Christos Karageorgiou Kaneen, "Methodology for designing GDPR compliant IoT applications", Diploma Work, School of Electrical and Computer Engineering, Technical University of Crete, Chania, Greece, 2019
https://doi.org/10.26233/heallink.tuc.84151
Since May 2018, the enforcement of the EU’s General Data Protection Regulation (GDPR) has set new standards for organizations that process the personal data of EU residents. The regulation aims to give people more control over their data and to protect them from data breaches; for most organizations, proving compliance to the regulators who mandate it has become an ever-increasing priority, since privacy violations carry steep fines. Because it is difficult to evaluate the compliance of a system that is already running, GDPR requirements must be taken into account during the design phase. In this work we provide a methodology for analyzing these requirements and incorporating them into the design process of a Remote Patient Monitoring application. As no universal methodology covers all application domains and systems, we focus on a single domain: an IoT Service-Oriented Architecture designed for the cloud. By analyzing the dependencies between all system components (personal data, users, cloud services, etc.), we can produce reports, populated with the data the GDPR’s personal-data provisions call for, that can be used to evaluate compliance. As a proof of concept, we apply this analysis and represent the system’s component properties, requirements and dependencies as a labeled-property graph in a graph database. Whether the system is GDPR compliant can then be decided once a series of questions, expressed as queries run against the system graph, have been answered and analyzed. The rationale of our approach is that, once the graph of the designed system has been constructed, evaluating GDPR compliance becomes far easier. In summary, we demonstrate how such a graph can be built from two inputs, (a) design requirements and (b) GDPR requirements, and how evaluating GDPR compliance reduces to analyzing the results of queries run against that graph in a graph database.
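The following is an added illustration of the idea the abstract describes, not code, schema or tooling from the thesis itself: a minimal in-memory labeled-property graph of a remote-patient-monitoring design, with a few GDPR design-time questions written as queries over that graph. The node labels (DataSubject, PersonalData, Service, CloudService), relationship types (BELONGS_TO, PROCESSES, STORED_IN), property names and the sample system are all assumptions chosen for the example; a real deployment of the methodology would run equivalent queries in the graph database's own query language.

```python
"""Toy labeled-property graph with GDPR design-time checks expressed as queries.

Added example, not the thesis's own schema or code. Labels, relationship
types and property names are assumptions; the sample system is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Lawful bases for processing, Art. 6(1)(a)-(f) GDPR.
LEGAL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
               "public_task", "legitimate_interests"}


@dataclass
class Graph:
    """Minimal labeled-property graph: each node has one label and a property
    map, each edge is a typed (src, REL_TYPE, dst) triple."""
    nodes: Dict[str, Tuple[str, dict]] = field(default_factory=dict)
    edges: List[Tuple[str, str, str]] = field(default_factory=list)

    def add_node(self, node_id: str, label: str, **props) -> None:
        self.nodes[node_id] = (label, props)

    def add_edge(self, src: str, rel: str, dst: str) -> None:
        self.edges.append((src, rel, dst))

    def props(self, node_id: str) -> dict:
        return self.nodes[node_id][1]

    def by_label(self, label: str) -> List[str]:
        return [n for n, (lbl, _) in self.nodes.items() if lbl == label]

    def targets(self, src: str, rel: str) -> List[str]:
        return [d for s, r, d in self.edges if s == src and r == rel]


# Each "question" from the methodology becomes a query returning the violators.
def undeclared_legal_basis(g: Graph) -> List[str]:
    """PersonalData nodes whose declared legal_basis is missing or unknown (Art. 6)."""
    return [n for n in g.by_label("PersonalData")
            if g.props(n).get("legal_basis") not in LEGAL_BASES]


def missing_retention(g: Graph) -> List[str]:
    """PersonalData nodes with no retention period (storage limitation, Art. 5(1)(e))."""
    return [n for n in g.by_label("PersonalData") if "retention_days" not in g.props(n)]


def processing_without_purpose(g: Graph) -> List[str]:
    """Services that PROCESS personal data but declare no purpose (Art. 5(1)(b))."""
    return [s for s in g.by_label("Service")
            if g.targets(s, "PROCESSES") and not g.props(s).get("purpose")]


def unencrypted_special_category(g: Graph) -> List[Tuple[str, str]]:
    """(data, store) pairs where special-category data (e.g. health data, Art. 9)
    is STORED_IN a cloud service without encryption at rest (Art. 32)."""
    hits = []
    for d in g.by_label("PersonalData"):
        if not g.props(d).get("special_category"):
            continue
        for store in g.targets(d, "STORED_IN"):
            if not g.props(store).get("encrypted_at_rest"):
                hits.append((d, store))
    return hits


CHECKS = {
    "undeclared_legal_basis": undeclared_legal_basis,
    "missing_retention": missing_retention,
    "processing_without_purpose": processing_without_purpose,
    "unencrypted_special_category": unencrypted_special_category,
}


def compliance_report(g: Graph) -> Dict[str, list]:
    """Run every query; the report is the raw material for the compliance decision."""
    return {name: fn(g) for name, fn in CHECKS.items()}


def is_compliant(g: Graph) -> bool:
    return not any(compliance_report(g).values())


def build_sample_graph() -> Graph:
    """Constructed remote-patient-monitoring design with deliberate gaps; not a real system."""
    g = Graph()
    g.add_node("Patient", "DataSubject")
    g.add_node("HeartRate", "PersonalData", special_category=True,
               legal_basis="consent", retention_days=365)
    g.add_node("HomeAddress", "PersonalData", legal_basis="contract")  # no retention period
    g.add_node("Ingest", "Service", purpose="remote patient monitoring")
    g.add_node("Analytics", "Service")                                  # purpose never declared
    g.add_node("PrimaryDB", "CloudService", encrypted_at_rest=True)
    g.add_node("BackupBucket", "CloudService", encrypted_at_rest=False)  # plaintext backups
    for d in ("HeartRate", "HomeAddress"):
        g.add_edge(d, "BELONGS_TO", "Patient")
    g.add_edge("Ingest", "PROCESSES", "HeartRate")
    g.add_edge("Analytics", "PROCESSES", "HeartRate")
    g.add_edge("HeartRate", "STORED_IN", "PrimaryDB")
    g.add_edge("HeartRate", "STORED_IN", "BackupBucket")
    g.add_edge("HomeAddress", "STORED_IN", "PrimaryDB")
    return g


if __name__ == "__main__":
    sample = build_sample_graph()
    for check, findings in compliance_report(sample).items():
        print(f"{check}: {findings or 'OK'}")
    print("compliant:", is_compliant(sample))
```

Because each question is a query over the design graph rather than an inspection of a running system, a design change (adding a retention period, declaring a purpose, enabling encryption on the backup store) can be re-checked immediately by rebuilding the graph and re-running the report. Note that these checks only confirm that required properties and relationships are declared in the design; they do not prove that the deployed system honours them.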