Modeling data protection and privacy: application and experience with GDPR

  • Special Section Paper
Software and Systems Modeling

Abstract

In Europe and indeed worldwide, the General Data Protection Regulation (GDPR) provides protection to individuals regarding their personal data in the face of new technological developments. GDPR is widely viewed as the benchmark for data protection and privacy regulations that harmonizes data privacy laws across Europe. Although the GDPR is highly beneficial to individuals, it presents significant challenges for organizations monitoring or storing personal information. Since there is currently no automated solution with broad industrial applicability, organizations have no choice but to carry out expensive manual audits to ensure GDPR compliance. In this paper, we present a complete GDPR UML model as a first step toward designing automated methods for checking GDPR compliance. Given that the practical application of the GDPR is influenced by national laws of the EU Member States, we suggest a two-tiered description of the GDPR, generic and specialized. In this paper, we provide (1) the GDPR conceptual model we developed with complete traceability from its classes to the GDPR, (2) a glossary to help understand the model, (3) the plain-English description of 35 compliance rules derived from GDPR along with their encoding in OCL and (4) the set of 20 variation points derived from GDPR to specialize the generic model. We further present the challenges we faced in our modeling endeavor, the lessons we learned from it and future directions for research.


Notes

  1. Art. 29 WP is the independent European working party that dealt with issues relating to the protection of privacy and personal data until May 25, 2018 (the date on which the GDPR took effect). All archives from Art. 29 WP are available at: https://ec.europa.eu/newsroom/article29/news-overview.cfm. Art. 29 WP has been replaced by the European Data Protection Board; see https://edpb.europa.eu


Acknowledgements

This paper was supported by Linklaters, Luxembourg’s National Research Fund (FNR), under grant BRIDGES/19/IS/13759068/ARTAGO and NSERC of Canada under the Discovery, Discovery Accelerator and CRC programs.

Author information

Corresponding author

Correspondence to Damiano Torre.

Additional information

Communicated by Tao Yue, Man Zhang and Silvia Abrahao.

About this article

Cite this article

Torre, D., Alferez, M., Soltana, G. et al. Modeling data protection and privacy: application and experience with GDPR. Softw Syst Model 20, 2071–2087 (2021). https://doi.org/10.1007/s10270-021-00935-5

  • DOI: https://doi.org/10.1007/s10270-021-00935-5
