring
stakeholders’ needs, preferences, context-specific
needs and actual day-to-day activities are found in the
literature. These aspects must be integrated into the
design and development of solutions from the beginning
of their conception. Co-designing such tools with
stakeholders can give a higher degree of assurance of
what is required and really works in practice.
A recent work from the authors aims to target
these challenges but with a focus on health research
projects management (Ferreira et al., 2024). The
authors propose the implementation of a high-fidelity
prototype of a recommendation platform (IRIS) for
compliance of health projects with GDPR. The work
integrated user centered research methodologies and
was performed in co-design with the target
population. It addresses GDPR in the light of non-
experts in law or its requirements so that it is easy for
the lay user to get the main definitions and be guided
on the main requirements. Being just an interaction
design prototype, it only describes the interaction
scenarios, and the focus is a specific context.
However, some of its outcomes are being further
explored in this present work.
Our present work aims to present the results of a
survey to collect perceptions, preferences and needs
regarding GDPR compliance within stakeholders’
professional practice, from various domains, as well
as the requirements for the development of an
interactive/assistive tool to guide them in the
compliance process. Asking stakeholders directly can
provide insights into the real needs and
challenges that need to be addressed and overcome.
The next section describes the applied methods while
section 3 presents the obtained results. Sections 4 and
5 discuss the results and conclude the work providing
future research directions, respectively.
2 METHODS
2.1 Data Collection
An anonymous online survey was designed on Google
Forms and shared on LinkedIn on 18/10/2024,
where it was available for a month. Participants from
the authors’ contact networks were invited to answer
the survey via the post and to share it.
The survey was written in English to reach a wider
audience and not limit replies to the authors’ closer
community.
2.2 Survey Structure
The online survey comprised the following 5 main
parts:
1. Informed consent;
2. Demographics;
3. GDPR literacy;
4. Personal data processing;
5. GDPR compliance supporting tools.
More details are presented in Table 1 and in the
text that follows.
Table 1: Detailed content of each survey section.
Part | Content
1. | Informed consent with project’s description; Purpose and type of data processing; Responsible researcher contacts; Participants’ consent to participate
2. | Demographic data: Age, Gender, Main Occupation, Areas of Activity; Years of Experience; Number of Employees of Working Institution
3. | Awareness, Knowledge, Relevance and Adequate Support regarding GDPR
4. | If personal data processing is part of the participant’s professional activity; What personal data processing is performed
5. | Available tools to support GDPR compliance; The need for such tools; Any free tools; The positive impact such tools could have; The need to be adaptable to context and requirements; The device to use it; The content such tools should include; The use of a chatbot/AI Assistant to either complement or replace such tools
Although the study is anonymous, section 1 is
required for compliance with GDPR, to describe the
ambit, nature of the study, together with personal data
to be processed, to study participants before they
choose to participate or not.
Section 2 aims to characterise the main
participants’ demographic variables.
Section 3 bases the questions on one of the three
main categories raised by (Ferreira et al., 2024) in the
analysis of data collected from interviews, the main
“Concerns about GDPR”.
Section 4 questions aim to detail our sample needs
and associated activities for personal data processing.
Section 5 bases its questions on two of the three
main categories raised by (Ferreira et al., 2024)
“Content for the tool” and “Tool characteristics”, to
explore our sample needs in terms of supporting tool
features and content.
2.3 Data Analysis
Descriptive statistics were extracted from the Google
Forms report as well as from a .csv file exported from
the same form.
3 RESULTS
3.1 Demographics
The online survey was answered by 62 participants,
47% female, with an age ranging from 36 to 45 years
old (31%) and 46 to 60 years old (50%).
Forty percent (40%) of participants work in
research, 26% in Education while 26% in IT
(Information Technology). Their main areas of
actuation are Healthcare (47%), Cybersecurity and
Privacy (42%) as well as IT engineering and
networking (26%) (Figure 1).
