The GDPR Compliance and Access Control Systems: Challenges and

Research Opportunities

Said Daoudagh

and Eda Marchetti

ISTI-CNR, Pisa, Italy

Keywords:

Access Control, Compliance, General Data Protection Regulation (GDPR), Privacy-by-Design.

Abstract:

The General Data Protection Regulation (GDPR) is changing how Personal Data should be processed. Using

Access Control Systems (ACSs) and their speciﬁc policies as practical means for assuring a by-design law-

fully compliance with the privacy-preserving rules and provision is currently an increasingly researched topic.

As a result, this newly born research ﬁeld raises several research questions and paves the way for different

solutions. This position paper would like to provide an overview of research challenges and questions con-

cerning activities for analyzing, designing, implementing, and testing Access Control mechanisms (systems

and policies) to guarantee compliance with the GDPR. Some possible answers to the open issues and future

research directions and topics are also provided.

1 INTRODUCTION

The General Data Protection Regulation (GDPR) is

the EU legal framework for the protection of Personal

Data of European citizens (European Union, 2016). It

aims to harmonize the different data protection laws

in Europe and strengthen the rights of individuals.

Thus, the GDPR precisely deﬁnes the involved con-

cepts and roles: Personal Data is deﬁned as any in-

formation about a Data Subject, i.e., an identiﬁed or

identiﬁable natural person; data Controller and data

Processor are deﬁned as the persons involved into the

data management and processing of Personal Data re-

spectively. The GDPR also imposes several duties,

and deﬁnes a system of ﬁnes to induce the Controller

and the Processor to be compliant with the regulation.

In particular, they need to:

i) ensure appropriate technical security level of per-

sonal data, as dictated by the “Integrity and Con-

ﬁdentiality” principle (Art. 5.1(f));

ii) demonstrate the compliance with the GDPR,

as required by the “Accountability” principle

(Art. 5.2); and

iii) adapt and rethink their data practices so as to be

aligned with the “Data protection by design and

by default” approach (Art. 25).

https://orcid.org/0000-0002-3073-6217

https://orcid.org/0000-0003-4223-8036

Despite the simplicity of these statements, their

realization is not straightforward, especially when the

roles of Controller and Processor are taken inside

are taken inside Small and Medium-sized Enterprises

(SMEs). Indeed, one of the most experienced difﬁ-

culties is the GDPR’s technical interpretation (Arfelt

et al., 2019). The simplicity of the natural language

structure of the GDPR leaves the ﬂoor to a concrete

difﬁculty for software architects, developers, and se-

curity experts in translating the GDPR ’s provisions

into technical requirements, especially in case of lack

or no sufﬁcient legal expertise

If big organizations have the economic power to

overcome this problem (e.g., by investing a large

amount of money in both technologies and legal con-

sulting), usually, this is not the same for SMEs. These

look for low-cost and easy-to-use solutions for as-

suring their compliance with the GDPR and for be-

ing prepared to comply with the legal provisions. In-

deed, for all organizations being (by-design) compli-

ant with the GDPR means having technical (and or-

ganizational) solutions that:

(1) are general-purpose;

(2) must take into consideration the regulation by-

design;

(3) must integrate with the existing business pro-

cesses; and ﬁnally,

(4) must be rooted in the GDPR principles dictated in

Art. 5.

Daoudagh, S. and Marchetti, E.

The GDPR Compliance and Access Control Systems: Challenges and Research Opportunities.

DOI: 10.5220/0010912300003120

In Proceedings of the 8th International Conference on Information Systems Security and Privacy (ICISSP 2022), pages 571-578

ISBN: 978-989-758-553-1; ISSN: 2184-4356

571

As evidenced by the data collected by the CMS

Legal Services EEIG

, initiatives for lawfully pro-

cessing personal data are still far from being sufﬁ-

ciently compliant with the regulation. Indeed, the im-

posed ﬁnes are constantly increasing within all the EU

state members (currently reaching around 900 ﬁnes),

and the most encountered type violations are still the

“Insufﬁcient legal basis for data processing” and “In-

sufﬁcient technical and organizational measures to

ensure information security.”

