Chair of Software Engineering for Business Information Systems (sebis) Faculty of Informatics Technische Universität München wwwmatthes.in.tum.de Master Thesis: An Extension of Hybrid Wiki Meta-Model for Management of Personal Data Ahmet Tanakol, 30.11.2018, Kick-Off Presentation, Munich


Outline

1. Motivation
   • GDPR
   • Requirements for an Information System
   • Hybrid Wikis
2. Research Approach
3. Use Cases
4. Current Progress
5. Timeline

Motivation

GDPR

GDPR: General Data Protection Regulation

Enforce privacy and protection over data for all individuals within the EU

Allow individuals to have control over their personal data

What is personal data?

Article 4: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person [1];

1. "EUR-Lex – 32016L0680 – EN – EUR-Lex". eur-lex.europa.eu.

Motivation

Principles of Processing

GDPR – Article 5

• Data have to be processed lawfully (choose appropriate lawful basis), fairly and in a transparent manner
• Purpose Limitation: Data can be processed for specific purpose
• Data Minimization: Collect only relevant and adequate data
• Accuracy: Keep data up to date
• Storage Limitation: You are not allowed to keep personal data longer than is necessary for the purposes of processing
• Integrity and Confidentiality: Ensure security of the personal data
• Accountability: Take responsibility for what you do with data

2. "Privacy notices under the EU General Data Protection Regulation". ico.org.uk.

Motivation

Lawfulness of Processing

GDPR – Article 6

• Consent
• Contract
• Legal Obligation
• Vital Interests
• Public Interest / Exercise of Official Authority
• Legitimate Interests
• Special Categories
• Criminal Offence

2. "Privacy notices under the EU General Data Protection Regulation". ico.org.uk.


Motivation

Requirements for an Information System

Principles and the system requirements derived from them:

Lawfulness, fairness and transparency
• Store lawful bases (consent, contract, legitimate interest etc.) for processing activities
• Provide prominent description about usage of personal data

Purpose Limitation
• Store purpose of each processing activity which is used to collect personal data

Data Minimization
• Store personal data only for specified purposes

Accuracy
• Data have to be modifiable

Storage Limitation
• Data have to be removable
• Store retention period for data storage
• Store conflicting legislation (i.e. to identify which personal data have to be stored for a long period of time)

Integrity and Confidentiality
• Limit access to personal data
• Provide access control mechanism

Accountability
• Store records of processing activities
• Store third parties that personal data are shared with
• Keep track of changes of personal data (who did what, when)
• Store information of person who is responsible for data processing activities

2. "Privacy notices under the EU General Data Protection Regulation". ico.org.uk.


Motivation

Hybrid Wikis

The Hybrid Wiki system allows non-expert users to fill in particular fields of a form or table, without any special knowledge of the modeling concepts, in order to create structured information for unstructured content. Semantic annotations can be created and added dynamically by users, and the structured part can be queried via user interfaces [3]. The Hybrid Wiki system can also be used as a model-based data repository [4].

Figure 1: The updated Hybrid Wiki meta-model by Reschenhofer et al. [4]

3. Hybrid Wikis: Empowering Users to Collaboratively Structure Information

4. Lessons Learned in Aligning Data and Model Evolution in Collaborative Information Systems

Motivation

How well does SocioCortex (implementation of the Hybrid Wiki meta-model) fit the requirements?

Each SocioCortex capability is followed by the requirements it addresses:

Offer data management
• Data can be stored, modified, deleted and accessed at any time. ✔

Allow to define new data models (connecting data to models via types with a set of attributes)
• Manage GDPR related data models in a structured way
• Access and query to GDPR related information in a fast and easy way (i.e. incoming references of an instance)
• Store various processing activities and related information about these activities
• Data models of GDPR related applications can be defined

Store unstructured content
• Legal texts can be stored as wikis (i.e. description about usage of personal data)

Define attributes to entity types (a predefined set of fields)
• For every personal data object, it is possible to define necessary attributes such as data collection date or retention period.

Access Control
• Limit access to personal data
• Set read/write permissions for different kinds of users

Version History
• Keep track of changes in data ✔

Motivation

Hybrid Wikis – GDPR Compliant Hybrid Wikis

Research Goal: The goal of this research is to extend Hybrid Wikis in a way that data models become readily conformant to GDPR processing principles.

Hybrid Wikis do not provide an interface for addressing GDPR information requirements.

There is a need for defining rules which can be used to evaluate some conditions and apply an effect once the condition is met (e.g. add default attributes if the user enables GDPR fields).
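The condition/effect rule described above, sketched as an added example; it is not part of the original slides and is not SocioCortex code. `EntityType`, `gdpr_enabled`, `Rule` and `may_delete` are hypothetical names, the attribute names are borrowed from the deck's use-case slides, and their semantics are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Optional

# Attribute names as they appear on the use-case slides; what each one
# means in this sketch is an assumption.
GDPR_DEFAULTS = ("Lawful Basis", "Processing Activity", "Storage Duration",
                 "Immutable Until", "Third Parties")

@dataclass
class EntityType:  # hypothetical stand-in, not the SocioCortex API
    name: str
    gdpr_enabled: bool = False
    attributes: list = field(default_factory=list)

@dataclass
class Rule:
    condition: Callable[[EntityType], bool]
    effect: Callable[[EntityType], None]

    def apply(self, et: EntityType) -> bool:
        """Run the effect only when the condition holds; report whether it fired."""
        if self.condition(et):
            self.effect(et)
            return True
        return False

def add_gdpr_defaults(et: EntityType) -> None:
    # Idempotent: re-running the rule must not duplicate attributes.
    for attr in GDPR_DEFAULTS:
        if attr not in et.attributes:
            et.attributes.append(attr)

GDPR_RULE = Rule(condition=lambda et: et.gdpr_enabled, effect=add_gdpr_defaults)

def may_delete(collected: date, storage_days: int,
               immutable_until: Optional[date], today: date) -> str:
    """Second rule of the same shape for a delete request. Assumed semantics:
    'Immutable Until' (conflicting legislation) blocks deletion first, then an
    expired storage duration makes deletion due regardless of the request."""
    if immutable_until is not None and today < immutable_until:
        return "refuse: retained under conflicting legislation"
    if today >= collected + timedelta(days=storage_days):
        return "delete: storage duration expired"
    return "delete: on data subject request"
```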


Research Approach

System Requirements
• Different lawful bases for processing will be used for this purpose (contract, consent, legitimate interest)
• Starting from these 3 specific domains, relevant parts will be extracted to define data models

Hybrid Wikis
• Understand structuring concepts
• Review Access Control extension
• Examine example scenarios and identify requirements for an interface that conforms to GDPR

Interface
• SocioCortex API (endpoints, available query parameters, authorization etc.)
• Learning how to work on SocioCortex Server (creating workspace, entity types, attribute definitions, entities etc.)

Evaluation
• Both concept and prototype will be evaluated in expert interviews.


Use Cases

Example 1: Consent – Newsletter Subscription
Requirements for GDPR compliance (diagram labels): Conflicting Legislation, Immutable Until, Processing Activity, Lawful Basis, Contact Info, Storage Duration, Opt-in, Third Parties, Update Request, Delete Request

Example 2: Contract – Placing Order
Requirements for GDPR compliance (diagram labels): Conflicting Legislation, Immutable Until, Processing Activity, Lawful Basis, Contact Info, Storage Duration, Opt-in, Third Parties, Update Request, Delete Request

Example 3: Legitimate Interest – IP logging to detect Denial-of-Service attacks
Requirements for GDPR compliance (diagram labels): Conflicting Legislation, Immutable Until, Processing Activity, Lawful Basis, Contact Info, Storage Duration, Opt-in, Third Parties, Update Request, Delete Request


Current Progress

• Data models are improved iteratively and incrementally
• Model requirements for GDPR compliance are identified from the use cases, and proper attributes, entities and entity types are created
• EntityTypes, Entities, TypeConstraints are created on SocioCortex Server based on the use cases

Figure: UML view of GDPR workspace on SocioCortex Server


Timeline

Milestones: project kick-off 15.10.18; kick-off presentation 30.11.18; submission 15.04.19

Activities (Gantt chart, Oct 2018 to Apr 2019):
• Literature Review
• Understanding Hybrid Wikis
• Analyzing Legal Requirements of GDPR
• Deriving System Requirements for GDPR Interface
• GDPR Mock Interface Implementation
• Learning SocioCortex
• Concept and Prototype Evaluation by Experts
• Writing and Reviewing Master Thesis

Date ranges shown on the chart: 15.10.2018 – 31.12.2018; 01.12.2018 – 28.0.2019; 08.11.2019 – 15.02.2019; 15.01.2019 – 15.02.2019; 15.12.2018 – 15.04.2019

Technische Universität München Faculty of Informatics Chair of Software Engineering for Business Information Systems Boltzmannstraße 3 85748 Garching bei München Tel +49.89.289. Fax +49.89.289.17136 wwwmatthes.in.tum.de

Ahmet Tanakol


References

1. “EUR-Lex – 32016L0680 – EN – EUR-Lex”. eur-lex.europa.eu. Retrieved 02 November 2018.

2. “Guide to the General Data Protection Regulation (GDPR)”. ico.org.uk. 19 January 2018. Retrieved 02 November 2018.

3. Matthes, F.; Neubert, C.; Steinhoff, A.: Hybrid Wikis: Empowering Users to Collaboratively Structure Information. In: 6th International Conference on Software and Data Technologies (ICSOFT), Seville, 2011.

4. Reschenhofer, T.; Bhat, M.; Hernandez-Mendez, A.; Matthes, F.: Lessons Learned in Aligning Data and Model Evolution in Collaborative Information Systems. In: Proceedings of the International Conference on Software Engineering (ICSE), Austin, Texas USA, 2016.