Because of GDPR's principle of "data protection by design and by default", organizations who wish to stay lawful have to re-think their data practices. Access Control (AC) can be a technical solution for them to protect access to "personal data by design", and thus to gain legal compliance, but this requires to have Access Control Policies (ACPs) expressing requirements aligned with GDPR's provisions. Provisions are however pieces of law and are not written to be immediately interpreted as technical requirements; the task is thus not straightforward. The Agile software development methodology can help untangle the problem. It has dedicated tools to describe requirements and one of such them, User Stories, seems up to task. Stories are concise yet informal descriptions telling who, what and why something is required by users; they are prioritized in lists, called backlogs. Inspired by these Agile tools this paper advances the notion of Data Protection backlogs, which are lists of User Stories about GDPR provisions told as technical requirements. For each User Story we build a corresponding ACP, so enabling the implementation of GDPR compliant AC systems.
GDPR-Based User Stories in the Access Control Perspective
Daoudagh S;Marchetti E
2019
Abstract
Because of GDPR's principle of "data protection by design and by default", organizations who wish to stay lawful have to re-think their data practices. Access Control (AC) can be a technical solution for them to protect access to "personal data by design", and thus to gain legal compliance, but this requires to have Access Control Policies (ACPs) expressing requirements aligned with GDPR's provisions. Provisions are however pieces of law and are not written to be immediately interpreted as technical requirements; the task is thus not straightforward. The Agile software development methodology can help untangle the problem. It has dedicated tools to describe requirements and one of such them, User Stories, seems up to task. Stories are concise yet informal descriptions telling who, what and why something is required by users; they are prioritized in lists, called backlogs. Inspired by these Agile tools this paper advances the notion of Data Protection backlogs, which are lists of User Stories about GDPR provisions told as technical requirements. For each User Story we build a corresponding ACP, so enabling the implementation of GDPR compliant AC systems.| File | Dimensione | Formato | |
|---|---|---|---|
|
prod_415740-doc_150880.pdf
solo utenti autorizzati
Descrizione: GDPR-Based User Stories in the Access Control Perspective
Tipologia:
Versione Editoriale (PDF)
Dimensione
443.5 kB
Formato
Adobe PDF
|
443.5 kB | Adobe PDF | Visualizza/Apri Richiedi una copia |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