More than half of respondents (58%) have more
than 20 years of experience working in their specific
areas while 15% have between 16 and 19 years of
experience, 13% between 6 to 9 years of experience
and 8% less than 5 years of expertise.
Figure 1: The main areas of actuation of the survey
respondents.
Forty-seven percent (47%) of participants work in
large companies (more than 1000 employees) while
others are distributed across companies with between 200 and
1000 employees (21%), 50-200 employees (19%) and
less than 50 employees (13%) (Figure 2).
[Figure 1 chart, main areas of actuation: Healthcare 47%; Cybersecurity & Privacy 42%; IT 26%; Energy 7%; Management 5%; Arts 3%.]
[Figure 4 chart: Yes 33.90%; Sometimes 37.10%; No 29%.]
Figure 2: Participants’ institutions dimension.
3.2 GDPR Perceptions
Most respondents (82%) completely agree or agree
that they are aware of GDPR while 76% completely
agree or agree that they are knowledgeable regarding
this regulation (Figure 3).
Figure 3: Perceptions of awareness and knowledge
regarding GDPR.
3.3 Personal Data Processing
Eighty-four percent (84%) of participants completely
agree or agree that GDPR is essential for the
protection of personal data processing. Moreover,
34% affirm that personal data protection is frequently
part of their main occupation, 37% state that
sometimes it is while 29% answered No (Figure 4).
When asked what type of personal data processing
was performed, 37% mentioned personal data from
staff, clients or the academic community while 23%
referred to the processing of clinical/health/patient data.
Figure 4: Answers from respondents regarding the
frequency they engage in personal data processing in the
course of their activity.
3.4 GDPR Supporting Tools
Regarding the knowledge of existing supporting tools
to comply with GDPR during personal data
processing, 48% of respondents do not know, 27%
answered Yes while 25% replied No. Some
characteristics of those tools mentioned by the
participants are presented in Figure 5.
Figure 5: GDPR compliance supporting tools mentioned by
the survey participants.
When asked specifically about free tools, 90% of
respondents answered No and 10% answered Yes.
Names provided for these free tools comprise:
Ghostery, Cookie Script, PIA tool from CNIL; or the
European Data Protection Board Guidelines.
3.5 Need for a GDPR Supporting Tool
Regarding the usefulness of a GDPR supporting tool,
89% of participants agree while 10% do not know.
Participants agree on the positive impact such tools
can have in terms of Privacy (76%); Knowledge
(63%); Safety (60%); Efficiency (53%); and
Productivity (45%) (Figure 6).
[Figure 3 chart: stacked bars, 0% to 100%, for “I'm aware of this regulation” and “I'm knowledgeable about it”; legend: I completely agree, I agree, Neutral, I disagree, I completely disagree.]
[Figure 2 chart: Less than 50 employees 12.90%; 50-200 employees 19.40%; 200-1000 employees 21%; More than 1000 employees 46.80%.]
[Figure 8 chart: stacked bars, 0% to 100%, for Clear main GDPR terms, Clear GDPR requirements and Clear data owner rights; legend: I completely agree, I agree, Neutral, I disagree, I completely disagree.]
Figure 6: Respondents’ opinions regarding the impact that
a supporting tool for GDPR compliance would have in their
daily activities.
When asked to justify the need for such a tool,
participants gave various reasons. The most frequent
justifications were that a tool would help: i) to
understand legal concepts and requirements as well as
provide adequate and even automated protection
(n=11; 18%) and ii) to support non-experts in the
field, including SMEs and researchers, to understand
basic concepts (n=10; 16%). Other participants also
mentioned that such a tool could help in data processing
management and efficiency and would be useful to
provide a compliance score when self-evaluating
their data processing procedures for GDPR
compliance.
Quotes from the participants are presented in
Figure 7.
Figure 7: Quotes from survey participants on the need for a
GDPR compliance supporting tool.
3.6 GDPR Supporting Tool - Design
A tool to support GDPR compliance in different
contexts must necessarily integrate different
functionalities and respond to various needs. Next, we
describe the tool characteristics that were mentioned by
our sample.
