Privacy and data protection are highly complex issues within
eHealth/M-Health systems. Such systems must meet specific requirements
deriving from the organizations and users involved, as well as the variety
of legal obligations under the GDPR that dictate the protection rights of
data subjects and the responsibilities of data controllers. To address this,
this paper proposes a Privacy and Data Protection Framework that provides
the steps needed for the proper technical, organizational and procedural
measures to be undertaken. Going beyond previous literature, the framework
combines privacy-by-design principles with the newly introduced GDPR
requirements in order to create a strong elicitation process for deriving
the set of technical security and privacy requirements that should be
addressed. It also proposes a process for validating that the elicited
requirements indeed fulfil the objectives identified during the Data
Protection Impact Assessment (DPIA) carried out according to the GDPR.