In this situation, and inspired primarily by the

“Integrity and Conﬁdentiality” principle (Art. 5.1(f)),

which calls for the adoption of Access Control (AC)

to regulate the access to Personal Data, recently a new

research ﬁeld has been deﬁned (Daoudagh, 2021):

Leverage AC systems, the de facto mecha-

nisms used to restrict data access, as a techni-

cal solution for protecting “personal data by-

design”, and gaining legal compliance with

the GDPR.

The choice of Access Control Systems (ACSs)

has two pivotal aspects: (1) their structure and (2)

their applicability. Structurally, ACSs satisfy by con-

struction the principle of Integrity and Conﬁdential-

ity (Art. 5.1(f)) because they rely on Access Control

Policies (ACPs), i.e., a set of rules that specify who

has access to which resources and under which cir-

cumstances (Sandhu and Samarati, 1994). Consider-

ing the applicability, ACSs are general-purpose mod-

els supported by a standard and a reference architec-

ture and easily integrated within the existing business

processes to decouple the business logic from autho-

rization. Consequently, we can efﬁcaciously and ef-

fectively leverage AC systems to protect personal data

(security perspective) and process them lawfully (le-

gal perspective).

For the purpose of providing researchers and prac-

titioners guidelines for facing this new ﬁeld of re-

search, in this position paper the current state of the

practice is analyzed. In particular, a classiﬁcation of

the challenges (Section 2) and feasible research ques-

tions (Section 3) and their possible answers are pro-

vided (Section 4), to focus the research activity on the

most important aspects. Finally, the conclusion and

future work are depicted (Section 5).

https://www.enforcementtracker.com/ (Last Access

2021.12.20)

2 CHALLENGES

In using AC as a technical solution for protecting

“personal data by-design” and gaining legal compli-

ance with the GDPR, several challenges have to be

faced up. By referring to (Daoudagh, 2021; Sforzin

A. et al., 2020) for a detailed description, the most im-

portant ones with respect to the data privacy aspects

are:

Performing Data Protection Impact Assessment.

Performing Data Protection Impact Assessment

(DPIA) according to the GDPR is pivotal to

promote and achieve privacy-by-design. Hence,

fulﬁlling the GDPR requirements is an integrated

part of the business of different organizations.

The challenge here is that the GDPR’s require-

ments are often too vague and open. That makes

them subject to interpretation. Therefore, it

might be challenging to correctly and completely

comply with them (Sforzin A. et al., 2020).

GDPR-based Development Life Cycle. The avail-

able development life cycles do not completely

incorporate the privacy-by-design principles, and

proposals targeting the GDPR’s demands are still

needed. Therefore, a reference GDPR-based de-

velopment life cycle - for the speciﬁcation, im-

plementation, and testing of software systems and

applications - which takes into account (Euro-

pean) legal requirements is needed.

Enforcing and Demonstrating the Privacy:

Principles Compliance. The peculiarities and

the complexity of the currently available systems

and applications call for speciﬁc automatic

approaches, facilities, and tools for enforcing

and demonstrating compliance with the privacy

principles. That is a crucial aspect for the

successful and lawful privacy-by-design process

development.

Considering, in particular, the access control as-

pects, the main challenges are:

Modeling the Law. Using Access Control elements

and extensions to address concepts related to a

given law requires formal translations to avoid

misinterpretation or errors. Thus, the necessity of

automatically enforceable matching of actual at-

tributes gathered from legal use cases and the re-

sulting policies to comply with the GDPR’s obli-

gation of “data protection by design and by de-

fault.”