Regarding tool content, 89% and 90% of
respondents completely agree or agree they would
like to have clarification of GDPR main terms and
requirements, respectively, while 79% completely
agree or agree to have clarification of data owners’
rights (Figure 8).
Moreover, when participants were asked about
practical measures for data protection processing
within the tool, 87% and 84% of respondents
completely agree or agree they would like to have
guided data protection processing and guided GDPR
requirements application in the practice of data
processing, respectively (Figure 9).
Also, 84% of participants would like to have
access to recommendations of security measures
and/or mechanisms to apply according to their own
data processing needs.
Figure 8: Participants’ opinions regarding GDPR supporting tool compliance content.
[Figure 6 chart, GDPR compliance tool impact: Privacy 76%; Knowledge 63%; Safety 60%; Efficiency 53%; Productivity 45%; Compliance 3%; Completeness 2%; Audit 2%; No 2%.]
[Figure 11 chart: I completely agree 18%; I agree 27%; Neutral 34%; I disagree 11%; I completely disagree 10%.]
Figure 9: Participants’ opinions regarding practical procedures for secure data processing.
Figure 10: Participants’ opinions regarding access to templates for informed consent or DPIA procedures.
Regarding templates the tool might include, 82%
and 84% of participants completely agree or agree to
have access to informed consent and DPIA templates,
respectively (Figure 10).
Figure 11 shows the percentages of responses
regarding the integration of a Chatbot/AI Assistant
feature within the GDPR compliance supporting tool.
Forty-five percent of respondents completely agree or
agree with this integration while around a third of
respondents did not have a defined opinion.
Figure 11: Opinions regarding the inclusion of a Chatbot/AI
Assistant feature to the GDPR compliance tool.
For further clarification, participants were asked
whether the compliance tool should be detached from
the Chatbot/AI Assistant, that is, whether they would prefer both or
only one of those tools. Answers show that 47% of
respondents prefer the compliance tool alone while
42% prefer both tools. One participant also noted that
including an AI Assistant implies that it needs to
comply with the AI Act (AI Act, 2024).
Turning to more general design and
specifications, 74% of respondents agree that a
GDPR compliance supporting tool must be adaptable
to the context of data processing while 16% agree that it
should be adapted to both data processing context and
users’ needs.
Some quotes to justify these responses are
presented in Figure 12.
Figure 12: Quotes from survey participants regarding the
need for the GDPR compliance support tool to integrate
both context and users’ needs.
[Figure 10 chart: stacked bars, 0% to 100%, for Informed consent templates and Data protection impact assessment (DPIA) templates; legend: I completely agree, I agree, Neutral, I disagree, I completely disagree.]
[Figure 9 chart: stacked bars, 0% to 100%, for Guided data protection processing, Apply GDPR requirements into data processing practice and Mechanisms for secure data processing; legend: I completely agree, I agree, Neutral, I disagree, I completely disagree.]
Further, when asked what type of
device they would be more willing to use to access
such a tool, 81% of participants mentioned they would prefer using a
laptop while 15% a smartphone.
The last survey question asked the participants to
provide other suggestions they would like to share
with study researchers. We highlight here two of
those suggestions for further discussion:
• Possibility of generating the necessary
documents from the provided data
• AI Assistance should be provided in the
background, handling events, and helping to
fill the gaps
4 DISCUSSION
GDPR is to be applied in any domain where personal
data processing is required and it needs to integrate
the necessary privacy and security to prove that it is
so. This demands that every such context needs the
available expertise to implement it in practice. If we
consider the type of knowledge such person needs to
have, we reach a set of multidisciplinary and very
different and complex subjects such as IT, privacy,
cybersecurity, the domain associated to the context
and law, just to name a few, which are not easily
acquired.
This is likely unmanageable for many
organizations, and this is why we need to devise other
strategies to overcome these challenges. This study
aims to contribute a step further in this direction.
