Data-CASE: Grounding Data Regulations for Compliant Data Processing Systems

TL;DR

Data-CASE offers a formal framework to interpret and enforce data regulations like GDPR by representing them as invariants grounded in key data processing concepts, enabling compliance verification.

Contribution

It introduces a formal model that captures data regulations as invariants grounded in data processing concepts, facilitating unambiguous compliance enforcement.

Findings

Formal representation of GDPR as invariants

Grounding concepts enables compliance verification

Illustration of deletion concept in data regulation

Abstract

Data regulations, such as GDPR, are increasingly being adopted globally to protect against unsafe data management practices. Such regulations are, often ambiguous (with multiple valid interpretations) when it comes to defining the expected dynamic behavior of data processing systems. This paper argues that it is possible to represent regulations such as GDPR formally as invariants using a (small set of) data processing concepts that capture system behavior. When such concepts are grounded, i.e., they are provided with a single unambiguous interpretation, systems can achieve compliance by demonstrating that the system-actions they implement maintain the invariants (representing the regulations). To illustrate our vision, we propose Data-CASE, a simple yet powerful model that (a) captures key data processing concepts (b) a set of invariants that describe regulations in terms of these concepts. We further illustrate the concept of grounding using "deletion" as an example and highlight several ways in which end-users, companies, and software designers/engineers can use Data-CASE.