Modeling data protection and privacy: application and experience with GDPR

Damiano Torre (E-mail: damiano.torre@tamuct.edu)
Mauricio Alferez (E-mail: alferez.mauricio@gmail.com)
Ghanem Soltana (E-mail: ghanem.soltana@gmail.com)
Mehrdad Sabetzadeh (E-mail: m.sabetzadeh@uottawa.ca)
Lionel Briand (E-mail: lionel.briand@uni.lu)

1 SnT Centre for Security, Reliability and Trust, University of Luxembourg, Luxembourg
2 School of Electrical Engineering and Computer Science, University of Ottawa, Canada
3 Department of Computer Information Systems, Texas A&M University Central Texas, United States

In Europe and indeed worldwide, the General Data Protection Regulation (GDPR) provides protection to individuals regarding their personal data in the face of new technological developments. GDPR is widely viewed as the benchmark for data protection and privacy regulations that harmonizes data privacy laws across Europe. Although the GDPR is highly beneficial to individuals, it presents significant challenges for organizations monitoring or storing personal information. Since there is currently no automated solution with broad industrial applicability, organizations have no choice but to carry out expensive manual audits to ensure GDPR compliance. In this paper, we present a complete GDPR UML model as a first step towards designing automated methods for checking GDPR compliance. Given that the practical application of the GDPR is influenced by national laws of the EU Member States, we suggest a two-tiered description of the GDPR, generic and specialized. In this paper, we provide (1) the GDPR conceptual model we developed with complete traceability from its classes to the GDPR, (2) a glossary to help understand the model, (3) the plain-English description of 35 compliance rules derived from GDPR along with their encoding in OCL, and (4) the set of 20 variation points derived from GDPR to specialize the generic model. We further present the challenges we faced in our modeling endeavor, the lessons we learned from it, and future directions for research.
