Privacy by Design: On the Formal Design and Conformance Check of Personal Data Protection Policies and Architectures
This addresses the need for organizations to avoid penalties under GDPR by providing a systematic method for policy and architecture design, though it is incremental as it builds on existing formal methods for compliance.
The paper tackles the problem of misinterpretation and error-prone conformance checks in designing GDPR-compliant data protection policies and system architectures by applying a formal approach for unambiguous specification and mathematically sound conformance checks, demonstrated through a smart metering case study.
The new General Data Protection Regulation (GDPR) will take effect in May 2018, and hence, designing compliant data protection policies and system architectures became crucial for organizations to avoid penalties. Unfortunately, the regulations given in a textual format can be easily misinterpreted by the policy and system designers, which also making the conformance check error-prone for auditors. In this paper, we apply formal approach to facilitate systematic design of policies and architectures in an unambiguous way, and provide a framework for mathematically sound conformance checks against the current data protection regulations. We propose a (semi-)formal approach for specifying and reasoning about data protection policies and architectures as well as defining conformance relations between architectures and policies. The usability of our proposed approach is demonstrated on a smart metering service case study.