The sample that participated in our online survey
had a lot of experience in areas such as healthcare and
IT which may mean they are more aware of the
importance of protecting sensitive and personal data.
However, as shown by our results, this may not also
mean that they have the required knowledge or tools
to implement GDPR compliance best practice, which
research commonly shows (Iadinic et al., 2023)
(Tsohou et al., 2023). Our sample was not so
confident in their knowledge of GDPR as they were
aware of it.
Almost half of our sample is working in large
companies which may explain their frequent
participation in personal data processing activities
with some knowledge of existing tools to support
those activities. However, most of the mentioned
tools are in fact manual guidelines or procedures, also
in accordance with previous works (Ryan et al.,
2021). Even when in online format, they still lack
interactive capabilities. Possibly those that mentioned
proprietary tools may have more of the latter features
integrated, but the authors could not assess them.
Regarding the mentioned free tools, these are
specific tools that do not comprehensively tackle
the main GDPR requirements or provide practical
knowledge to users but rather focus on specific needs.
For example: Ghostery is a tracker and ad blocker
and includes online private search; Cookie Script
includes tools to make a website compliant with the
latest privacy regulations including GDPR (no more
details were provided in its description); the PIA tool
from CNIL comprises mainly documents and guides
for best practice while performing a DPIA; and the
European Data Protection Board Guidelines are also
documents to provide best practice and to clarify the
law for better interpretation.
Overall, our sample clearly confirms the need of a
more interactive and comprehensive GDPR
compliance supporting tool, as explored in previous
research (Iadinic et al., 2023) (Tsohou et al., 2023).
The authors would like to stress this fact for future
research in this area. Associated justifications focus
on the complexity of the theme and the volume of
knowledge and data there is to manage. A tool could
alleviate and support that work as well as facilitate the
communication, translation and interpretation of legal
language to practical settings, in accordance with this
previous study (Iadinic et al., 2023). It would also
help in the compliance implementation and
verification, again as shown already in the literature
by (Tsohou et al., 2023), where the need for a
platform to automatically verify compliance of
specific GDPR requirements would be of great help.
Moreover, our sample clearly perceives and
acknowledges the impact such tool could have not
only on the protection of personal data processing but
also on improved knowledge of the regulation and its
requirements and practical implementation. In turn,
this can have an impact on the efficiency and
productivity of their professional activity. In addition,
if the privacy of personal data is increased so can be
the safety of the data subjects, especially in the
healthcare domain (well represented in our sample),
where breaches of confidentiality and privacy can
negatively impact patients’ safety and wellbeing.
Another contribution of this work is the specific
characteristics and associated justification that the
tool may include. Although our sample is highly
experienced and actively dealing with data protection
challenges, participants value the integration of clear content,
from general GDPR knowledge and concepts
to more specific guidance in practice. Previous
research also highlights the lack of
literacy as well as of supporting resources, guidance and
templates to provide for GDPR compliance in
practice (Iadinic et al., 2023) (Ryan et al., 2021). A
focus is put on the inclusion of templates, which can
save a lot of time, especially regarding informed
consent (mandatory), and in the suggestion of the
most adequate security mechanisms or measures to
apply and how.
Another tool component that may be useful to
complement the main tool functionalities is a
Chatbot/AI Assistant. Almost half of participants
agree with the inclusion of this component but more
than a third also remain neutral about this topic. Our
sample perceives the benefit of an AI Assistant
mostly when integrated in the main tool, as a
complementary support. One participant even mentions,
as an added suggestion at the end of the survey, that
AI Assistance should be provided in the background,
handling events and maybe filling the gaps.
In addition, AI can be used not only to provide
pre-defined legal recommendations as well as
improve user’s interaction experience, but also to be
able to integrate and adapt users’ requirements for
specific contexts. As confirmed by our study, the
majority of participants (74%) agree that supporting
tools for GDPR compliance must comprise the need
to be adaptable to context. AI can easily learn and
integrate specific needs from specific contexts into
the on-the-fly recommendations and support.
