research-article

Secure semi‐automated GDPR compliance service with restrictive fine‐grained access control

Published: 14 August 2024

Abstract

Sharing personal data with service providers is a contentious issue that led to the birth of data regulations such as the EU General Data Protection Regulation (GDPR) and similar laws in the US. Complying with these regulations is a must for service providers. For users, this compliance assures them that their data is handled the way the service provider says it will be via their privacy policy. Auditing service providers' compliance is usually carried out by specific authorities when there is a need to do so (e.g., data breach). Nonetheless, these irregular compliance checks could lead to non‐compliant actions being undetected for long periods. Users need an improved way to make sure their data is managed properly, giving them the ability to control and enforce detailed, restricted access to their data, in line with the policies set by the service provider. This work addresses these issues by providing a secure semi‐automated GDPR compliance service for both users and service providers using smart contracts and attribute‐based encryption with accountability. Privacy policies will be automatically checked for compliance before a service commences. Users can then upload their personal data with restrictive access controls extracted from the approved privacy policy. Operations' logs on the personal data during its full lifecycle will be immutably recorded and regularly checked for compliance to ensure the privacy policy is adhered to at all times. Evaluation results, using a real‐world organization policy and example logs, show that the proposed service achieves these goals with low time overhead and high throughput.

Published In

Security and Privacy, Volume 7, Issue 6
November/December 2024
724 pages
EISSN:2475-6725
DOI:10.1002/spy2.v7.6
This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited.

Publisher

John Wiley & Sons, Inc.

United States

Author Tags

  1. access control
  2. blockchain
  3. compliance
  4. GDPR
  5. personal data
