On Purpose and by Necessity: Compliance Under the GDPR

The European General Data Protection Regulation (GDPR) gives primacy to purpose: Data may be collected and stored only when (i) end-users have consented, often explicitly, to the purposes for which that data is collected, and (ii) the collected data is actually necessary for achieving these purposes. This development in data protection regulations begets the question: how do we audit a computer system’s adherence to a purpose?

[1]  Christian Schaefer,et al.  Mechanisms for usage control , 2008, ASIACCS '08.

[2]  Reihaneh Safavi-Naini,et al.  Towards defining semantic foundations for purpose-based privacy policies , 2011, CODASPY '11.

[3]  Mark von Rosing,et al.  Business Process Model and Notation - BPMN , 2015, The Complete Business Process Handbook, Vol. I.

[4]  Richard Hull,et al.  Introducing the Guard-Stage-Milestone Approach for Specifying Business Entity Lifecycles , 2010, WS-FM.

[5]  Søren Debois,et al.  Concurrency and Asynchrony in Declarative Workflows , 2015, BPM.

[6]  R. K. Shyamasundar,et al.  Realizing Purpose-Based Privacy Policies Succinctly via Information-Flow Labels , 2014, 2014 IEEE Fourth International Conference on Big Data and Cloud Computing.

[7]  Jan Mendling,et al.  Untrusted Business Process Monitoring and Execution Using Blockchain , 2016, BPM.

[8]  Amirreza Masoumzadeh,et al.  PuRBAC: Purpose-Aware Role-Based Access Control , 2008, OTM Conferences.

[9]  Wil M. P. van der Aalst,et al.  DecSerFlow: Towards a Truly Declarative Service Flow Language , 2006, WS-FM.

[10]  Thomas H. Davenport,et al.  Process Innovation: Reengineering Work Through Information Technology , 1992 .

[11]  Bernhard Steffen,et al.  Towards a tool kit for the automatic generation of interprocedural data flow analyses , 1996, J. Program. Lang..

[12]  Elisa Bertino,et al.  Privacy Protection , 2022 .

[13]  Jorge Lobo,et al.  Privacy-Aware Role-Based Access Control , 2007, IEEE Security & Privacy.

[14]  Jun Gu,et al.  Dynamic Purpose-Based Access Control , 2008, 2008 IEEE International Symposium on Parallel and Distributed Processing with Applications.

[15]  M. Fragkakis,et al.  Comparing the Trust and Security Models of Mobile Agents , 2007 .

[16]  Nicola Zannone,et al.  Purpose Control: Did You Process the Data for the Intended Purpose? , 2011, Secure Data Management.

[17]  Wil M. P. van der Aalst,et al.  DECLARE: Full Support for Loosely-Structured Processes , 2007, 11th IEEE International Enterprise Distributed Object Computing Conference (EDOC 2007).

[18]  Elijah Okon John The Rule of Law in Nigeria: Myth or Reality? , 2011 .

[19]  Ning Zhang,et al.  A Purpose-Based Access Control Model , 2007, Third International Symposium on Information Assurance and Security.

[20]  David Harel,et al.  Modeling Reactive Systems With Statecharts : The Statemate Approach , 1998 .

[21]  Raghava Rao Mukkamala,et al.  Declarative Event-Based Workflow as Distributed Dynamic Condition Response Graphs , 2011, PLACES.

[22]  Alexander Pretschner,et al.  Distributed usage control , 2006, CACM.

[23]  Ninghui Li,et al.  Purpose based access control for privacy protection in relational database systems , 2008, The VLDB Journal.

[24]  Elisa Bertino,et al.  A conditional purpose-based access control model with dynamic roles , 2011, Expert Syst. Appl..