Abstract

The implementation of the General Data Protection Regulation (GDPR) in the cloud posed technical challenges for the design of compliance solutions. In particular, the accountability principle in the GDPR requires cloud providers to demonstrate their compliance, which implies that a GDPR compliance solution should maintain tamper-proof evidence for the massive data processing activities in cloud services. Additionally, the transparency of a compliance solution is essential for improving the trust of cloud users. Most of the existing solutions implemented their compliance logic as smart contracts on a blockchain to utilize its immutable transaction history for accountability and to gain user trust through its transparency. However, this widely adopted pattern imposed the throughput constraint of blockchains on the implementation of compliance logic. To address this, we first conduct a requirement analysis of the GDPR accountability principle. After the analysis, we introduce a domain model of the principle and propose a modularized architecture to support accountability in the cloud. Then, we present a prototype implementation of the architecture, in which a blockchain-based technique is used to provide immutability and data integrity for event records (e.g., data processing activities of cloud providers), while the compliance logic is not affected by the overhead of blockchains. Finally, we evaluate the prototype using benchmarks and analyses to investigate the throughput, resource consumption, and scalability of the architecture.
