GDPR-Based User Stories in the Access Control Perspective

Because of GDPR’s principle of “data protection by design and by default”, organizations that wish to stay lawful have to re-think their data practices. Access Control (AC) can be a technical solution for them to protect access to “personal data by design”, and thus to gain legal compliance, but this requires Access Control Policies (ACPs) expressing requirements aligned with GDPR’s provisions. Provisions, however, are pieces of law and are not written to be immediately interpreted as technical requirements; the task is thus not straightforward. The Agile software development methodology can help untangle the problem. It has dedicated tools to describe requirements, and one of them, User Stories, seems up to the task. Stories are concise yet informal descriptions telling who, what and why something is required by users; they are prioritized in lists, called backlogs. Inspired by these Agile tools, this paper advances the notion of Data Protection backlogs, which are lists of User Stories about GDPR provisions told as technical requirements. For each User Story we build a corresponding ACP, so enabling the implementation of GDPR-compliant AC systems.
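To make the story-to-policy idea concrete, here is an added illustration (not code from the paper) of a small Data Protection backlog whose User Stories, told as who / what / why, are each turned into an attribute-based ACP and evaluated by a fail-closed decision function. The story texts, the `constraint` vocabulary, the request shape and the record are all constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed request shape: {"subject": {...}, "resource": {...}, "action": str, "purpose": str}
Request = dict

@dataclass(frozen=True)
class UserStory:
    """Data Protection backlog item told as who / what / why (constructed example)."""
    who: str          # role telling the story, e.g. "data_subject"
    what: str         # requested action on personal data, e.g. "read"
    why: str          # motivation, kept for traceability back to the provision
    constraint: str   # attribute condition the derived ACP must enforce (assumed vocabulary)

@dataclass(frozen=True)
class Policy:
    role: str
    action: str
    applies: Callable[[Request], bool]

# Assumed mapping from a story's constraint name to an ABAC-style attribute predicate.
CONSTRAINTS: dict[str, Callable[[Request], bool]] = {
    # the record must describe the requesting subject
    "owner_only": lambda r: r["subject"]["id"] == r["resource"]["data_subject_id"],
    # the declared purpose must be one the data subject consented to
    "consented_purpose": lambda r: r["purpose"] in r["resource"]["consented_purposes"],
}

def story_to_policy(story: UserStory) -> Policy:
    """Derive the ACP for one backlog story; an unknown constraint fails closed."""
    predicate = CONSTRAINTS.get(story.constraint, lambda r: False)
    return Policy(story.who, story.what, predicate)

def decide(backlog: list[UserStory], request: Request) -> str:
    """Evaluate policies in backlog (priority) order: permit on first match, else deny."""
    for policy in map(story_to_policy, backlog):
        if (policy.role == request["subject"]["role"]
                and policy.action == request["action"]
                and policy.applies(request)):
            return "permit"
    return "deny"

# Constructed backlog of two stories, highest priority first.
BACKLOG = [
    UserStory("data_subject", "read", "to check the data held about me is accurate", "owner_only"),
    UserStory("processor", "read", "to carry out the purpose the subject agreed to", "consented_purpose"),
]

RECORD = {"data_subject_id": "s-42", "consented_purposes": ["billing"]}  # constructed sample record

def request(role: str, subject_id: str, purpose: str = "none", action: str = "read") -> Request:
    """Build a constructed access request against RECORD."""
    return {"subject": {"role": role, "id": subject_id}, "resource": RECORD,
            "action": action, "purpose": purpose}
```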
