DPMF: A Modeling Framework for Data Protection by Design

Building software-intensive systems that respect the fundamental rights to privacy and data protection requires explicitly addressing data protection issues in the early development stages. Data Protection by Design (DPbD)—as coined by Article 25(1) of the General Data Protection Regulation (GDPR)—therefore calls for an iterative approach based on (i) the notion of risk to data subjects, (ii) close collaboration between the involved stakeholders and (iii) accountable decision-making. In practice, however, the legal reasoning behind DPbD is often conducted on the basis of informal system descriptions that lack systematicity and reproducibility. This affects the quality of Data Protection Impact Assessments (DPIAs)—i.e. the concrete manifestation of DPbD at the organizational level. It is a major stumbling block for a comprehensive and durable assessment of the risks that takes both the legal and the technical complexities into account. In this article, we present DPMF, a data protection modeling framework that allows for a comprehensive and accurate description of the data processing operations in terms of the key concepts used in the GDPR. The proposed modeling approach supports the automation of a number of legal reasoning and compliance assessment tasks (e.g., purpose compatibility) that are commonly addressed in a DPIA exercise, and this support is firmly rooted in the system description models. DPMF is supported by a prototype modeling tool, and its practical applicability is validated in the context of a realistic e-health system for a number of complementary development scenarios.
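To make concrete what an automated compliance assessment "rooted in the system description model" can look like, the following added example (not DPMF's metamodel, tool or e-health case study; the entity names, the compatibility rule and the sample model are all constructed for this illustration) records, for each personal data category, the purpose it was collected for, and then checks every processing operation against the purpose-limitation principle: an operation may use a category only for the collection purpose or for a further purpose the controller has explicitly declared compatible with it. Data that is processed without any recorded collection purpose is flagged as well, since no compatibility judgement can be made for it.

```python
"""Toy GDPR-style processing model with an automated purpose-compatibility check.

Hypothetical illustration: the classes, the compatibility rule and the sample
e-health model below are constructed for this example and are not the DPMF
metamodel or its prototype tool.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Collection:
    """A personal data category collected from data subjects for a stated purpose."""
    data: str       # data category, e.g. "heart_rate"
    purpose: str    # purpose specified at collection time


@dataclass(frozen=True)
class Operation:
    """A processing operation in the system description."""
    name: str
    actor: str              # controller or processor performing the operation
    inputs: frozenset       # personal data categories the operation reads
    purpose: str            # purpose for which it processes them


@dataclass
class ProcessingModel:
    collections: list = field(default_factory=list)
    operations: list = field(default_factory=list)
    # Controller-declared compatibility: collection purpose -> further purposes
    # that may reuse data collected for it.
    compatible: dict = field(default_factory=dict)

    def collection_purposes(self, data):
        """All purposes under which a data category was collected."""
        return {c.purpose for c in self.collections if c.data == data}

    def purpose_compatibility_findings(self):
        """Return (operation, data, reason) triples for every purpose-limitation issue.

        An operation's use of a data category is acceptable if its purpose equals
        one of the collection purposes or is declared compatible with one of them.
        """
        findings = []
        for op in self.operations:
            for data in sorted(op.inputs):
                purposes = self.collection_purposes(data)
                if not purposes:
                    findings.append((op.name, data, "no collection purpose recorded"))
                    continue
                ok = any(op.purpose == p or op.purpose in self.compatible.get(p, ())
                         for p in purposes)
                if not ok:
                    findings.append((op.name, data,
                                     f"purpose '{op.purpose}' not compatible with "
                                     f"{sorted(purposes)}"))
        return findings


def sample_model():
    """Constructed e-health model: a monitoring service with one out-of-purpose use."""
    return ProcessingModel(
        collections=[
            Collection("heart_rate", "patient_monitoring"),
            Collection("name", "patient_monitoring"),
        ],
        compatible={"patient_monitoring": ("pseudonymised_clinical_research",)},
        operations=[
            Operation("alert_physician", "hospital",
                      frozenset({"heart_rate", "name"}), "patient_monitoring"),
            Operation("research_export", "hospital",
                      frozenset({"heart_rate"}), "pseudonymised_clinical_research"),
            Operation("marketing_profile", "device_vendor",
                      frozenset({"heart_rate", "name"}), "marketing"),
            Operation("billing", "hospital",
                      frozenset({"insurance_id"}), "invoicing"),
        ],
    )


def run_example():
    """Run the check over the sample model and return its findings."""
    return sample_model().purpose_compatibility_findings()


if __name__ == "__main__":
    for op, data, reason in run_example():
        print(f"{op}: {data}: {reason}")
```

The check is deliberately model-driven: it reads only what the system description states, so a finding points to a specific operation and data category in that description, which is what makes the resulting assessment reproducible and traceable across iterations of the design.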
