Lawful and Accountable Personal Data Processing with GDPR-based Access and Usage Control in Distributed Systems

Published 10 Mar 2025 in cs.AI, cs.LO, and cs.SE | (2503.07172v1)

Abstract: Compliance with the GDPR privacy regulation places a significant burden on organisations regarding the handling of personal data. The perceived efforts and risks of complying with the GDPR further increase when data processing activities span across organisational boundaries, as is the case in both small-scale data sharing settings and in large-scale international data spaces. This paper addresses these concerns by proposing a case-generic method for automated normative reasoning that establishes legal arguments for the lawfulness of data processing activities. The arguments are established on the basis of case-specific legal qualifications made by privacy experts, bringing the human in the loop. The obtained expert system promotes transparency and accountability, remains adaptable to extended or altered interpretations of the GDPR, and integrates into novel or existing distributed data processing systems. This result is achieved by defining a formal ontology and semantics for automated normative reasoning based on an analysis of the purpose-limitation principle of the GDPR. The ontology and semantics are implemented in eFLINT, a domain-specific language for specifying and reasoning with norms. The XACML architecture standard, applicable to both access and usage control, is extended, demonstrating how GDPR-based normative reasoning can integrate into (existing, distributed) systems for data processing. The resulting system is designed and critically assessed in reference to requirements extracted from the GDPR.

Summary

  • The paper introduces a framework that automates normative reasoning to verify GDPR-compliant data processing across distributed systems.
  • The architecture extends XACML with a purpose-based access control, leveraging ontologies to ensure accountability and transparency.
  • The study enables ex-post auditing and subject information requests by integrating legal and technical roles in data processing.

GDPR-based Access and Usage Control in Distributed Systems

Introduction

In the context of the increasing demand for compliance with the General Data Protection Regulation (GDPR), the processing of personal data across distributed systems poses several challenges. This paper proposes a framework for lawful and accountable data processing under GDPR guidelines, focusing on automated normative reasoning through an expert system. The research emphasizes transparency, adaptability, and integration within existing and novel distributed data processing systems.

System Architecture and Ontology

The proposed system architecture is presented as a high-level diagram that integrates with existing policy enforcement mechanisms, aiming to ensure compliance through the automation of legal reasoning about data processing activities (Figure 1). The architecture builds upon the XACML framework, extending it with purpose-based access control that takes into account the legal bases for data processing provided for by the GDPR.

Figure 1: High-level diagrammatic representation of the system proposed in this paper. The system can be used in conjunction with existing policy enforcement mechanisms within a system.

The ontology established within this framework defines relations and concepts crucial to the GDPR context (Figure 2). It includes legal bases, data processing purposes, and subject-specific criteria for processing data, ensuring that the framework can assess the lawfulness of data processing activities and facilitate compliance.

Figure 2: An ontology establishing relations between concepts as defined in the purpose-limitation principle.

Purpose-Graph and Normative Reasoning

A purpose-graph is used to instantiate concepts and relations derived from the ontology, capturing the essential elements needed to establish legal arguments for data processing activities (Figure 3). This graph-based representation facilitates the implementation of normative reasoning, aiding in the determination of the lawfulness of specific processing actions and their alignment with GDPR requirements.

Figure 3: Example of a purpose-graph instantiating concepts and relations of the ontology.

Integration and Implementation Strategy

The integration of this framework within distributed systems considers various policy administration roles and technical enforcement roles. Responsibilities are delineated for roles such as Controller, Collector, Performer, and Subject, each contributing specific elements to the purpose graph. An extension of the XACML architectural pattern has been provided to highlight the relevance and placement of the purpose graph and demonstrate the procedure for adjudicating the lawfulness of processing requests (Figure 4).

Figure 4: An extension of (a simplified version of) the architectural pattern in the XACML standard that introduces the purpose graph.

Ex-post Normative Scenarios

The framework also facilitates ex-post scenarios, such as responding to information requests from data subjects and enabling audits by privacy authorities. Normative reasoning, augmented by complete purpose graphs and processing records, aids these processes, fostering transparency and accountability.
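The following is an added illustration, not code from the paper (whose reasoning is implemented in eFLINT): a constructed, much-simplified purpose graph whose parts are filled in by the Controller, Collector, Subject and Performer roles, a PDP-style adjudication that only permits a processing request when a legal basis, the purpose the data was collected for, and the requested action all line up (returning the failed checks as the legal argument), and an ex-post report of the recorded decisions for one subject. All role names, graph fields and sample subjects are assumptions for this example.

```python
from dataclasses import dataclass, field

@dataclass
class PurposeGraph:
    """Constructed, simplified purpose graph; each role fills in its own part."""
    legal_basis: dict = field(default_factory=dict)        # Controller: purpose -> legal basis
    permitted_actions: dict = field(default_factory=dict)  # Controller: purpose -> {actions}
    collected_for: dict = field(default_factory=dict)      # Collector: (subject, category) -> {purposes}
    consent: set = field(default_factory=set)              # Subject: {(subject, purpose)}
    records: list = field(default_factory=list)            # Performer: every adjudicated request

def adjudicate(g, subject, category, action, purpose):
    """PDP-style decision: Permit only if every check holds; the reasons form the argument."""
    reasons = []
    basis = g.legal_basis.get(purpose)
    if basis is None:
        reasons.append(f"no legal basis declared for purpose '{purpose}'")
    elif basis == "consent" and (subject, purpose) not in g.consent:
        reasons.append(f"basis is consent but '{subject}' has not consented to '{purpose}'")
    # purpose limitation: data may only be used for the purposes it was collected for
    if purpose not in g.collected_for.get((subject, category), set()):
        reasons.append(f"'{category}' of '{subject}' was not collected for '{purpose}'")
    if action not in g.permitted_actions.get(purpose, set()):
        reasons.append(f"action '{action}' is not part of purpose '{purpose}'")
    decision = "Permit" if not reasons else "Deny"
    g.records.append((subject, category, action, purpose, decision, tuple(reasons)))
    return decision, reasons

def subject_report(g, subject):
    """Ex-post: what was done (or refused) with this subject's data, and why."""
    return [r for r in g.records if r[0] == subject]

def build_example_graph():
    """Constructed sample: two purposes, two subjects, one consent."""
    g = PurposeGraph()
    g.legal_basis = {"billing": "contract", "marketing": "consent"}
    g.permitted_actions = {"billing": {"read", "store"}, "marketing": {"read", "send_email"}}
    g.collected_for = {("alice", "email"): {"billing", "marketing"}, ("bob", "email"): {"billing"}}
    g.consent = {("alice", "marketing")}
    return g

if __name__ == "__main__":
    g = build_example_graph()
    print(adjudicate(g, "alice", "email", "send_email", "marketing"))  # Permit
    print(adjudicate(g, "bob", "email", "send_email", "marketing"))    # Deny: no consent, wrong purpose
    print(adjudicate(g, "alice", "email", "send_email", "billing"))    # Deny: action outside purpose
    for record in subject_report(g, "bob"):
        print(record)
```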

Conclusion

The paper outlines a robust and adaptable framework for GDPR-aligned data processing across distributed systems. By implementing formal ontologies and enforcing accountability through automated reasoning, the proposed system advances the goal of ensuring lawful personal data processing, facilitating compliance with GDPR, and integrating effectively with current technological infrastructures. This research presents a significant step towards harmonizing data-driven innovation with essential privacy protections.
