Security Analysis and Legal Compliance Checking for the Design of Privacy-friendly Information Systems

Guarda, Paolo; Ranise, Silvio; Siswantoro, Hari

doi:10.1145/3078861.3078879

Cited by 13 publications

(14 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Ranise and Siswantoro [34] devise an SMT-based tool for checking compliance of security policies at design time. Guarda et al [35] propose a logic-based framework to support the specification of information system designs, purpose-aware access control policies, and legal requirements.…”

Section: Related Workmentioning

confidence: 99%

Using Models to Enable Compliance Checking Against the GDPR: An Experience Report

Torre

Soltana

Sabetzadeh

et al. 2019

2019 ACM/IEEE 22nd International Conference on Model Driven Engineering Languages and Systems (MODELS)

View full text Add to dashboard Cite

The General Data Protection Regulation (GDPR) harmonizes data privacy laws and regulations across Europe. Through the GDPR, individuals are able to better control their personal data in the face of new technological developments. While the GDPR is highly advantageous to individuals, complying with it poses major challenges for organizations that control or process personal data. Since no automated solution with broad industrial applicability currently exists for GDPR compliance checking, organizations have no choice but to perform costly manual audits to ensure compliance. In this paper, we share our experience building a UML representation of the GDPR as a first step towards the development of future automated methods for assessing compliance with the GDPR. Given that a concrete implementation of the GDPR is affected by the national laws of the EU member states, GDPR's expanding body of case law and other contextual information, we propose a two-tiered representation of the GDPR: a generic tier and a specialized tier. The generic tier captures the concepts and principles of the GDPR that apply to all contexts, whereas the specialized tier describes a specific tailoring of the generic tier to a given context, including the contextual variations that may impact the interpretation and application of the GDPR. We further present the challenges we faced in our modeling endeavor, the lessons we learned from it, and future directions for research.

show abstract

Section: Related Workmentioning

confidence: 99%

Using Models to Enable Compliance Checking Against the GDPR: An Experience Report

Torre

Soltana

Sabetzadeh

et al. 2019

2019 ACM/IEEE 22nd International Conference on Model Driven Engineering Languages and Systems (MODELS)

View full text Add to dashboard Cite

show abstract

“…Guarda et al [47] presented a set of categories that organized the information to be protected in the followed categories: 1) Classes: Personal Data refers to the data that allow identifying a personal; Sensitive Data (SD) which refers to Personal Data that includes information on ethnicity, gender, religion and political opinion; and Non-Persoal Data (NPD) that was information that could not be associated with a person; 2) Legal Roles: refers to actions that could be performed by agents within the Personal Data life cycle such as:…”

Section: Work Related To Personal Data Transparencymentioning

confidence: 99%

“…The paper presented by Guarda et al [47] proposed a methodology and a set of techniques for integrating Personal Data security with compliance with Personal Data usage regulations. The methodology aimed to support the abstraction of complex security actions and deliver friendly information to be analyzed and support the decision about the security of their data.…”

Section: Work Related To Personal Data Transparencymentioning

confidence: 99%

TR-Model. A Metadata Profile Application for Personal Data Transparency

et al. 2020

View full text Add to dashboard Cite

People's usage of social networks, mobile applications, websites, sensor networks and other computer systems leads to a massive production of personal data about their behaviors and preferences. Personal data are used by organizations in business and marketing tasks. However, details about personal data usage are often not accessible or clear to data subject, raising concerns about privacy and security. Presentation of information about personal data usage needs improvement towards Personal Data Transparency. Thus, this paper aims to present the TR-Model, a Metadata Application Profile guideline that intends to propose a standardization on information to be considered minimally necessary to Personal Data Transparency as well as a set of specifications to guide developers on how to present this data. TR-Model elements are focused providing Personal Data Transparency in a user-friendly and high quality format. TR-Model presents a set of specification based on entities, metadata, metaevents and descriptions. The model evaluation was based on user testing in several scenarios of usage of personal data in a gym application tool. The information presented was created based on the TR-Model metadata, metaevents and descriptions. Participants evaluated transparency considering dimensions of Human-Computer Interaction and Information Quality. Participants' opinions were recorded in surveys and analyzed with descriptive statistics; the results indicate that the TR-Model was effective in supporting the production of friendly, understandable and relevant Transparency for data subjects, in compliance with regulations like GDPR.

show abstract

“…We handle variability in OCL constraints using partially specified operations that need to be later updated or redefined based on the context at hand. For example, the second constraint (L. [15][16][17][18][19] states that the age of data subjects should be greater than a certain dynamic threshold. However, when the context is known, the operation V getMinimumAgeForDS should dynamically identify the value of the threshold based on the country of residence of the data subject and the locations of the involved data processing, controllers, and processors.…”

Section: Gdpr Concepts (In Grey)mentioning

confidence: 99%

“…Ayala-Rivera and Pasquale [3] 2018 Partial × Burmeister et al [6] 2019 Complete × × Diamantopoulou et al [11] 2017 Partial × × × Sing [32] 2018 Complete × Caramujo et al [8] 2019 Partial × × Pullonen and Matulevicius [27] 2019 Complete × × Tom et al [38] 2018 Complete × × Chung et al [9] 2008 NA × Panesar-Walawege et al [26] 2013 NA Ranise and Siswantoro [28] 2020 Partial × × Guarda et al [18] 2017 NA This article 2021 Complete ships in their Information Systems, whilst complying with laws and regulations. Sing [32] proposes a method based on a metamodel for analysing business processes of information systems and aligning them with the GDPR.…”

Section: Compliance Available Expertmentioning

confidence: 99%