An Overview of Runtime Data Protection Enforcement Approaches

A regulatory framework such as the GDPR succeeds in (i) providing clarity about the nature and the reach of fundamental rights to data privacy and the sovereign role of the data subject, (ii) raising broader awareness of the substantial impact of large-scale, contemporary software-intensive data processing operations on these rights and freedoms, and (iii) creating urgency and imposing gravity, by forcing organizations to take these rights and fundamental principles seriously in a proactive manner. However, regulatory frameworks lack clarity on how these concerns are to be enacted. For example, guidance is lacking on how software should be constructed to consider these data protection principles by design and by default. In this paper, we argue how the direct translation of the GDPR data protection principles into design or code falls short in the context of contemporary software systems, which are both more dynamic and nature and rely on an increasing number of complex inter-organizational collaborations. This means that in such a system, data protection decisions cannot be `hard-coded' but will have to be decided at run time. In addition, we provide an overview of promising existing approaches that contribute to the accomplishment of these fundamental data protection principles in a runtime, operational context.

ISBN:978-1-6654-1012-0

Publication year:2021

Accessibility:Open