Towards an Enforceable GDPR Specification
- URL: http://arxiv.org/abs/2402.17350v1
- Date: Tue, 27 Feb 2024 09:38:51 GMT
- Title: Towards an Enforceable GDPR Specification
- Authors: François Hublet, Alexander Kvamme and Srđan Krstić
- Abstract summary: Privacy by Design (PbD) is prescribed by modern privacy regulations such as the EU's GDPR. One emerging technique to realize PbD is runtime enforcement (RE). We present a set of requirements and an iterative methodology for creating enforceable formal specifications of legal provisions.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: While Privacy by Design (PbD) is prescribed by modern privacy regulations such as the EU's GDPR, achieving PbD in real software systems is a notoriously difficult task. One emerging technique to realize PbD is runtime enforcement (RE), in which an enforcer, loaded with a specification of a system's privacy requirements, observes the actions performed by the system and instructs it to perform actions that will ensure compliance with these requirements at all times. To be able to use RE techniques for PbD, privacy regulations first need to be translated into an enforceable specification. In this paper, we report on our ongoing work in formalizing the GDPR. We first present a set of requirements and an iterative methodology for creating enforceable formal specifications of legal provisions. Then, we report on a preliminary case study in which we used our methodology to derive an enforceable specification of part of the GDPR. Our case study suggests that our methodology can be effectively used to develop accurate enforceable specifications.
Related papers
- Model-Checking the Implementation of Consent (arXiv, 2024-09-18T08:40:28Z)
  We propose a method to inform consent into low-level computational models.
  We mechanize our models in TLA+ and use model-checking to prove that the models implement high-level privacy requirements.
  We demonstrate our method in two real-world scenarios: an implementation of cookie banners and a system communicating via Bluetooth Low Energy.
- RegNLP in Action: Facilitating Compliance Through Automated Information Retrieval and Answer Generation (arXiv, 2024-09-09T14:44:19Z)
  Regulatory documents, characterized by their length, complexity and frequent updates, are challenging to interpret.
  RegNLP is a multidisciplinary subfield aimed at simplifying access to and interpretation of regulatory rules and obligations.
  The ObliQA dataset contains 27,869 questions derived from the Abu Dhabi Global Markets (ADGM) financial regulation document collection.
- Keeping Behavioral Programs Alive: Specifying and Executing Liveness Requirements (arXiv, 2024-04-02T11:36:58Z)
  We propose an idiom for tagging states with "must-finish," indicating that tasks are yet to be completed.
  We also offer semantics and two execution mechanisms, one based on a translation to Büchi automata and the other based on a Markov decision process (MDP).
- Provable Privacy with Non-Private Pre-Processing (arXiv, 2024-03-19T17:54:49Z)
  We propose a general framework to evaluate the additional privacy cost incurred by non-private data-dependent pre-processing algorithms.
  Our framework establishes upper bounds on the overall privacy guarantees by utilising two new technical notions.
- LLM-based Privacy Data Augmentation Guided by Knowledge Distillation with a Distribution Tutor for Medical Text Classification (arXiv, 2024-02-26T11:52:55Z)
  We propose a DP-based tutor that models the noised private distribution and controls samples' generation with a low privacy cost.
  We theoretically analyze our model's privacy protection and empirically verify our model.
- A Multi-solution Study on GDPR AI-enabled Completeness Checking of DPAs (arXiv, 2023-11-23T10:05:52Z)
  The General Data Protection Regulation (GDPR) requires a data processing agreement (DPA) which regulates processing and ensures personal data remains protected.
  Checking the completeness of a DPA according to the prerequisite provisions is therefore essential to ensure that requirements are complete.
  We propose an automation strategy to address the completeness checking of DPAs against stipulated provisions.
- Legal Requirements Analysis (arXiv, 2023-11-23T09:31:57Z)
  We explore a variety of methods for analyzing legal requirements and exemplify them on representations.
  We describe possible alternatives for creating machine-analyzable representations from regulations.
- Validation-Driven Development (arXiv, 2023-08-11T09:15:26Z)
  This paper introduces a validation-driven development (VDD) process that prioritizes validating requirements in formal development.
  The effectiveness of the VDD process is demonstrated through a case study in the aviation industry.
- Distributed Machine Learning and the Semblance of Trust (arXiv, 2021-12-21T08:44:05Z)
  Federated Learning (FL) allows the data owner to maintain data governance and perform model training locally without having to share their data.
  FL and related techniques are often described as privacy-preserving.
  We explain why this term is not appropriate and outline the risks associated with over-reliance on protocols that were not designed with formal definitions of privacy in mind.
- Design Challenges for GDPR RegTech (arXiv, 2020-05-21T18:55:11Z)
  The Accountability Principle of the methodologies requires that an organisation can demonstrate compliance with the regulations.
  A survey of compliance software solutions shows significant gaps in their ability to demonstrate compliance.
  RegTech has brought great success to financial compliance, resulting in reduced risk, cost savings and enhanced financial regulatory compliance.