Enforcing Privacy (Security) Policies. A ref-

erence access control architecture to support

context-aware security policies should be deﬁned

so as to assure the enforcement of the privacy

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

572

policies throughout different kinds of systems

and environments. Additionally, methods for

leveraging the integration of the access control

and business processes as well as mechanisms to

guarantee the GDPR compliance during business

activities of data management and analysis should

be conceived.

Veriﬁcation & Validation. The GDPR is changing

how Personal Data should be processed. Part of

the scientiﬁc and industrial worlds are replying

to these requirements by modifying the Access

Control Mechanisms (ACMs) and the way they

are managing and writing their policies. Con-

sequently, speciﬁc testing strategies or validation

approaches should be deﬁned to assure that the

generated GDPR-based policies are aligned with

the GDPR. Failing this task can lead to developing

ACPs that allows an unauthorized user to access

protected personal data (security perspective) and

consequently result in unlawful processing (legal

perspective). Therefore, the need for developing

facilities for verifying that the derived policies are

compliant with the requirements expressed in the

GDPR.

3 RESEARCH QUESTIONS

In replying to the challenges mentioned in the pre-

vious section, software engineering research activi-

ties are focusing on the deﬁnition of procedures and

best practices for joining together Access Control

(AC), Data Protection by-Design, and AC Testing

into a unique Privacy-By-Design methodology. How-

ever, due to the variety of aspects included in those

research activities, we have structured our investi-

gation into the following open Research Questions

(RQs) (Daoudagh, 2021).

Research Question 1 (RQ 1)

How can authorization systems, and in partic-

ular AC, be used for guaranteeing compliance

with the GDPR?

Authorization systems are a cornerstone of secu-

rity, and they are being used for a long time to protect

classiﬁed resources. They have also been used for

dealing with different privacy concepts such as pur-

pose and consent. Consequently, they can be lever-

aged for protecting personal data and satisfying com-

pliance with the GDPR. However, practical solutions

need to face several open questions. Are there com-

prehensive methodologies or set of guidelines to fa-

cilitate the adoption of AC in the state of the practice?

Are there concepts and knowledge belonging to other

disciplines that can be exploited to customize system-

atically existing authorization systems? And how to

encode the GDPR’s obligations in the authorization

systems? Additionally, to provide a systematic ap-

proach for designing and using authorization systems

in the context of the GDPR, accurate analysis of their

current adoption in other legal frameworks and into

the industry needs to be also performed.

Research Question 2 (RQ 2)

To what extent can the GDPR’s obligations be

represented and enforced using Access Con-

trol Technologies?

Legal requirements are expressed in natural lan-

guage, and they are agnostic to the available technolo-

gies presented in our time. Therefore, they can be too

vague to be automatically implemented within a refer-

ence system or technology. However, by deﬁning the

”Integrity and Conﬁdentiality” principle, the GDPR

implicitly calls for adopting ACSs. Indeed, ACSs

are usually regulated by ACPs, which specify who,

what, when, where, how, and why (i.e., the 5W1H) a

user is denied or allowed to access to a given asset.

This information also includes Personal Data. Thus,

the question of how to identify, extract and deﬁne the

ACPs that are by-design compliant with the GDPR is

not straightforward. Therefore, proposals need to an-

swer the following questions. How to model AC poli-

cies according to the GDPR? How to identify AC re-

quirements from the GDPR? How many AC require-

ments can the GDPR encode?

Research Question 3 (RQ 3)

Is it possible to gather technical requirements

from the legal speciﬁcations deﬁned in the

GDPR?

The GDPR, as any other law, is intrinsically ex-

pressed in legal jargon, even if it targets the organi-

zations that process personal data. Even though its

natural language provisions are far from being im-

mediately interpreted as technical requirements, the

“personal data by design” obligation the GDPR forces

organizations to implement system by-design aligned

with the GDPR. That causes a general re-think of

the organizations’ data practices and continuous and

expensive research of ad-hoc technical solutions to

guarantee compliance with the GDPR’s obligations.

