Skip to main content
SpringerLink
Log in
Book cover

International Conference on the Quality of Information and Communications Technology

QUATIC 2019: Quality of Information and Communications Technology pp 3–17Cite as

GDPR-Based User Stories in the Access Control Perspective

  • Conference paper
  • First Online:

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1010))

Abstract

Because of GDPR’s principle of “data protection by design and by default”, organizations who wish to stay lawful have to re-think their data practices. Access Control (AC) can be a technical solution for them to protect access to “personal data by design”, and thus to gain legal compliance, but this requires to have Access Control Policies (ACPs) expressing requirements aligned with GDPR’s provisions. Provisions are however pieces of law and are not written to be immediately interpreted as technical requirements; the task is thus not straightforward. The Agile software development methodology can help untangle the problem. It has dedicated tools to describe requirements and one of such them, User Stories, seems up to task. Stories are concise yet informal descriptions telling who, what and why something is required by users; they are prioritized in lists, called backlogs. Inspired by these Agile tools this paper advances the notion of Data Protection backlogs, which are lists of User Stories about GDPR provisions told as technical requirements. For each User Story we build a corresponding ACP, so enabling the implementation of GDPR compliant AC systems.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   64.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   84.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

  2. 2.

    Note that the Subject expressed in this model is different from the one defined in the User Stories Model: the Subject in that model represents a grammatical function in the formulation of the means; while Subject in the AC domain represents an active entity which covers a role. The Subject in this model is an entity that can semantically be correlated with the Role entity in the User Stories Model.

  3. 3.

    The identifier EpicID has the following structure: GDPR.Epic.Article.[articleNumber].

  4. 4.

    The identifier UserStoryID has the following structure: [EpicID].[ParagraphNumber].[letter].US.[progressiveNumber].

References

  1. Ahola, J., et al.: Handbook of the secure agile software development life cycle. University of Oulu (2014)

    Google Scholar 

  2. Alohaly, M., Takabi, H., Blanco, E.: Automated extraction of attributes from natural language attribute-based access control (ABAC) policies. Cybersecurity 2(1), 2 (2019)

    Article  Google Scholar 

  3. Asthana, V., Tarandach, I., O’Donoghue, N., Sullivan, B., Saario, M.: Practical security stories and security tasks for agile development environments, July 2012

    Google Scholar 

  4. Azham, Z., Ghani, I., Ithnin, N.: Security backlog in scrum security practices. In: 2011 Malaysian Conference in Software Engineering, pp. 414–417. IEEE (2011)

    Google Scholar 

  5. Bartolini, C., Daoudagh, S., Lenzini, G., Marchetti, E.: Towards a lawful authorized access: a preliminary GDPR-based authorized access. In: 14th International Conference on Software Technologies (ICSOFT 2019), Prague, Czech Republic, 26–28 July 2019, pp. 331–338 (2019)

    Google Scholar 

  6. Bartolini, C., Giurgiu, A., Lenzini, G., Robaldo, L.: Towards legal compliance by correlating standards and laws with a semi-automated methodology. In: Bosse, T., Bredeweg, B. (eds.) BNAIC 2016. CCIS, vol. 765, pp. 47–62. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-67468-1_4

    Chapter  Google Scholar 

  7. Cerbo, F.D., Martinelli, F., Matteucci, I., Mori, P.: Towards a declarative approach to stateful and stateless usage control for data protection. In: WEBIST, pp. 308–315. SciTePress (2018)

    Google Scholar 

  8. Cohn, M.: User Stories Applied: For Agile Software Development. Addison-Wesley Professional, Boston (2004)

    Google Scholar 

  9. Fatema, K., Debruyne, C., Lewis, D., O’Sullivan, D., Morrison, J.P., Mazed, A.: A semi-automated methodology for extracting access control rules from the European data protection directive. In: 2016 IEEE SPW, pp. 25–32, May 2016

    Google Scholar 

  10. Fowler, M., Highsmith, J., et al.: The agile manifesto. Softw. Dev. 9(8), 28–35 (2001)

    Google Scholar 

  11. Gupta, M., Benson, J., Patwa, F., Sandhu, R.: Dynamic groups and attribute-based access control for next-generation smart cars. In: CODASPY 2019, Richardson, TX, USA, 25–27 March 2019 (2019)

    Google Scholar 

  12. Hu, C.T., et al.: Guide to attribute based access control (ABAC) definition and considerations [includes updates as of 02-25-2019]. Technical report (2019)

    Google Scholar 

  13. Kassab, M.: The changing landscape of requirements engineering practices over the past decade. In: 2015 IEEE EmpiRE, pp. 1–8, August 2015

    Google Scholar 

  14. Kniberg, H.: Scrum and XP from the Trenches (2015). Lulu.com

  15. Lucassen, G., Dalpiaz, F., van der Werf, J.M.E.M., Brinkkemper, S.: Improving agile requirements: the quality user story framework and tool. Requirements Eng. 21(3), 383–403 (2016)

    Article  Google Scholar 

  16. Lucassen, G., Dalpiaz, F., Werf, J.M.E.M., Brinkkemper, S.: The use and effectiveness of user stories in practice. In: Daneva, M., Pastor, O. (eds.) REFSQ 2016. LNCS, vol. 9619, pp. 205–222. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30282-9_14

    Chapter  Google Scholar 

  17. McCaffery, F., et al.: A process framework combining safety and security in practice. In: Larrucea, X., Santamaria, I., O’Connor, R.V., Messnarz, R. (eds.) EuroSPI 2018. CCIS, vol. 896, pp. 173–180. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-97925-0_14

