On Purpose and by Necessity: Compliance Under the GDPR

被引：26

作者：

Basin, David ^{[1
]}

Debois, Soren ^{[2
]}

Hildebrandt, Thomas ^{[2
]}

机构：

[1] Swiss Fed Inst Technol, Zurich, Switzerland

[2] IT Univ Copenhagen, Copenhagen, Denmark

来源：

FINANCIAL CRYPTOGRAPHY AND DATA SECURITY, FC 2018 | 2018年 / 10957卷

关键词：

ACCESS-CONTROL;

D O I：

10.1007/978-3-662-58387-6_2

中图分类号：

TP [自动化技术、计算机技术];

学科分类号：

0812 ;

摘要：

The European General Data Protection Regulation (GDPR) gives primacy to purpose: Data may be collected and stored only when (i) end-users have consented, often explicitly, to the purposes for which that data is collected, and (ii) the collected data is actually necessary for achieving these purposes. This development in data protection regulations begets the question: how do we audit a computer system's adherence to a purpose? We propose an approach that identifies a purpose with a business process, and show how formal models of interprocess communication can be used to audit or even derive privacy policies. Based on this insight, we propose a methodology for auditing GDPR compliance. Moreover, we show how given a simple interprocess dataflow model, aspects of GDPR compliance can be determined algorithmically.

引用

页码：20 / 37

页数：18

共 26 条

[1]

[Anonymous], 2011, FORMAL20110103 BPMN

[2]

[Anonymous], 1993, Process Innovation. ReengineeringWork Through Information Technology

[3] Purpose based access control for privacy protection in relational database systems [J].