Dealing with Privacy Obligations in Enterprises

This paper focuses on the problem of dealing with privacy obligations in enterprises. Privacy obligations dictate expected behaviours, tasks and constraints that must be satisfied when handling personal and confidential data. This includes being compliant with data retention policies and satisfying constraints dictated by customers’ opt-in and opt-out choices. It is important for enterprises to address this problem to preserve their reputation and brand and be compliant with legislation and customers’ requirements. This paper describes important related issues and requirements to be kept into account, including dealing with transactional, ongoing and long-term obligations. Technical work has already been done for the management of obligations subordinated to authorization aspects and simple obligations for data retention: however, dealing with ongoing and long-term aspects of obligations is still a green field and open to research. We introduce and describe a trusted system, currently under research and development at HP Labs, dealing with the monitoring, enforcement and tracking of privacy obligations: this system will support the strong association of privacy obligations to data, accountability management and users’ involvement.