Therefore, a key aspect is the availability of facilities

able to automatically extract, from the legal speciﬁ-

The GDPR Compliance and Access Control Systems: Challenges and Research Opportunities

573

cations, all and only the required information and in-

terpret them into technical requirements that can be

easily implemented.

Research Question 4 (RQ 4)

For accomplishing compliance with the

GDPR, which are the supporting technologies

that could be integrated with AC?

The continuous growth of interest for compliance

with the GDPR is fostering the realization of differ-

ent solutions in both industry and academia contexts.

Therefore, accurate analysis of the available propos-

als and an evaluation of their effectiveness in achiev-

ing compliance with the GDPR are necessary to pro-

vide solutions able to be proﬁtably integrated into the

ACS. Additionally, to promote the adoption of the

solutions into real context, further research questions

are: is the proposal based on open standards? Can

available solutions for achieving compliance with the

GDPR’s demands be integrated? And in case, how is

this possible?

Research Question 5 (RQ 5)

Which are the most suitable application do-

mains for applying Access Control Technolo-

gies able to achieve the GDPR compliance?

The GDPR is potentially applicable to every

domain: any context processing personal data are

obliged to obey the GDPR’s principles. At the

same time, in Information and Communication Tech-

nologies (ICTs) systems, also the ACSs is having

a widespread adoption for ruling the resources and

data access. Thus, the synergistic union between the

GDPR and ACSs could be the crucial point for devel-

oping adaptable solutions everywhere. In evaluating

the feasibility of the different proposals, the following

questions should also be considered: are AC really

suitable for different application domains? Can ACSs

be easily integrated in preexisting processes/environ-

ments? Is it possible to enable the authorization as a

service paradigm? And more speciﬁc, is it possible to

decouple business logic from the authorization one?

Research Question 6 (RQ 6)

Is it possible to realize an integrated test envi-

ronment for the validation of (GDPR-aware)

access control systems?

The high-security level is a crucial attribute for

many environments. Thus, discovering the critical-

ities of a system is always an effective means for

putting in practice efﬁcacious and corrective actions

to improve its overall security. That is very true and

important for ACSs (both ACPs and Access Control

Mechanisms (ACMs)) because their security and pri-

vacy vulnerabilities could insert either the risk of re-

leasing inadequate security solutions. These could

allow unauthorized access (security perspective) or

to enable unlawful processing of personal data (le-

gal perspective). At the state of the practice, most of

the time, the criticalities detection is achieved through

the application of effective and efﬁcient testing ap-

proaches. Therefore, the testing solutions should be

guided by the following research questions: is it pos-

sible to realize a test environment speciﬁcally con-

ceived for ACSs? Is it possible to develop speciﬁc

test strategies? Is it possible to provide facilities for

test cases generation and selection? Is it possible to

develop an integrated environment for the automatic

test cases execution and results collections? Is it pos-

sible to deﬁne an oracle for speeding up the test results

evaluation? Is it possible to statistically evaluate the

effectiveness of the applied testing strategies?

4 POSSIBLE ANSWERS TO RQs

In this section, without claiming to provide a com-

plete survey of all available proposals, we provide an

overview of a selection of possible solutions answer-

ing the research questions presented in the previous

section. We refer to (Daoudagh, 2021) for a complete

state-of-the-art survey and additional details.

4.1 Answering RQ 1

Inspired by the “Data Protection by Design” obliga-

tion (Art. 25), one of the most promising answers to

this question is focusing on by-design proposals. In

the literature, both by-design GDPR-based Life Cycle

for developing access control systems in compliance

with the GDPR (Daoudagh and Marchetti, 2020b) and

reference architectures for its (semi)-automation are

available (Davari and Bertino, 2019; Daoudagh and

Marchetti, 2020b; Dernaika et al., 2020). The intent

is to provide support for deﬁning GDPR-based use

cases, developing, testing, deploying, and reviewing

both ACPs and ACMs (Daoudagh, 2021).

