Abstract
The European Union (EU) General Data Protection Regulation (GDPR) has expanded data privacy regulations regarding personal data for over half a billion EU citizens. Given the regulation’s effectively global scope and its significant penalties for non-compliance, systems that store or process personal data in increasingly complex workflows will need to demonstrate how data were generated and used. In this paper, we analyze the GDPR text to explicitly identify a set of central challenges for GDPR compliance for which data provenance is applicable; we introduce a data provenance model for representing GDPR workflows; and we present design patterns that demonstrate how data provenance can be used realistically to help in verifying GDPR compliance. We also discuss open questions about what will be practically necessary for a provenance-driven system to be suitable under the GDPR.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Council of the European Union, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation). Official J. Eur. Union L 119, 1–88 (2016)
Tankard, C.: What the GDPR means for businesses. Netw. Secur. 2016(6), 5–8 (2016)
Bartolini, C., Muthuri, R., Santos, C.: Using ontologies to model data protection requirements in workflows. In: Otake, M., Kurahashi, S., Ota, Y., Satoh, K., Bekki, D. (eds.) New Frontiers in Artificial Intelligence. JSAI-isAI 2015. LNCS, vol. 10091, pp. 233–248. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-50953-2_17
Vijayan, J.: 6 ways to prepare for the EU’s GDPR. InformationWeek, September 2016
Ashford, W.: Much GDPR prep is a waste of time, warns PwC, ComputerWeekly, October 2017
Martin, A., Lyle, J., Namilkuo, C.: Provenance as a security control. In: Proceedings of the Theory and Practice of Provenance 2012. USENIX (2012)
Bonatti, P., Kirrane, S., Polleres, A., Wenning, R.: Transparent personal data processing: the road ahead. In: Tonetta, S., Schoitsch, E., Bitsch, F. (eds.) SAFECOMP 2017. LNCS, vol. 10489, pp. 337–349. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66284-8_28
Pandit, H.J., Lewis, D.: Modelling provenance for GDPR compliance using linked open data vocabularies. In: Proceedings of Society, Privacy and the Semantic Web - Policy and Technology 2017 (2017)
World Wide Web Consortium, PROV-DM: The PROV data model, April 2013. https://www.w3.org/TR/prov-dm/
Council of the European Union, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (Data Protection Directive), Official J. Eur. Union L 281, 31–50 (1995)
Basin, D., Debois, S., Hildebrandt, T.: On purpose and by necessity: compliance under the GDPR. In: Proceedings of Financial Cryptography and Data Security 2018, March 2018
Gjermundrød, H., Dionysiou, I., Costa, K.: privacyTracker: a privacy-by-design GDPR-compliant framework with verifiable data traceability controls. In: Casteleyn, S., Dolog, P., Pautasso, C. (eds.) ICWE 2016. LNCS, vol. 9881, pp. 3–15. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-46963-8_1
Aldeco-Pérez, R., Moreau, L.: Provenance-based auditing of private data use. In: Proceedings of Visions of Computer Science 2008, pp. 141–152 (2008)
Bier, C.: How usage control and provenance tracking get together - A data protection perspective. In: Proceedings of IEEE 4th International Workshop on Data Usage Management, pp. 13–17, May 2013
Bates, A., Tian, D., Butler, K.R.B., Moyer, T.: Trustworthy whole-system provenance for the Linux kernel. In: Proceedings of USENIX Security 2015, pp. 319–334 (2015)
Pasquier, T., Singh, J., Eyers, D., Bacon, J.: CamFlow: managed data-sharing for cloud services. IEEE Trans. Cloud Comput. 5(3), 472–484 (2017)
Bates, A., et al.: Transparent web service auditing via network provenance functions. In: Proceedings of the 26th International Conference on World Wide Web, pp. 887–895 (2017)
Acknowledgements
The authors would like to thank Jenny Applequist for her editorial assistance, the members of the PERFORM and STS research groups at the University of Illinois at Urbana-Champaign for their advice, and the anonymous reviewers for their helpful comments. This material is based upon work supported by the Maryland Procurement Office under Contract No. H98230-18-D-0007 and by the National Science Foundation under Grant Nos. CNS-1657534 and CNS-1750024. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Ujcich, B.E., Bates, A., Sanders, W.H. (2018). A Provenance Model for the European Union General Data Protection Regulation. In: Belhajjame, K., Gehani, A., Alper, P. (eds) Provenance and Annotation of Data and Processes. IPAW 2018. Lecture Notes in Computer Science(), vol 11017. Springer, Cham. https://doi.org/10.1007/978-3-319-98379-0_4
Download citation
DOI: https://doi.org/10.1007/978-3-319-98379-0_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-98378-3
Online ISBN: 978-3-319-98379-0
eBook Packages: Computer ScienceComputer Science (R0)