markets without regulation can fail and produce non-optimal outcomes. In [ 14 ] we analyze the market for personal mobility data and alternative business models to handle personal data, but still many of today's business models rely on the exchange of free services for broad rights to data that is generated by the user. Another initial nucleus could be the personal motivation of users to protect privacy, but [ 9 ] and [ 15 ] suggest that individuals do not necessarily know how to value their privacy and are not willing to pay for privacy.

As an approach to address data privacy from a legislative perspective, the European Union (EU) adopted the General Data Protection Regulation (Regulation 2016/679, GDPR) in April 2016 [ 6 ]. It was passed after thorough consideration and includes 99 articles and 173 recitals that guide the articles. As a major change, failure to comply with the regulation can be ned with up to four percent of an organization's revenue. This underlines the importance of clearly understanding the requirements, analyzing the status quo of data protection measures, deriving an action plan and implementing the necessary technical and organizational measures to attain compliance with the GDPR. Thus, we set the research goal of this project:

Research Goal: To support the adaptation of privacy legislation in organizations, consisting of people, processes and IT systems. 2

For addressing the set research goal, we will rst refer to our concept of an Enterprise Model and then analyze existing work using the established Enterprise Model in order to categorize the existing work and determine which of the aspects of the model it addresses. We rely on a simpli ed Enterprise Architecture model based on [ 4 ] and only consider the three layers Business & Organization, Application & Information and Infrastructure. Figure 1 locates the presented work within this Enterprise Architecture model.

Legal advice gives an abstract view of the challenges to be addressed. According to [ 12 ], these are the principle of accountability, the creation of records of processing activities, the execution of data protection impact assessments, the implementation of technical measures for protection, the extension of data subject rights and the installation of the role of data protection o cer (DPO). [ 21 ] analyses the regulation and compares it in detail to Directive 95/46/EC, which it repeals when entering into force. The resulting practical implications are the obligation to specify data needs and usage, to consider conditions for data processing in an international context, to build privacy through data protection by design and default, to demonstrate compliance, to develop processes for dealing with data breaches, to consider possible sanctions when acting, to designate a DPO, to establish processes for providing information to and getting consent from data subjects, to create ways of deleting or transferring an individual's data and to document processing activities.

The paradigm of Privacy by Design was keyed by the Canadian Information Commissioner [ 5 ] and encompasses the notion of building privacy into IT systems and processes, but also physical designs. However, the seven proposed principles are rather a goal de nition than an instruction of how to implement privacy [ 19 ] and a translation of these principles into system requirements is necessary [ 11 ]. Nonetheless, there are also critical voices who claim that "privacy cannot be hardcoded" [ 16 ].

Method engineering, according to [ 1 ], is the discipline of creating methods that support the development of Information Systems and can be compared to Software Engineering for the development of software. When adapting a method for a speci c situation and combining individual elements, so-called method chunks, it is called a situational method [ 13 ]. An application to the domain of governance, risk and compliance can be found in [ 7 ], where method fragments are categorized into ve dimensions (conceptual, strategic, organizational, technical, cultural) and assigned to di erent roles within the enterprise. A recent development is the eld of Privacy Engineering [ 10 ], which systematically addresses privacy issues during system development.

A notable method for modeling privacy threats is LINDDUN [ 23 ], [ 24 ]. It is intended to support software developers in identifying and addressing privacy threats early during software development. An extensive privacy threat tree [ 23 ] addresses all the security threats that are included in the acronym and gives guidance to software developers.

The operationalization of Privacy and Security by Design was the subject of study of the EU project PRIPARE (Preparing Industry to Privacy-by-design by supporting its Application in Research) [ 18 ], which we consider to cover all three layers of the model presented earlier. The main results include a process to address the accountability postulate of the GDPR and so-called patterns for privacy preserving development of software. They distinguish between risk-based (such as LINDDUN, [ 23 ]) and goal-oriented approaches, such as the GDPR, which have to be broken down into smaller requirements. These two approaches are considered to be complimentary, with application of the goal-oriented principle rst and detailed system analysis second [ 18 ].

