CrowdRE, User Feedback and GDPR: Towards Tackling GDPR Implications with Adequate Technical and Organizational Measures in an Effort-Minimal Way

In 2018, the General Data Protection Regulation (GDPR) came into force, imposing strict laws aimed to protect the privacy of natural persons in member states of the European Union. However, the implications of the GDPR with respect to gathering, storing, and analyzing online user feedback - which is an important source of information for Crowd-based Requirements Engineering (CrowdRE) - have not been assessed yet. User feedback has been found to contain personal data, so the GDPR applies. It may be used for CrowdRE if conditions regarding data storage and handling are met and if, when used commercially, the duty to inform is carried out and the data subjects' rights and freedoms are respected. This can be a burden on the application of CrowdRE and might even inhibit its adoption. We propose a heuristic-based solution to anonymize the most prevalent types of personal data while crawling user feedback so that the data processing is no longer subject to GDPR.