Static Analysis for GDPR Compliance
Abstract
Information systems might access, manage and record sensitive data about citizens. In addition, the pervasiveness of these systems is dramatically increasing thanks to the mobile and IoT revolutions. However, several unintended data breaches are reported every week, and this might compromise the privacy, safety, and security of citizens. For all these reasons, the European Parliament approved in April 2016 the EU General Data Protection Regulation (GDPR). The main goal of this regulation is to protect the privacy of citizens with regard to the processing of their personal data. It enforces a Privacy by Design and by Default approach, where personal data is processed only when needed by the functionalities of the information system. On the other hand, static analysis aims at proving, at compile time, various properties of information systems. This discipline has been widely applied during the last decades to identify potential software leaks of sensitive data. In this scenario, this paper discusses what role static analysis could play from a GDPR perspective. In particular, we introduce GDPR and static analysis, and we then propose how existing taint analyses and backward slicing algorithms might be combined to produce reports useful for GDPR compliance. We identify four main actors in the GDPR compliance process (namely, data protection officers, chief information security officers, project managers, and developers), and we propose a specific level of reporting for each of them.
Similar resources
Towards an Understanding of Stakeholders and Dependencies in the EU GDPR
Personal data has evolved into an essential element of current business models, which pose new challenges to legislation and organizations. To address these challenges at a European level, the European Commission has passed the General Data Protection Regulation (GDPR). Using a data-driven approach, we identify the key stakeholders that are described in the GDPR, which are the data subject, the...
Designing a GDPR-compliant and Usable Privacy Dashboard
The role of personal data gained significance across all business domains in past decades. Despite strict legal restrictions that processing personal data is subject to, users tend to respond to the extensive collection of data by service providers with distrust. Legal battles between data subjects and processors emphasized the need of adaptations by the current law to face today’s challenges. ...
Modelling Provenance for GDPR Compliance using Linked Open Data Vocabularies
The upcoming General Data Protection Regulation (GDPR) requires justification of data activities to acquire, use, share, and store data using consent obtained from the user. Failure to comply may result in significant fines, which incentivises the creation and maintenance of records for all activities involving consent and data. Compliance documentation therefore requires provenance informatio...
Compliance through Informed Consent: Semantic Based Consent Permission and Data Management Model
The General Data Protection Regulation (GDPR) imposes greater restrictions on obtaining valid user consents involving the use of personal data. A semantic model of consent can make the concepts of consent explicit, establish a common understanding and enable re-use of consent. Therefore, forming a semantic model of consent will satisfy the GDPR requirements of specificity and unambiguity and i...
Toward GDPR-Compliant Socio-Technical Systems: Modeling Language and Reasoning Framework
Privacy is a key aspect for the European Union (EU), where it is regulated by a specific law, the General Data Protection Regulation (GDPR). Compliance with the GDPR is a problem for organizations: it imposes strict constraints whenever they deal with personal data and, in case of infringement, it specifies severe consequences such as legal and monetary penalties. Such organizations frequently ar...