Damiano Torre,Mauricio Alferez,Ghanem Soltana,Mehrdad Sabetzadeh,Lionel Briand

DOI: https://doi.org/10.48550/arXiv.2007.12046

2020-07-23

Abstract:In Europe and indeed worldwide, the General Data Protection Regulation (GDPR) provides protection to individuals regarding their personal data in the face of new technological developments. GDPR is widely viewed as the benchmark for data protection and privacy regulations that harmonizes data privacy laws across Europe. Although the GDPR is highly beneficial to individuals, it presents significant challenges for organizations monitoring or storing personal information. Since there is currently no automated solution with broad industrial applicability, organizations have no choice but to carry out expensive manual audits to ensure GDPR compliance. In this paper, we present a complete GDPR UML model as a first step towards designing automated methods for checking GDPR compliance. Given that the practical application of the GDPR is influenced by national laws of the EU Member States, we suggest a two-tiered description of the GDPR, generic and specialized. In this paper, we provide (1) the GDPR conceptual model we developed with complete traceability from its classes to the GDPR, (2) a glossary to help understand the model, (3) the plain-English description of 35 compliance rules derived from GDPR along with their encoding in OCL, and (4) the set of 20 variations points derived from GDPR to specialize the generic model. We further present the challenges we faced in our modeling endeavor, the lessons we learned from it, and future directions for research.

Software Engineering

Ze Shi Li,Colin Werner,Neil Ernst,Daniela Damian

DOI: https://doi.org/10.48550/arXiv.2002.06830

2020-02-17

Abstract:The enactment of the General Data Protection Regulation (GDPR) in 2018 forced any organization that collects and/or processes EU-based personal data to comply with stringent privacy regulations. Software organizations have struggled to achieve GDPR compliance both before and after the GDPR deadline. While some studies have relied on surveys or interviews to find general implications of the GDPR, there is a lack of in-depth studies that investigate compliance practices and compliance challenges of software organizations. In particular, there is no information on small and medium enterprises (SMEs), which represent the majority of organizations in the EU, nor on organizations that practice continuous integration. Using design science methodology, we conducted an in-depth study over the span of 20 months regarding GDPR compliance practices and challenges in collaboration with a small, startup organization. We first identified our collaborator's business problems and then iteratively developed two artifacts to address those problems: a set of operationalized GDPR principles, and an automated GDPR tool that tests those GDPR-derived privacy requirements. This design science approach resulted in four implications for research and for practice. For example, our research reveals that GDPR regulations can be partially operationalized and tested through automated means, which improves compliance practices, but more research is needed to create more efficient and effective means to disseminate and manage GDPR knowledge among software developers.

Software Engineering

Chris Jay Hoofnagle,Bart van der Sloot,Frederik Zuiderveen Borgesius

DOI: https://doi.org/10.1080/13600834.2019.1573501

2019-01-02

Abstract:This paper introduces the strategic approach to regulating personal data and the normative foundations of the European Union’s General Data Protection Regulation (‘GDPR’). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.

Supreeth Shastri,Melissa Wasserman,Vijay Chidambaram

DOI: https://doi.org/10.48550/arXiv.1903.09305

2019-05-15

Abstract:In recent years, our society is being plagued by unprecedented levels of privacy and security breaches. To rein in this trend, the European Union, in 2018, introduced a comprehensive legislation called the General Data Protection Regulation (GDPR). In this paper, we review GDPR from a system design perspective, and identify how its regulations conflict with the design, architecture, and operation of modern systems. We illustrate these conflicts via the seven GDPR sins: storing data forever; reusing data indiscriminately; walled gardens and black markets; risk-agnostic data processing; hiding data breaches; making unexplainable decisions; treating security as a secondary goal. Our findings reveal a deep-rooted tussle between GDPR requirements and how modern systems have evolved. We believe that achieving compliance requires comprehensive, grounds up solutions, and anything short would amount to fixing a leaky faucet in a sinking ship.

Computers and Society,Cryptography and Security

Supreeth Shastri,Melissa Wasserman,Vijay Chidambaram

DOI: https://doi.org/10.48550/arXiv.1911.00498

2019-11-01

Abstract:In recent years, our society is being plagued by unprecedented levels of privacy and security breaches. To rein in this trend, the European Union, in 2018, introduced a comprehensive legislation called the General Data Protection Regulation (GDPR). In this article, we review GDPR from a systems perspective, and identify how the design and operation of modern cloud-scale systems conflict with this regulation. We illustrate these conflicts via six GDPR anti-patterns: storing data without a clear timeline for deletion; reusing data indiscriminately; creating walled gardens and black markets; risk-agnostic data processing; hiding data breaches; making unexplainable decisions. Our findings reveal deep-rooted tussle between GDPR requirements and how cloud-scale systems that process personal data have evolved in the modern era. While it is imperative to avoid these anti-patterns, we believe that achieving compliance requires comprehensive, grounds up solutions; anything short would amount to fixing a leaky faucet in a sinking ship.

