
GDPR compliance through standard security controls: An automated approach

Published: 10 May 2024

Abstract

Since 2018, the enactment of the General Data Protection Regulation (GDPR) has granted every individual distinct rights while imposing obligations to safeguard personal data. The GDPR addresses a clear need in our interconnected, social-media-driven society. Complying with it, however, is a considerable challenge, particularly for small and medium-sized businesses. This work aims to identify and select the proper countermeasures for GDPR compliance by using standard security controls. To this end, we designed a tool that handles some phases of the compliance process in a semi-automated way. The proposed approach relies on standard security control frameworks (namely NIST SP 800-53) and can easily be adapted to other frameworks. The technique was validated using our university as a case study, through a simple demonstrator, although the solution can be applied transparently to other contexts.

Cited By

  • (2024) Personal Data Transfers to Non-EEA Domains: A Tool for Citizens and An Analysis on Italian Public Administration Websites. Proceedings of the 2024 International Conference on Information Technology for Social Good, 10.1145/3677525.3678632, pp. 1–4. Online publication date: 4 Sep 2024.

Published In

Journal of High Speed Networks, Volume 30, Issue 2, 2024, 145 pages. This is a free to read article. Copyright IOS Press and the authors.

Publisher

IOS Press, Netherlands

Author Tags

  1. GDPR
  2. privacy
  3. cloud
  4. security policy
  5. security control framework

Qualifiers

  • Research-article
