The European General Data Protection Regulation (GDPR) gives primacy to purpose: Data may be collected and stored only when (i) end-users have consented, often explicitly, to the purposes for which that data is collected, and (ii) the collected data is actually necessary for achieving these purposes. This development in data protection regulations begets the question: how do we audit a computer system’s adherence to a purpose? We propose an approach that identifies a purpose with a business process, and show how formal models of interprocess communication can be used to audit or even derive privacy policies. Based on this insight, we propose a methodology for auditing GDPR compliance. Moreover, we show how given a simple interprocess dataflow model, aspects of GDPR compliance can be determined algorithmically.
CITATION STYLE
Basin, D., Debois, S., & Hildebrandt, T. (2018). On Purpose and by Necessity: Compliance Under the GDPR. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10957 LNCS, pp. 20–37). Springer Verlag. https://doi.org/10.1007/978-3-662-58387-6_2
Mendeley helps you to discover research relevant for your work.