Modelling Technique for GDPR-compliance: Toward a Comprehensive Solution (2404.13979v1)
Abstract: Data-driven applications and services have been increasingly deployed in all aspects of life, including healthcare and medical services, in which a huge amount of personal data is collected, aggregated, and processed in a centralised server from various sources. As a consequence, preserving the data privacy and security of these applications is of paramount importance. Since May 2018, the new data protection legislation in the EU/UK, namely the General Data Protection Regulation (GDPR), has come into force, and this has created a critical need for modelling compliance with the GDPR's sophisticated requirements. Existing threat modelling techniques are not designed to model GDPR compliance, particularly in a complex system where personal data is collected, processed, manipulated, and shared with third parties. In this paper, we present a novel comprehensive solution for developing a threat modelling technique to address threats of non-compliance and mitigate them by taking GDPR requirements as the baseline and combining them with the existing security and privacy modelling techniques (i.e., STRIDE and LINDDUN, respectively). For this purpose, we propose a new data flow diagram integrated with the GDPR principles, develop a knowledge base for the non-compliance threats, and leverage an inference engine for reasoning about the GDPR non-compliance threats over the knowledge base. Finally, we demonstrate our solution for threats of non-compliance with legal basis and accountability in a telehealth system to show the feasibility and effectiveness of the proposed solution.
Authors: Naila Azam, Anna Lito Michala, Shuja Ansari, Nguyen Truong