Privacy Threat Modeling with LINDDUN in the Context of the General Data Protection Regulation

Due to advancements in digitization it is increasingly easy to collect personal data, as performed by big companies such as Google or Facebook. Therefore, the European Union addresses resulting privacy concerns by introducing the General Data Protection Regulation (GDPR), which is part of EU law aiming to regulate data protection and privacy for all EU citizens. The GDPR affects companies not only in Europe but all across the world if they process data of EU citizens. As a result, software developers face numerous challenges from understanding what this regulation requires from their software to adapting their development processes in order to consider privacy and data protection requirements early on.
This thesis aims to give an overview of the challenges which result from the GDPR. Furthermore, privacy threat modeling in the form of the LINDDUN methodology is evaluated in the context of the GDPR. A prototype of a service-oriented application was developed and analysed with LINDDUN in order to determine if the latter is a suitable methodology that can contribute towards GDPR compliance. Therefore, the Standard-Data-Protection-Model Version 2.0 (SDM) of the German federal states alongside the GDPR itself provided the criteria used to judge the extent of LINDDUN’s contributions towards GDPR compliance.