Secure semi-automated GDPR compliance service with restrictive fine-grained access control

Max Hashem Eiza, VINH-THONG TA, Qi Shi, Yue Cao

Research output: Contribution to journalArticle (journal)peer-review

2 Downloads (Pure)

Abstract

Sharing personal data with service providers is a contentious issue that led to the birth of data regulations such as the EU General Data Protection Regulation (GDPR) and similar laws in the US. Complying with these regulations is a must for service providers. For users, this compliance assures them that their data is handled the way the service provider says it will be via their privacy policy. Auditing service providers' compliance is usually carried out by specific authorities when there is a need to do so (e.g., data breach). Nonetheless, these irregular compliance checks could lead to non-compliant actions being undetected for long periods. Users need an improved way to make sure their data is managed properly, giving them the ability to control and enforce detailed, restricted access to their data, in line with the policies set by the service provider. This work addresses these issues by providing a secure semi-automated GDPR compliance service for both users and service providers using smart contracts and attribute-based encryption with accountability. Privacy policies will be automatically checked for compliance before a service commences. Users can then upload their personal data with restrictive access controls extracted from the approved privacy policy. Operations' logs on the personal data during its full lifecycle will be immutably recorded and regularly checked for compliance to ensure the privacy policy is adhered to at all times. Evaluation results, using a real-world organization policy and example logs, show that the proposed service achieves these goals with low time overhead and high throughput.
Original languageEnglish
Article number2024;e451
Pages (from-to)1-30
Number of pages30
JournalSecurity and Privacy
Volume2024
Issue numbere451
DOIs
Publication statusPublished - 14 Aug 2024

Keywords

  • GDPR Compliance
  • Fine-Grained Access Control
  • Secure Service
  • Data Privacy
  • Semi-Automated Compliance
  • Data Protection
  • Access Management
  • Security Automation
  • Legal Compliance
  • Privacy Regulations

Research Centres

  • Data and Complex Systems Research Centre

Fingerprint

Dive into the research topics of 'Secure semi-automated GDPR compliance service with restrictive fine-grained access control'. Together they form a unique fingerprint.

Cite this