DPL: A Language for GDPR Enforcement

The General Data Protection Regulation (GDPR) regulates the handling of personal data, including that personal data may be collected and stored only with the data subject's consent, that data is used only for the explicit purposes for which it is collected, and that is deleted after the purpose...

Full description

Saved in:
Bibliographic Details
Published in2022 IEEE 35th Computer Security Foundations Symposium (CSF) pp. 112 - 129
Main Authors Karami, Farzane, Basin, David, Johnsen, Einar Broch
Format Conference Proceeding
LanguageEnglish
Published IEEE 01.08.2022
Subjects
Buildings
Computer languages
GDPR enforcement
General Data Protection Regulation
Privacy
Programming
Runtime
runtime checking
Semantics
Online AccessGet full text

Cover

More Information
Summary:The General Data Protection Regulation (GDPR) regulates the handling of personal data, including that personal data may be collected and stored only with the data subject's consent, that data is used only for the explicit purposes for which it is collected, and that is deleted after the purposes are served. We propose a programming language called DPL (Data Protection Language) with constructs for enforcing these central GDPR requirements and provide the language's runtime operational semantics. DPL is designed so that GDPR violations cannot occur: potential violations instead result in runtime errors. Moreover, DPL provides constructs to perform privacy-relevant checks, which enable programmers to avoid these errors. Finally, we formalize DPL in Maude, yielding an environment for program simulation, and verify our claims that DPL programs cannot result in privacy violations.
DOI:10.1109/CSF54842.2022.9919687