Computers and Society

Tek Raj Chhetri,Anelia Kurteva,Rance J. DeLong,Rainer Hilscher,Kai Korte,Anna Fensel

DOI: https://doi.org/10.3390/s22072763

IF: 3.9

2022-04-03

Sensors

Abstract:The enforcement of the GDPR in May 2018 has led to a paradigm shift in data protection. Organizations face significant challenges, such as demonstrating compliance (or auditability) and automated compliance verification due to the complex and dynamic nature of consent, as well as the scale at which compliance verification must be performed. Furthermore, the GDPR’s promotion of data protection by design and industrial interoperability requirements has created new technical challenges, as they require significant changes in the design and implementation of systems that handle personal data. We present a scalable data protection by design tool for automated compliance verification and auditability based on informed consent that is modeled with a knowledge graph. Automated compliance verification is made possible by implementing a regulation-to-code process that translates GDPR regulations into well-defined technical and organizational measures and, ultimately, software code. We demonstrate the effectiveness of the tool in the insurance and smart cities domains. We highlight ways in which our tool can be adapted to other domains.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Raphaël Gellert

DOI: https://doi.org/10.1016/j.clsr.2017.12.003

2018-04-01

Abstract:The goal of this contribution is to understand the notion of risk as it is enshrined in the General Data Protection Regulation (GDPR), with a particular on Art. 35 providing for the obligation to carry out data protection impact assessments (DPIAs), the first risk management tool to be enshrined in EU data protection law, and which therefore contains a number of key elements in order to grasp the notion. The adoption of this risk-based approach has not come without a number of debates and controversies, notably on the scope and meaning of the risk-based approach. Yet, what has remained up to date out of the debate is the very notion of risk itself, which underpins the whole risk-based approach. The contribution uses the notions of risk and risk analysis as tools for describing and understanding risk in the GDPR. One of the main findings is that the GDPR risk is about “compliance risk” (i.e., the lower the compliance the higher the consequences upon the data subjects' rights). This stance is in direct contradiction with a number of positions arguing for a strict separation between compliance and risk issues. This contribution sees instead issues of compliance and risk to the data subjects rights and freedoms as deeply interconnected. The conclusion will use these discussions as a basis to address the long-standing debate on the differences between privacy impact assessments (PIAs) and DPIAs. They will also warn against the fact that ultimately the way risk is defined in the GDPR is somewhat irrelevant: what matters most is the methodology used and the type of risk at work therein.

law

Hanaa Alshareef,Sandro Stucki,Gerardo Schneider

DOI: https://doi.org/10.48550/arXiv.2011.12028

2020-11-24

Abstract:Recent regulations, such as the European General Data Protection Regulation (GDPR), put stringent constraints on the handling of personal data. Privacy, like security, is a non-functional property, yet most software design tools are focused on functional aspects, using for instance Data Flow Diagrams (DFDs). In previous work, a conceptual model was introduced where DFDs could be extended into so-called Privacy-Aware Data Flow Diagrams (PA-DFDs) with the aim of adding specific privacy checks to existing DFDs. In this paper, we provide an explicit algorithm and a proof-of-concept implementation to transform DFDs into PA-DFDs. Our tool assists software engineers in the critical but error-prone task of systematically inserting privacy checks during design (they are automatically added by our tool) while still allowing them to inspect and edit the. PA-DFD if necessary. We have also identified and addressed ambiguities and inaccuracies in the high-level transformation proposed in previous work. We apply our approach to two realistic applications from the construction and online retail sectors.

Software Engineering

Paul Ryan,Martin Crane,Rob Brennan

DOI: https://doi.org/10.48550/arXiv.2005.12138

2020-05-21

Computers and Society

Abstract:The Accountability Principle of the GDPR requires that an organisation can demonstrate compliance with the regulations. A survey of GDPR compliance software solutions shows significant gaps in their ability to demonstrate compliance. In contrast, RegTech has recently brought great success to financial compliance, resulting in reduced risk, cost saving and enhanced financial regulatory compliance. It is shown that many GDPR solutions lack interoperability features such as standard APIs, meta-data or reports and they are not supported by published methodologies or evidence to support their validity or even utility. A proof of concept prototype was explored using a regulator based self-assessment checklist to establish if RegTech best practice could improve the demonstration of GDPR compliance. The application of a RegTech approach provides opportunities for demonstrable and validated GDPR compliance, notwithstanding the risk reductions and cost savings that RegTech can deliver. This paper demonstrates a RegTech approach to GDPR compliance can facilitate an organisation meeting its accountability obligations.

