Chair of Software Engineering for Business Information Systems (sebis) Faculty of Informatics Technische Universität München wwwmatthes.in.tum.de
Master Thesis: An Extension of Hybrid Wiki Meta-Model for Management of Personal Data Ahmet Tanakol, 30.11.2018, Kick-Off Presentation, Munich
Outline
1. Motivation
§ GDPR
§ Requirements for an Information System
§ Hybrid Wikis
2. Research Approach
3. Use Cases
4. Current Progress
5. Timeline
© sebis 2
Motivation
GDPR: General Data Protection Regulation
• Enforce privacy and protection over data for all individuals within the EU
• Allow individuals to have control over their personal data
What is personal data?
Article 4: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person [1];
1. "EUR-Lex – 32016L0680 – EN – EUR-Lex". eur-lex.europa.eu.
Motivation
Principles of Processing (GDPR – Article 5)
• Data have to be processed lawfully (choose an appropriate lawful basis), fairly and in a transparent manner
• Purpose Limitation: Data can be processed for a specific purpose
• Data Minimization: Collect only relevant and adequate data
• Accuracy: Keep data up to date
• Storage Limitation: You are not allowed to keep personal data longer than is necessary for the purposes of processing
• Integrity and Confidentiality: Ensure security of the personal data
• Accountability: Take responsibility for what you do with data
2. "Privacy notices under the EU General Data Protection Regulation". ico.org.uk.
Motivation
Lawfulness of Processing (GDPR – Article 6)
• Consent
• Contract
• Legal Obligation
• Vital Interests
• Public Interest / Exercise of Official Authority
• Legitimate Interests
• Special Categories
• Criminal Offence
2. "Privacy notices under the EU General Data Protection Regulation". ico.org.uk.
Motivation
Requirements for an Information System
Principles and System Requirements
Lawfulness, fairness and transparency
• Store lawful bases (consent, contract, legitimate interest etc.) for processing activities
• Provide prominent description about usage of personal data
Purpose Limitation
• Store purpose of each processing activity which is used to collect personal data
Data Minimization
• Store personal data only for specified purposes
Accuracy
• Data have to be modifiable
Storage Limitation
• Data have to be removable
• Store retention period for data storage
• Store conflicting legislation (i.e. to identify which personal data have to be stored for a long period of time)
Integrity and Confidentiality
• Limit access to personal data
• Provide access control mechanism
Accountability
• Store records of processing activities
• Store third parties that personal data are shared with
• Keep track of changes of personal data (who did what, when)
• Store information of person who is responsible for data processing activities
2. "Privacy notices under the EU General Data Protection Regulation". ico.org.uk.
Motivation
Hybrid Wikis
The Hybrid Wiki system allows non-expert users to fill in particular fields of a form or table, without any special knowledge of the modeling concepts, in order to create structured information for unstructured content. Semantic annotations can be created and added dynamically by users, and the structured part can be queried via user interfaces [3]. The Hybrid Wiki system can also be used as a model-based data repository [4].
Figure 1: The updated Hybrid Wiki meta-model by Reschenhofer et al. [4]
3. Hybrid Wikis: Empowering Users to Collaboratively Structure Information
4. Lessons Learned in Aligning Data and Model Evolution in Collaborative Information Systems
Motivation
How well does SocioCortex (Implementation of Hybrid Wiki Meta-Model) fit to the requirements
SocioCortex and Requirements
Offer data management ✔
• Data can be stored, modified, deleted and accessed at any time.
Allow to define new data models (connecting data to models via types with a set of attributes) ✔
• Manage GDPR related data models in a structured way
• Access and query to GDPR related information in a fast and easy way (i.e. incoming references of an instance)
• Store various processing activities and related information about these activities
• Data models of GDPR related applications can be defined
Store unstructured content ✔
• Legal texts can be stored as wikis (i.e. description about usage of personal data)
Define attributes to entity types (a predefined set of fields) ✔
• For every personal data object, it is possible to define necessary attributes such as data collection date or retention period.
Access Control ✔
• Limit access to personal data
• Set read/write permissions for different kind of users
Version History ✔
• Keep track of changes in data
Motivation
Hybrid Wikis – GDPR Compliant Hybrid Wikis
Research Goal:
The goal of this research is to extend Hybrid Wikis in a way that data models become readily conformant to GDPR processing principles
• Hybrid Wikis do not provide an interface for addressing GDPR information requirements
• There is a need for defining rules which can be used to evaluate some conditions and apply an effect once the condition is met (e.g. add default attributes if the user enables GDPR fields)
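The condition/effect rule described above, sketched as an added example (not code from the thesis or from SocioCortex). The class names, attribute names and the delete-request check are assumptions modelled on the requirement labels used in this deck's use cases.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable

# Hypothetical default attribute definitions, named after the deck's requirement labels.
GDPR_DEFAULTS = ("lawful_basis", "processing_activity", "storage_duration_days",
                 "immutable_until", "third_parties")

@dataclass
class EntityType:
    name: str
    gdpr_enabled: bool = False
    attributes: list = field(default_factory=list)

@dataclass
class Rule:
    name: str
    condition: Callable[[EntityType], bool]   # evaluated against the entity type
    effect: Callable[[EntityType], None]      # applied only when the condition holds

def add_gdpr_defaults(et: EntityType) -> None:
    # Effect: add only the missing attribute definitions, so re-running is harmless.
    for attr in GDPR_DEFAULTS:
        if attr not in et.attributes:
            et.attributes.append(attr)

RULES = [Rule("gdpr-defaults", lambda et: et.gdpr_enabled, add_gdpr_defaults)]

def apply_rules(et: EntityType, rules=RULES) -> list:
    """Run every rule whose condition is met; return the names of the rules that fired."""
    fired = []
    for rule in rules:
        if rule.condition(et):
            rule.effect(et)
            fired.append(rule.name)
    return fired

def delete_request_allowed(entity: dict, today: date) -> bool:
    """Refuse deletion while conflicting legislation keeps the record immutable."""
    until = entity.get("immutable_until")
    return until is None or today > until

if __name__ == "__main__":
    # Constructed sample data: a newsletter subscriber type and an order record.
    subscriber = EntityType("NewsletterSubscriber", gdpr_enabled=True, attributes=["email"])
    print(apply_rules(subscriber), subscriber.attributes)
    order = {"immutable_until": date(2028, 12, 31)}
    print(delete_request_allowed(order, date(2019, 1, 15)))
```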
Research Approach
System Requirements
• Different lawful bases for processing will be used for this purpose (contract, consent, legitimate interest)
• Starting from these 3 specific domains, relevant parts will be extracted to define data models
Hybrid Wikis
• Understand structuring concepts
• Review Access Control extension
• Examine example scenarios and identify requirements for an interface that conforms to GDPR
Interface
• SocioCortex API (endpoints, available query parameters, authorization etc.)
• Learning how to work on SocioCortex Server (creating workspace, entity types, attribute definitions, entities etc.)
Evaluation
• Both concept and prototype will be evaluated in expert interviews.
Use Cases
Example 1: Consent – Newsletter Subscription
Requirements for GDPR compliance: Conflicting Legislation, Immutable Until, Processing Activity, Lawful Basis, Contact Info, Storage Duration, Opt-in, Third Parties, Update Request, Delete Request
Example 2: Contract – Placing Order
Requirements for GDPR compliance: Conflicting Legislation, Immutable Until, Processing Activity, Lawful Basis, Contact Info, Storage Duration, Opt-in, Third Parties, Update Request, Delete Request
Example 3: Legitimate Interest – IP logging to detect Denial-of-Service attacks
Requirements for GDPR compliance: Conflicting Legislation, Immutable Until, Processing Activity, Lawful Basis, Contact Info, Storage Duration, Opt-in, Third Parties, Update Request, Delete Request
Current Progress
• Data models are improved iteratively and incrementally
• Model requirements for GDPR compliance are identified from the use cases, and proper attributes, entities and entity types are created
• EntityTypes, Entities, TypeConstraints are created on SocioCortex Server based on the use cases
Figure: UML view of GDPR workspace on SocioCortex Server
Timeline
Milestones: Project kick-off 15.10.18; Kick-off presentation 30.11.18; Submission 15.04.19
Gantt chart (time axis: Oct, Nov, Dec 2018; Jan, Feb, Mar, Apr 2019) with the phases:
• Literature Review
• Understanding Hybrid Wikis
• Analyzing Legal Requirements of GDPR; Deriving System Requirements for GDPR Interface
• GDPR Mock Interface Implementation; Learning SocioCortex
• Concept and Prototype Evaluation by Experts
• Writing and Reviewing Master Thesis
Date ranges shown on the chart: 15.10.2018 – 31.12.2018; 01.12.2018 – 28.0.2019; 08.11.2019 – 15.02.2019; 15.01.2019 – 15.02.2019; 15.12.2018 – 15.04.2019
Technische Universität München Faculty of Informatics Chair of Software Engineering for Business Information Systems Boltzmannstraße 3 85748 Garching bei München Tel +49.89.289. Fax +49.89.289.17136 wwwmatthes.in.tum.de
Ahmet Tanakol
References
1. “EUR-Lex – 32016L0680 – EN – EUR-Lex”. eur-lex.europa.eu. Retrieved 02 November 2018.
2. “Guide to the General Data Protection Regulation (GDPR)”. ico.org.uk. 19 January 2018. Retrieved 02 November 2018.
3. Matthes, F.; Neubert, C.; Steinhoff, A.: Hybrid Wikis: Empowering Users to Collaboratively Structure Information. In: 6th International Conference on Software and Data Technologies (ICSOFT), Seville, 2011.
4. Reschenhofer, T.; Bhat, M.; Hernandez-Mendez, A.; Matthes, F.: Lessons Learned in Aligning Data and Model Evolution in Collaborative Information Systems. In: Proceedings of the International Conference on Software Engineering (ICSE), Austin, Texas USA, 2016.