    Chapter  Google Scholar 

  18. OASIS: eXtensible Access Control Markup Language (XACML) Version 3.0, January 2013. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

  19. Palmirani, M., Martoni, M., Rossi, A., Bartolini, C., Robaldo, L.: Legal ontology for modelling GDPR concepts and norms. In: Legal Knowledge and Information Systems: JURIX 2018, vol. 313, p. 91. IOS Press (2018)

    Google Scholar 

  20. Palmirani, M., Martoni, M., Rossi, A., Bartolini, C., Robaldo, L.: PrOnto: privacy ontology for legal reasoning. In: Kő, A., Francesconi, E. (eds.) EGOVIS 2018. LNCS, vol. 11032, pp. 139–152. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98349-3_11

    Chapter  Google Scholar 

  21. Pandit, H.J., Fatema, K., O’Sullivan, D., Lewis, D.: GDPRtEXT - GDPR as a linked data resource. In: Gangemi, A., et al. (eds.) ESWC 2018. LNCS, vol. 10843, pp. 481–495. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93417-4_31

    Chapter  Google Scholar 

  22. Pandit, H.J., Lewis, D.: Modelling provenance for GDPR compliance using linked open data vocabularies. In: PrivOn@ ISWC (2017)

    Google Scholar 

  23. Rygge, H., Jøsang, A.: Threat poker: solving security and privacy threats in agile software development. In: Gruschka, N. (ed.) NordSec 2018. LNCS, vol. 11252, pp. 468–483. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03638-6_29

    Chapter  Google Scholar 

  24. Sandhu, R.S., Samarati, P.: Access control: principle and practice. IEEE Commun. Mag. 32(9), 40–48 (1994)

    Article  Google Scholar 

  25. Siiskonen, T., Särs, C., Vähä-Sipilä, A., Pietikääinen, A.: Generic security user stories. In: Pekka, P., Juha, R. (eds.) Handbook of the Secure Agile Software Development Life Cycle. University of Oulu, Oulu (2014)

    Google Scholar 

  26. Sobieski, Ś., Zieliński, B.: User stories and parameterized role based access control. In: Bellatreche, L., Manolopoulos, Y. (eds.) MEDI 2015. LNCS, vol. 9344, pp. 311–319. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-23781-7_25

    Chapter  Google Scholar 

  27. Ulbricht, M.-R., Pallas, F.: YaPPL - a lightweight privacy preference language for legally sufficient and automated consent provision in IoT scenarios. In: Garcia-Alfaro, J., Herrera-Joancomartí, J., Livraga, G., Rios, R. (eds.) DPM/CBT -2018. LNCS, vol. 11025, pp. 329–344. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00305-0_23

    Chapter  Google Scholar 

  28. Wachter, S.: Normative challenges of identification in the internet of things: privacy, profiling, discrimination, and the GDPR. Comput. Law Secur. Rev. 34(3), 436–449 (2018)

    Article  Google Scholar 

  29. Wang, W., Gupta, A., Niu, N.: Mining security requirements from common vulnerabilities and exposures for agile projects. In: 2018 IEEE 1st International Workshop on Quality Requirements in Agile Projects (QuaRAP), pp. 6–9, August 2018

    Google Scholar 

  30. Wang, X., Zhao, L., Wang, Y., Sun, J.: The role of requirements engineering practices in agile development: an empirical study. In: Zowghi, D., Jin, Z. (eds.) Requirements Engineering. CCIS, vol. 432, pp. 195–209. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43610-3_15

    Chapter  Google Scholar 

  31. Xiao, X., Paradkar, A., Thummalapenta, S., Xie, T.: Automated extraction of security policies from natural-language software documents. In: Proceedings of the ACM SIGSOFT FSE 2012, FSE 2012, pp. 12:1–12:11. ACM, New York (2012)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg, Luxembourg City, Luxembourg

    Cesare Bartolini & Gabriele Lenzini

  2. Istituto di Scienza e Tecnologie dell’Informazione “A. Faedo” (ISTI), Consiglio Nazionale delle Ricerche (CNR), via G. Moruzzi 1, 56124, Pisa, Italy

    Said Daoudagh & Eda Marchetti

  3. Computer Science Department, University of Pisa, Pisa, Italy

    Said Daoudagh

Authors
  1. Cesare Bartolini
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Said Daoudagh
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Gabriele Lenzini
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Eda Marchetti
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Said Daoudagh .

Editor information

Editors and Affiliations

  1. Department of Information Technologies and Systems, University of Castilla-La Mancha, Ciudad Real, Spain

    Mario Piattini

  2. Departamento de Engenharia Informatica, University of Coimbra, Coimbra, Portugal

    Paulo Rupino da Cunha

  3. Department of Information Technologies and Systems, University of Castilla-La Mancha, Ciudad Real, Spain

    Ignacio García Rodríguez de Guzmán

  4. Department of Information Technologies and Systems, University of Castilla-La Mancha, Ciudad Real, Spain

    Ricardo Pérez-Castillo

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Bartolini, C., Daoudagh, S., Lenzini, G., Marchetti, E. (2019). GDPR-Based User Stories in the Access Control Perspective. In: Piattini, M., Rupino da Cunha, P., García Rodríguez de Guzmán, I., Pérez-Castillo, R. (eds) Quality of Information and Communications Technology. QUATIC 2019. Communications in Computer and Information Science, vol 1010. Springer, Cham. https://doi.org/10.1007/978-3-030-29238-6_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-29238-6_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-29237-9

  • Online ISBN: 978-3-030-29238-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation