Compiling Personal Data and Subject Categories from App Data Models

Bibliographic Details
Published in ICT Systems Security and Privacy Protection Vol. 625; pp. 242 - 255
Main Authors Burkert, Christian, Blochberger, Maximilian, Federrath, Hannes
Format Book Chapter
Language English
Published Switzerland Springer International Publishing AG 2021
Springer International Publishing
Series IFIP Advances in Information and Communication Technology
Summary: Maintaining documentation about personal data processing is mandated by GDPR. When it comes to application software and its operation, this obligation can become challenging. Operators often do not know enough about app internals to be comprehensive in their documentation or follow changes enough to be up-to-date. We therefore propose a semi-automatic process to compile documentation from the source of truth: the app data model. Our approach uses data model entity relations to determine identifiability of data subjects. We guide app experts to add the semantic knowledge that is necessary to determine subject categories and to subsequently compile a condensed listing of personal data. We provide evidence for the real-world applicability of our proposal by evaluating the data models of five common web apps.
ISBN: 9783030781194
3030781194
ISSN: 1868-4238
1868-422X
DOI: 10.1007/978-3-030-78120-0_16