Sanchit Alekh

DOI: https://doi.org/10.48550/arXiv.1806.03253

2018-06-01

Computers and Society

Abstract:The GDPR, or the Datenschutz Grundverordnung (DSGVO) in German, is an EU Law which addresses the subject of safeguarding privacy of personal data of the citizens of the EU and EEA. It also specifies how data the collected data might be transported out of the EU/EEA. It is the first genuine effort to unify the plethora of disparate privacy regulations put forward by different regulatory bodies. The GDPR aims to not only give more control over their personal data to the citizens, but also make conformance for businesses easier by defining unified guidelines. It also presses businesses, especially those dealing with sensitive personal data, to build their information systems in a way that confirms with Privacy by Design. These regulations aim to ensure a more transparent handling and processing of personal data, and create an environment of trust and awareness on both sides, i.e., the data owner as well as the controllers/processors.

Jayashree Mohan,Melissa Wasserman,Vijay Chidambaram

DOI: https://doi.org/10.1007/978-3-030-33752-0_6

2019-01-01

Abstract:AbstractWith the arrival of the European Union’s General Data Protection Regulation (GDPR), several companies are making significant changes to their systems to achieve compliance. The changes range from modifying privacy policies to redesigning systems which process personal data. Privacy policy is the main medium of information dissemination between the data controller and the users. This work analyzes the privacy policies of large-scaled cloud services which seek to be GDPR compliant. We show that many services that claim compliance today do not have clear and concise privacy policies. We identify several points in the privacy policies which potentially indicate non-compliance; we term these GDPR dark patterns. We identify GDPR dark patterns in ten large-scale cloud services. Based on our analysis, we propose seven best practices for crafting GDPR privacy policies.

Vishal Chakraborty,Stacy Ann-Elvy,Sharad Mehrotra,Faisal Nawab,Mohammad Sadoghi,Shantanu Sharma,Nalini Venkatsubhramanian,Farhan Saeed

DOI: https://doi.org/10.48550/arXiv.2308.07501

2023-08-15

Abstract:Data regulations, such as GDPR, are increasingly being adopted globally to protect against unsafe data management practices. Such regulations are, often ambiguous (with multiple valid interpretations) when it comes to defining the expected dynamic behavior of data processing systems. This paper argues that it is possible to represent regulations such as GDPR formally as invariants using a (small set of) data processing concepts that capture system behavior. When such concepts are grounded, i.e., they are provided with a single unambiguous interpretation, systems can achieve compliance by demonstrating that the system-actions they implement maintain the invariants (representing the regulations). To illustrate our vision, we propose Data-CASE, a simple yet powerful model that (a) captures key data processing concepts (b) a set of invariants that describe regulations in terms of these concepts. We further illustrate the concept of grounding using "deletion" as an example and highlight several ways in which end-users, companies, and software designers/engineers can use Data-CASE.

Databases

Sean Sirur,Jason R. C. Nurse,Helena Webb,Jason R.C. Nurse

DOI: https://doi.org/10.48550/arXiv.1808.07338

2018-08-22

Computers and Society

Abstract:The EU General Data Protection Regulation (GDPR), enforced from 25th May 2018, aims to reform how organisations view and control the personal data of private EU citizens. The scope of GDPR is somewhat unprecedented: it regulates every aspect of personal data handling, includes hefty potential penalties for non-compliance, and can prosecute any company in the world that processes EU citizens' data. In this paper, we look behind the scenes to investigate the real challenges faced by organisations in engaging with the GDPR. This considers issues in working with the regulation, the implementation process, and how compliance is verified. Our research approach relies on literature but, more importantly, draws on detailed interviews with several organisations. Key findings include the fact that large organisations generally found GDPR compliance to be reasonable and doable. The same was found for small-to-medium organisations (SMEs/SMBs) that were highly security-oriented. SMEs with less focus on data protection struggled to make what they felt was a satisfactory attempt at compliance. The main issues faced in their compliance attempts emerged from: the sheer breadth of the regulation; questions around how to enact the qualitative recommendations of the regulation; and the need to map out the entirety of their complex data networks.