Note also that another participant raised the
issue that such an Assistant needs to be AI Act
compliant. In fact, the tool itself needs to be GDPR
compliant, and this awareness is very important to
keep in mind for future developments.
An important detail that was revealed by our
sample is the preference of using a laptop device to
access the compliance supporting tool. This may be
because the laptop is still the most common working
device and using this tool will be part of their
professional context.
Beyond quantitative data, the survey also
collected qualitative data to further explore the
choices of our sample. The need for a compliance
supporting tool is justified to alleviate the complexity
of procedures as well as the day-to-day management
of personal data processing, aiming to improve
effectiveness and efficiency of the process. To
accomplish this, such a tool needs to be flexible and
adaptable (various participants mentioned that there are no
one-size-fits-all solutions) to be able to consider both
general and specific requirements. But not all
participants have this opinion. One participant prefers
standardized tools. These have obvious advantages
for compliance procedures that are common to
different domains and purposes and can even be used
across different regulations and legislations.
However, to bring more value, the tool also needs to
allow customization both for the context and
specificities at hand as well as for the users that will
interact with it. As mentioned by the participants, the
tool needs to support both expert and lay people. As
GDPR goes across every domain where personal data
is processed, we cannot expect to have law experts in
every possible setting.
This aspect goes along with some of the
suggestions made by the participants at the end of the
survey:
• “Possibility of generating the necessary
documents from the provided data”. General
templates can be made available, especially the
ones concerning informed consent as a
mandatory requirement for personal data
processing. However, other documents may also
be generated for specific domains, such as in
research when an Ethics Commission needs to
approve a study, or a record of activities
performed in the ambit of the “right of access” or
the “right to be forgotten” in healthcare;
• “AI Assistance should be provided in the
background, handling events, and helping to fill
the gaps”. AI can be very useful in filling the
gaps to adapt and customise needs on the go, to
learn what can be more relevant to a certain
context at a certain time, and to answer users’
requests for different types of data processing or
even added protection for more sensitive data.
4.1 Limitations
This work has some limitations, including the small
sample size and the fact that the main recruitment venue
used was the LinkedIn platform. However, since this
was a short period study, the authors agreed that it
was a platform where a more varied sample of people
could be reached, and faster. Still, the sample can also be
biased by the authors’ connections, most probably
linked with their own personal and professional
interests.
The analysis was only made with descriptive
statistics, but a deeper exploration can be made to find
possibly deeper connections between demographic
variables such as age and domains of actuation to the
specific tool characteristics, preferences and
perceived benefits.
5 CONCLUSIONS
By 2024, more than 6 years after the GDPR has been
enforced in all European Member States to regulate
citizens’ personal data protection, not many works
were found in the literature that aim to understand
users’ knowledge, needs and contexts to implement
GDPR compliance in practice.
The lack of research on this topic impacts the way
users and organizations will approach this
requirement. Also, not many straightforward tools are
available to provide the right knowledge and support
the usage of that knowledge within stakeholders’
professional contexts, without needing to be experts
in law or privacy.
To help fill this gap, this study aimed to
explore the perceptions, preferences and needs
regarding interactive and assistive tools, together with
their content, to support GDPR compliance in practice.
Our results show that stakeholders who frequently
need to perform personal data processing do not often
have the knowledge, experience or required support
to put compliance procedures into practice in their
context. This work contributes to understanding what
content and functionalities could be included in an
interactive tool to be designed to provide a holistic
management of all requirements and further
enhance the capability of GDPR compliance.
Our study outcomes can be leveraged with the
outcomes of previous works to integrate both user
research needs not only at the interaction and design
level but also on the content needs and expectations.
ACKNOWLEDGEMENTS
This work is funded by project Health from Portugal
- HfPT (Aviso 2022-C05i0101-02 Agendas/Alianças
mobilizadoras para a reindustrialização, Projeto nº
C630926586-00465198).
