论文信息 - Analyzing GDPR Compliance Through the Lens of Privacy Policy

Analyzing GDPR Compliance Through the Lens of Privacy Policy

With the arrival of the European Union's General Data Protection Regulation (GDPR), several companies are making significant changes to their systems to achieve compliance. The changes range from modifying privacy policies to redesigning systems which process personal data. This work analyzes the privacy policies of large-scaled cloud services which seek to be GDPR compliant. The privacy policy is the main medium of information dissemination between the data controller and the users. We show that many services that claim compliance today do not have clear and concise privacy policies. We identify several points in the privacy policies which potentially indicate non-compliance; we term these GDPR vulnerabilities. We identify GDPR vulnerabilities in ten cloud services. Based on our analysis, we propose seven best practices for crafting GDPR privacy policies.

[1] Brent Waters,et al. Attribute-based encryption for fine-grained access control of encrypted data , 2006, CCS '06.

[2] Ittai Abraham,et al. Replex: A Scalable, Highly Available Multi-Index Data Store , 2016, USENIX Annual Technical Conference.

[3] Vijay Chidambaram,et al. The Seven Sins of Personal-Data Processing Systems under GDPR , 2019, HotCloud.

[4] Vijay Chidambaram,et al. Analyzing the Impact of GDPR on Storage Systems , 2019, HotStorage.

[5] Liu Xiao-ying. Fast Subsequence Matching in Time-series Database , 2008 .

[6] Carlos Flavián,et al. Consumer trust, perceived security and privacy policy: Three basic elements of loyalty to a web site , 2006, Ind. Manag. Data Syst..

[7] Hakan Hacigümüs,et al. Executing SQL over encrypted data in the database-service-provider model , 2002, SIGMOD '02.

[8] Jyoti Leeka,et al. INSTalytics , 2019, FAST.

[9] Michael Chow,et al. Eidetic Systems , 2014, OSDI.

[10] Samuel Madden,et al. Processing Analytical Queries over Encrypted Data , 2013, Proc. VLDB Endow..

[11] Marianne Winslett,et al. No Registration Needed: How to Use Declarative Policies and Negotiation to Access Sensitive Resources on the Semantic Web , 2004, ESWS.

[12] Christos Faloutsos,et al. Fast subsequence matching in time-series databases , 1994, SIGMOD '94.