Duarte Gouveia,David Aveiro

DOI: https://doi.org/10.1007/978-3-030-06097-8_9

2018-12-31

Abstract:In this paper we use Design and Engineering Methodology for Organizations (DEMO) to formally describe the European Union General Data Protection Regulation (2016/679) which entries into force and application on May 25, 2018. This law introduces a paradigm shift in information systems by requiring by design and by default much more control on personal data and its processing. The data subjects can give and remove consent for processing and establish restrictions on what the data is processed for. They can also ask for their information, object to automated decision making based on it, require changes to that information or ask that it be erased (‘right to be forgotten’). When they ask for their information, it must be provided in a machine-readable format, which implies data portability and the ability to provide it to another party. This law creates a new role, the data protection officer, and assigns duties to data controllers, data processors, supervisory authorities, national authorities and EU authorities. This work shows how DEMO can present in a simple way the system described by this law, and analyses the challenges and insights provided by using this modeling method.

Regina Becker,Davit Chokoshvili,Adrian Thorogood,Edward S Dove,Fruzsina Molnár-Gábor,Alexandra Ziaka,Olga Tzortzatou-Nanopoulou,Giovanni Comandè

DOI: https://doi.org/10.1093/jlb/lsae001

IF: 3.4

2024-01-01

Journal of Law and the Biosciences

Abstract:Abstract The General Data Protection Regulation (GDPR) of the European Union, which became applicable in 2018, contains a new accountability principle. Under this principle, controllers (ie parties determining the purposes and the means of the processing of personal data) are responsible for ensuring and demonstrating the overall compliance with the GDPR. However, interpretive uncertainties of the GDPR mean that controllers must exercise considerable judgement in designing and implementing an appropriate compliance strategy, making GDPR compliance both complex and resource-intensive. In this article, we provide conceptual clarity around GDPR compliance with respect to one core aspect of the law: the determination and relevance of the purpose of personal data processing. We derive from the GDPR’s text concrete requirements for purpose specification, which we subsequently apply to the area of secondary use of personal data for scientific research. We offer guidance for correctly specifying purposes of data processing under different research scenarios. To illustrate the practical necessity of purpose specification for GDPR compliance, we then show how our proposed approach can enable controllers to meet their compliance obligations, using the example of the overarching GDPR principle of lawfulness to highlight the relevance of purpose specification for the identification of a suitable legal basis.

ethics,law,medicine, legal,medical ethics

Ze Shi Li,Colin Werner,Neil Ernst,Daniela Damian

DOI: https://doi.org/10.1016/j.infsof.2022.106868

IF: 3.9

2022-06-01

Information and Software Technology

Abstract:Context: Complying with privacy regulations has taken on new importance with the introduction of the EU’s General Data Protection Regulation (GDPR) and other privacy regulations. Privacy measures are becoming a paramount requirement demanding software organizations’ attention as recent privacy breaches such as the Capital One data breach affected millions of customers. Software organizations, however, struggle with achieving privacy compliance. In particular, there is a lack of research into the organizational practices and challenges involved in compliance, particularly for small and medium enterprises (SMEs), which represent a sizeable portion of organizations. Many SMEs use a continuous software engineering (CSE) approach, which introduces additional adoption and application challenges. For example, the fast pace of CSE makes it harder for SMEs that are already more resource constrained to prioritize non-functional requirements such as privacy. Objective: This paper aims to fill a gap in the under-researched area of continuous compliance with privacy requirements in practice, by investigating how a continuous practicing SME dealt with GDPR compliance. Method: Using design science, we conducted an in-depth ethnographically informed study over the span of 16 months and iteratively developed two artifacts to help address the organization’s challenges in addressing GDPR compliance. Results: We identified 3 main challenges that our collaborating organization experienced when trying to comply with the GDPR. To help mitigate the challenges, we developed two design science artifacts, which include a list of privacy requirements that operationalized the GDPR principles for automated verification, and an automated testing tool that helps to verify these privacy requirements. We validated these artifacts through close collaboration with our partner organization and applying our artifacts to the partner organization’s system. Conclusions: We conclude with a discussion of opportunities and obstacles in leveraging CSE to achieve continuous compliance with the GDPR. We also highlight the importance of building a shared understanding of privacy non-functional requirements and how risk management plays an important role in an organization’s GDPR compliance.

