The industry standard Decision Model and Notation (DMN) has enabled a new way of formalizing business rules since 2015. Here, rules are modeled in so-called decision tables, which are defined by input columns and output columns. Furthermore, decisions are arranged in a graph-like structure (DRD level), which creates dependencies between them. With a given input, the decisions can then be requested by appropriate systems; the activated rules produce output for future use. However, modeling mistakes produce erroneous models, and these mistakes can occur in the decision tables as well as at the DRD level. Following the Design Science Research Methodology, this thesis introduces an implementation of a verification prototype for the detection and resolution of these errors during the modeling phase. To this end, the presented basics provide the theoretical foundation needed for the development of the tool. The thesis further presents the architecture of the tool and the implemented verification capabilities. Finally, the created prototype is evaluated.
Nowadays, almost any IT system involves personal data processing. In such systems, many privacy risks arise when privacy concerns are not properly addressed from the early phases of the system design. The General Data Protection Regulation (GDPR) prescribes the Privacy by Design (PbD) principle. At its core, PbD obliges protecting personal data from the onset of the system development, by effectively integrating appropriate privacy controls into the design. To operationalize the concept of PbD, a set of challenges emerges: First, we need a basis to define privacy concerns. Without such a basis, we are not able to verify whether personal data processing is authorized. Second, we need to identify where precisely in a system the controls have to be applied. This calls for system analysis concerning privacy concerns. Third, with a view to selecting and integrating appropriate controls based on the results of system analysis, a mechanism to identify the privacy risks is required. Mitigating privacy risks is at the core of the PbD principle. Fourth, choosing and integrating appropriate controls into a system are complex tasks that, besides risks, have to consider potential interrelations among privacy controls and the costs of the controls.
This thesis introduces a model-based privacy by design methodology to handle the above challenges. Our methodology relies on a precise definition of privacy concerns and comprises three sub-methodologies: model-based privacy analysis, model-based privacy impact assessment and privacy-enhanced system design modeling. First, we introduce a definition of privacy preferences, which provides a basis to specify privacy concerns and to verify whether personal data processing is authorized. Second, we present a model-based methodology to analyze a system model. The results of this analysis denote a set of privacy design violations. Third, taking into account the results of privacy analysis, we introduce a model-based privacy impact assessment methodology to identify concrete privacy risks in a system model. Fourth, concerning the risks, and taking into account the interrelations and the costs of the controls, we propose a methodology to select appropriate controls and integrate them into a system design. Using various practical case studies, we evaluate our concepts, showing a promising outlook on the applicability of our methodology in real-world settings.
Given the rising number of legal regulations, businesses should have the opportunity to use software to fulfill their compliance management through the use of compliance patterns. These patterns are used to represent substantive and structural parts of the processes. This means companies can increase their efficiency and react to new regulations quickly to avoid possible violations, which can lead to monetary losses or legal consequences. The literature contains many approaches that deal with compliance patterns, but currently no list exists of the necessary compliance patterns that companies should address (Delfmann and Hübers, 2015). This bachelor thesis classifies 80 research contributions according to their different approaches to compliance patterns. For this purpose, a systematic literature review was carried out. As a result, the author developed a graphical classification context that provides an overview of the connections between different compliance approaches. Furthermore, an appendix with 32 compliance patterns from the analyzed papers was developed, which contains real-world patterns together with the classification from the previous sections.