The consequences of not complying with the requirements of General Data Protection Regulation (GDPR) is immense for all international data processors. The fines and penalties even for small companies can be as high as 20 million EUR, and GDPR requires data protection by design and by default. Most IT companies do not have in-house expertise to identify the required features for full compliance. This work provides a valuable vendor and technology-agnostic toolkit for building GDPR-complaint software with minimum cost and effort. The toolkit is based on a tag-based approach for identifying required features and tasks. After reviewing various privacy regulations, including GDPR, and coding their content, we arrived at a set of tags that fully capture the principles and notions of privacy requirements relevant to software development, deployment and operation. The tags are organized in 14 classes and include sub-tags, and variants. Any list of privacy and security controls can be evaluated using these tags to ascertain if they adequately enable the desired level of privacy. As a case study we will develop the first publicly available agile scrum template, using the proposed tagging system, for the development of an IoT system that transmits private information across the international borders. The tagging system and the approach could be easily customized for any other agile methodology and framework. The talk will expand on some of the recent stories and case studies of how missing the tags can create non-compliance and as a result, huge liability.