computer science, information systems, software engineering

Sallam Abualhaija,Marcello Ceci,Lionel Briand

2024-02-17

Abstract:Modern software has been an integral part of everyday activities in many disciplines and application contexts. Introducing intelligent automation by leveraging artificial intelligence (AI) led to break-throughs in many fields. The effectiveness of AI can be attributed to several factors, among which is the increasing availability of data. Regulations such as the general data protection regulation (GDPR) in the European Union (EU) are introduced to ensure the protection of personal data. Software systems that collect, process, or share personal data are subject to compliance with such regulations. Developing compliant software depends heavily on addressing legal requirements stipulated in applicable regulations, a central activity in the requirements engineering (RE) phase of the software development process. RE is concerned with specifying and maintaining requirements of a system-to-be, including legal requirements. Legal agreements which describe the policies organizations implement for processing personal data can provide an additional source to regulations for eliciting legal requirements. In this chapter, we explore a variety of methods for analyzing legal requirements and exemplify them on GDPR. Specifically, we describe possible alternatives for creating machine-analyzable representations from regulations, survey the existing automated means for enabling compliance verification against regulations, and further reflect on the current challenges of legal requirements analysis.

Software Engineering,Artificial Intelligence

Naila Azam,Anna Lito Michala,Shuja Ansari,Nguyen Truong

2024-04-22

Abstract:Data-driven applications and services have been increasingly deployed in all aspects of life including healthcare and medical services in which a huge amount of personal data is collected, aggregated, and processed in a centralised server from various sources. As a consequence, preserving the data privacy and security of these applications is of paramount importance. Since May 2018, the new data protection legislation in the EU/UK, namely the General Data Protection Regulation (GDPR), has come into force and this has called for a critical need for modelling compliance with the GDPR's sophisticated requirements. Existing threat modelling techniques are not designed to model GDPR compliance, particularly in a complex system where personal data is collected, processed, manipulated, and shared with third parties. In this paper, we present a novel comprehensive solution for developing a threat modelling technique to address threats of non-compliance and mitigate them by taking GDPR requirements as the baseline and combining them with the existing security and privacy modelling techniques (i.e., \textit{STRIDE} and \textit{LINDDUN}, respectively). For this purpose, we propose a new data flow diagram integrated with the GDPR principles, develop a knowledge base for the non-compliance threats, and leverage an inference engine for reasoning the GDPR non-compliance threats over the knowledge base. Finally, we demonstrate our solution for threats of non-compliance with legal basis and accountability in a telehealth system to show the feasibility and effectiveness of the proposed solution.

Cryptography and Security

M. Emilia Cambronero,Miguel A. Martínez,Luis Llana,Ricardo J. Rodríguez,Alejandro Russo

DOI: https://doi.org/10.7717/peerj-cs.1898

2024-03-29

PeerJ Computer Science

Abstract:Data privacy is one of the biggest challenges facing system architects at the system design stage. Especially when certain laws, such as the General Data Protection Regulation (GDPR), have to be complied with by cloud environments. In this article, we want to help cloud providers comply with the GDPR by proposing a GDPR-compliant cloud architecture. To do this, we use model-driven engineering techniques to design cloud architecture and analyze cloud interactions. In particular, we develop a complete framework, called MDCT, which includes a Unified Modeling Language profile that allows us to define specific cloud scenarios and profile validation to ensure that certain required properties are met. The validation process is implemented through the Object Constraint Language (OCL) rules, which allow us to describe the constraints in these models. To comply with many GDPR articles, the proposed cloud architecture considers data privacy and data tracking, enabling safe and secure data management and tracking in the context of the cloud. For this purpose, sticky policies associated with the data are incorporated to define permission for third parties to access the data and track instances of data access. As a result, a cloud architecture designed with MDCT contains a set of OCL rules to validate it as a GDPR-compliant cloud architecture. Our tool models key GDPR points such as user consent/withdrawal, the purpose of access, and data transparency and auditing, and considers data privacy and data tracking with the help of sticky policies.

computer science, information systems, artificial intelligence, theory & methods

Larisa GĂBUDEANU

DOI: https://doi.org/10.19107/ijisc.2022.01.01

2022-06-28

International Journal of Information Security and Cybercrime

Abstract:One of the main legal requirements for the adopting the GDPR was the technical and organizational security requirements, alongside the transparency and purpose limitation principles. The wide wording mentioned by the GDPR in terms of state-of-the-art security measures has given rise to a series of interpretations both in literature and by the data controllers and data processors. The manner in which national data protection authorities interpret this wording on a case-by-case basis is a good indicator in terms of interpretation, as the authorities look into the specific use case requiring preventive security measures. Thus, this research paper brings additional clarity in the interpretation of this legal requirement in terms of the risks and damages considered relevant for the specific data breach or lack of proper legal requirement implementation, given publicly available information in this respect. Further, the research paper highlights the number of use cases analyzed by different national data protection authorities and the views of each national data protection authority.