Patterns are observed solutions for a given problem [ 3 ] that have emerged in three independent instances. Historically, they originate from the domain of software architecture, but have also been applied in Enterprise Architecture Management, a holistic approach to align business and IT [ 2 ]. They describe the solution with consequences, known uses, actors and related patterns [ 3 ]. The PRIPARE project also created a pattern catalog [ 17 ] that includes 26 privacy patterns at a technological level.

The gap we identify is the consideration of holistic patterns that are specifically targeted at compliance with the new GDPR regulation. As it has been passed in 2016 and becomes e ective in 2018, there are currently industry efforts under way who aim at achieving compliance by the time the GDPR becomes e ective. These e orts have not been investigated so far and have not been analyzed with regards to the existing body of knowledge. 3

The goal of this research project is to support the practical application of privacy patterns by developing theory and insight from the current industry e orts. An approach that was designed to ensure theoretical contributions of industry cooperation projects is pattern-based design research [ 3 ]. It combines the use of patterns, design theory and the concept of a design theory nexus to propose a four-step process (as depicted in gure 2) consisting of the steps observe & conceptualize, pattern-based theory building, solution design and application and evaluation and learning.

The EU GDPR is not the rst privacy regulation that organizations have to become compliant to. In fact, it repeals EU directive 95/46/EC, which was the basis for prior national privacy legislation. Researchers have addressed these concerns with threat frameworks and situational methods before. There are also similar legislation that requires action within the organization and has been researched before, such as nancial or risk regulation. To develop a clear understanding of the existing work and to be able to concisely identify the di erences that are invoked speci cally by the GDPR, we derive the rst research question: RQ1: Which conceptual frameworks exist that can be instrumented to describe regulatory requirements and the design of possible solutions? The GDPR as a whole consists of 99 articles, some of which de ning terms, some concerning administrative acts regarding the regulation, and some introducing rights for data subjects and obligations for the data controllers and processors. These have to be extracted from the legal text and formalized as elementary requirements. Each of the requirements can then be addressed by methods or techniques that are investigated at a later stage. Thus, we formulate the second research question:

RQ2: What are the elementary requirements of the GDPR and how can they be modeled with the existing concepts?

Since the GDPR is applicable from 2018, there are currently ongoing e orts in organizations with the goal to prepare for the legislation and to implement the required measures, such as the establishment of a data protection o cer. It is necessary to observe and describe these e orts and to classify the approaches. Who is responsible? Who is in charge of planning, who is in charge of execution? How are the requirements identi ed, how are project goals set, which processes are established? Which tools or methods are used to support this e ort? In short, we state the third research question as:

RQ3: What is the state of the practice in the implementation of GDPR requirements in Germany and how does the practice instrument theoretical knowledge?

From these practical investigations, we aim to identify common observations from various industry partners. These so-called pattern candidates have to be consolidated into patterns and described using the theoretical background that was identi ed before. It will be analyzed how successful the application of each pattern has been, since commonality does not necessarily imply quality. As the fourth research question, de ne:

RQ4: Which successful patterns can be identi ed for ful lling the elementary requirements of the GDPR?

There might be di erent patterns that address the same elementary requirement. At the same time, there might be patterns that require the application of another pattern in order to be executed successfully. In the last step, we aim to analyze dependencies among patterns. One such dependency could be the reduced need for on site data security when transferring personal data to cloud services, but a rigorous selection process for the cloud provider to comply with the data security requirements. This leads to the last research question: RQ5: How are solution options interrelated with each other? Which solutions are independent, which require other actions, and which replace other solution options?

This dissertation project is supervised by Prof. Dr. Florian Matthes at the chair for Software Engineering for Business Information Systems, TU Munchen. It is part of the TUM Living Lab Connected Mobility (TUM LLCM) project and has been funded by the Bavarian Ministry of Economic A airs and Media, Energy and Technology (StMWi) through the Center Digitisation.Bavaria, an initiative of the Bavarian State Government.