Reference : Using Models to Enable Compliance Checking against the GDPR: An Experience Report
Scientific congresses, symposiums and conference proceedings : Paper published in a book
Engineering, computing & technology : Computer science
Security, Reliability and Trust; Law / European Law
http://hdl.handle.net/10993/39701
Using Models to Enable Compliance Checking against the GDPR: An Experience Report
English
Torre, Damiano mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Soltana, Ghanem [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Sabetzadeh, Mehrdad mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Briand, Lionel mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Auffinger, Yuri [Linklaters LLP]
Goes, Peter [Linklaters LLP]
2019
To appear in the proceeding of the IEEE / ACM 22nd International Conference on Model Driven Engineering Languages and Systems (MODELS 19)
ACM/IEEE
Yes
No
International
ACM/IEEE INTERNATIONAL CONFERENCE ON MODEL-DRIVEN ENGINEERING LANGUAGES AND SYSTEMS
from 15-09-2019 to 20-09-2019
Munich
Germany
[en] General Data Protection Regulation ; Regulatory Compliance ; UML ; OCL
[en] The General Data Protection Regulation (GDPR) harmonizes data privacy laws and regulations across Europe. Through the GDPR, individuals are able to better control their personal data in the face of new technological developments. While the GDPR is highly advantageous to citizens, complying with it poses major challenges for organizations that control or process personal data. Since no automated solution with broad industrial applicability currently exists for GDPR compliance checking, organizations have no choice but to perform costly manual audits to ensure compliance. In this paper, we share our experience building a UML representation of the GDPR as a first step towards the development of future automated methods for assessing compliance with the GDPR. Given that a concrete implementation of the GDPR is affected by the national laws of the EU member states, GDPR’s expanding body of case laws and other contextual information, we propose a two-tiered representation of the GDPR: a generic tier and a specialized tier. The generic tier captures the concepts and principles of the GDPR that apply to all contexts, whereas the specialized tier describes a specific tailoring of the generic tier to a given context, including the contextual variations that may impact the interpretation and application of the GDPR. We further present the challenges we faced in our modeling endeavor, the lessons we learned from it, and future directions for research.
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)
University of Luxembourg - UL ; Linklaters LLP
Researchers ; Professionals
http://hdl.handle.net/10993/39701

File(s) associated to this reference

Fulltext file(s):

FileCommentaryVersionSizeAccess
Open access
PID6018521.pdfAuthor postprint922.12 kBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.