A Methodology for Eliciting Data Privacy Requirements and Resolving Conflicts

Abstract

Privacy is one of the major concerns of data protection where personal data of individuals are used by enterprises for providing services. To ensure the rights of citizens, different legal authorities, including European Union, have made it mandatory for enterprises to implement certain privacy principles. An enterprise may also have its own set of privacy principles that help provide customized privacy experience to its customers, with the motive of retaining its customer base and weaning away customers from its competitors. To ensure privacy compliance with legal policies, enterprise privacy principles and expectations of customers, the system design should consider the privacy requirements emanating from all these sources. However, the requirements are often expressed in natural languages, which are difficult to interpret for system designers. In this paper, a logic-based methodology is proposed to formally express privacy requirements emanating from all three different sources. The methodology also includes an algorithm to identify and resolve conflicts among elicited privacy requirements. The proposed approach can be considered as the first step towards ensuring privacy compliance. This would help an enterprise to identify conflicting privacy requirements, resolve conflicts as per pre-defined rules and identify implementable privacy principles to enable the management of privacy compliance.