Ana Ferreira is supported by Fundação para a
Ciência e Tecnologia (FCT), project DRAPE-
Designing Trust and Privacy into Research, Ref.
2022.00381.CEECIND/CP1712/CT0001; DOI:
10.54499/2022.00381.CEECIND/CP1712/CT0001.
Rute Almeida is supported by FCT, Ref.
CEECINST/00056/2021/CP2804/CT0004; DOI:
10.54499/CEECINST/00056/2021/CP2804/CT0004.
REFERENCES
AI ACT. (2024). General Data Protection Regulation (EU)
2024/1689 of the European Parliament and of the
Council. Official Journal of the European Union.
Chhetri, E., Fensel, A., DeLong, R. (2024). GDPR consent
management and automated compliance verification
tool, SoftwareX, Volume 27, 2024, 101821,
https://doi.org/10.1016/j.softx.2024.101821.
Cool, A. (2019). Impossible, unknowable, accountable:
Dramas and dilemmas of data law. Soc Stud Sci.
49(4):503-530. doi: 10.1177/0306312719846557.
de Montety C., Antignac T., Slim C. (2019). GDPR
modelling for log-based compliance checking. IFIP
Advances in Information and Communication
Technology, 563 IFIP, pp. 1 - 18.
DOI: 10.1007/978-3-030-33716-2_1.
Ferreira, A. (2020). GDPR: What’s in a year (and a half)?
22nd International Conference on Enterprise
Information Systems. Volume 2, 209-216.
Ferreira, L., Martins, T., Dias, E. and Ferreira, A. (2024).
IRIS: A Prototype for GDPR Health Research
Compliance. CHIRA 2024 8th International
Conference on Computer-Human Interaction Research
and Applications. (In Press).
GDPR. (2016). General Data Protection Regulation (EU)
2016/679 of the European Parliament and of the
Council L 119. Official Journal of the European Union.
ladinić A., Vukić Z., Rončević A. (2023). GDPR
Compliance Challenges in Croatian Micro, Small and
Medium Sized Enterprises. Pravni vjesnik. 39 (3-4), pp.
53 – 75. DOI: 10.25234/pv/23972.
IAPP and Trust Arc. (2019). Trust Arc: Measuring Privacy
Operations. International Association of Privacy
Professionals.
IAPP-EY. (2019). Annual Privacy Governance Report.
International Association of Privacy Professionals.
Libal, T. (2021). Towards Automated GDPR Compliance
Checking. Lecture Notes in Computer Science
(including subseries Lecture Notes in Artificial
Intelligence and Lecture Notes in Bioinformatics),
12641 LNAI, pp. 3 - 19.
DOI: 10.1007/978-3-030-73959-1_1
PIA - Privacy Impact Assessment Software. CNIL -
Commission Nationale de l’Informatique et des
Libertés. Available at:
https://www.cnil.fr/en/privacy-impact-assessment-pia.
Accessed on: 11/12/2024.
Politou, E., Alepis, E., Patsakis. C. (2018). Forgetting
personal data and revoking consent under the GDPR:
Challenges and proposed solutions, Journal of
Cybersecurity, Volume 4, Issue 1.
https://doi.org/10.1093/cybsec/tyy001.
Quinn, P., Quinn, L. (2018). Big genetic data and its big
data protection challenges, Computer Law & Security
Review, Volume 34, Issue 5,1000-1018.
https://doi.org/10.1016/j.clsr.2018.05.028.
Ryan P., Crane M., Brennan R. (2021). GDPR Compliance
Tools: Best Practice from RegTech. Lecture Notes in
Business Information Processing, 417, pp. 905 - 929.
DOI: 10.1007/978-3-030-75418-1_41.
Tsohou, A. et al. (2020). Privacy, Security, Legal and
Technology Acceptance Requirements for a GDPR
Compliance Platform. Lecture Notes in Computer
Science, vol 11980. Springer, Cham.
https://doi.org/10.1007/978-3-030-42048-2_14.