Privacy by Design: On the Formal Design and Conformance Check of Personal Data Protection Policies and Architectures
Vinh Thong Ta

TL;DR
This paper introduces a formal framework for designing and verifying compliance of data protection policies and architectures with GDPR, reducing misinterpretation and errors in conformance checks.
Contribution
It presents a (semi-)formal method for specifying and reasoning about data protection policies and architectures, enabling systematic and unambiguous compliance verification.
Findings
Framework effectively models GDPR compliance requirements.
Case study demonstrates practical applicability.
Formal conformance checks improve accuracy and consistency.
Abstract
The new General Data Protection Regulation (GDPR) will take effect in May 2018, and hence designing compliant data protection policies and system architectures has become crucial for organizations to avoid penalties. Unfortunately, regulations given in a textual format can easily be misinterpreted by policy and system designers, which also makes the conformance check error-prone for auditors. In this paper, we apply a formal approach to facilitate the systematic design of policies and architectures in an unambiguous way, and provide a framework for mathematically sound conformance checks against the current data protection regulations. We propose a (semi-)formal approach for specifying and reasoning about data protection policies and architectures, as well as for defining conformance relations between architectures and policies. The usability of our proposed approach is demonstrated on a…
Taxonomy
Topics: Privacy, Security, and Data Protection · Digitalization, Law, and Regulation · Digital Rights Management and Security