4.2 Answering RQ 2

Systematic approaches to gathering access control

requirements from the GDPR are currently avail-

able (Davari and Bertino, 2019; Bartolini et al.,

2019b). Usually, they focus on improving and joining

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

574

academic proposals with methods adopted in the in-

dustrial environment. From a practical point of view,

these proposals include three phases: the translation

of the most suited GDPR’s articles into GDPR-based

ACP templates; the deﬁnition of a customized legal

use case for each GDPR article related to ACP; and

ﬁnally, the generation of enforceable ACPs in a given

language. The adaptation of the different proposals

to other AC models (e.g., Role-Based Access Control

(RBAC)) and other AC languages, and the representa-

tion through AC technologies of any legal text that en-

codes data protection speciﬁcations, still remain cru-

cial challenges.

4.3 Answering RQ 3

Among the proposal trying to answer this ques-

tion, the most promising ones rely on Agile

methodologies to gather AC requirements from the

GDPR (Daoudagh, 2021). Indeed, Agile method-

ologies yield a more broad spectrum since they can

be applied to different data protection frameworks

that encode ACPs speciﬁcation (Chowdhury et al.,

2012). These proposals use the concept of User

Stories (Lucassen et al., 2016) for data protection

requirements representations. In parallel, solutions

providing conceptual models of GDPR-based User

Stories are emerging (Douglas Teodoro and Morley-

Fletcher, 2017; Bartolini et al., 2019a; Miri et al.,

2018). In this case, the GDPR’s structure of the

mandatory articles is unfolded into basic and concrete

elements and used to automatically translate the User

Stories into AC policies.

4.4 Answering RQ 4

Thanks to the peculiarity of the AC, supporting facil-

ities to perform speciﬁc functionalities can be easily

integrated into the different available proposals. Usu-

ally, for accomplishing compliance with the GDPR,

the widespread considered are Semantic Web (in par-

ticular legal ontologies) (Palmirani et al., 2018; Pan-

dit et al., 2019; Davari and Bertino, 2019) and Con-

sent Management (Kurteva et al., 2021). The for-

mer is used to express GDPR concepts and relation-

ships among them, whereas the latter is usually con-

sidered for managing the consent given by the data

subject. To this purpose, some of the available pro-

posals are currently leveraging the Kantara GDPR Ex-

plicit Consent Record (Group., 2018) as a reference

format for collecting, managing, and classifying the

GDPR’s concepts. Other proposals that can be ex-

ploited for this purpose use the Model-Driven Engi-

neering (MDE) approach for modeling data protec-

tion regulations such as the GDPR (Torre et al., 2020).

4.5 Answering RQ 5

The widespread adoption of ACSs in ICTs made

them ideal candidates for being adopted in differ-

ent application domains. Currently, Smart ICT Sys-

tems, Business Processes and Indoor Localization

Systems (ILSs) are the most promising application

domains (Basin et al., 2018; Zaman and Hassani,

2020; Daoudagh et al., 2021). In particular, in Smart

ICT Systems, appropriate supports to aid controllers

in developing Privacy-By-Design Smart Services are

provided. In this case, the generic architecture of

Smart ICT Systems is enhanced with a new layer.

That allows (i) a user-friendly interaction with the

end-users of the Smart ICT system (i.e., Interested

and Smart Services), (ii) the management of activities

dependent on the domain, and ﬁnally, (iii) the auto-

matic derivation of ACPs according to the collected

consents.

Considering the Business Processes, they can be

leveraged to automatically enforce the GDPR pro-

visions during the activities related to data manage-

ment and analysis (Arfelt et al., 2019; Calabr

o et al.,

2019). In some cases, the business process includes a

GDPR-based access control mechanism that protects

personal data during the Business Process Model and

Notation (BPMN) modeling and execution.

Finally, considering the ILSs, reference architec-

tures able to guarantee compliance with the GDPR

through the integration of specialized access control

systems enforcing the GDPR provisions are currently

under development (Lopes et al., 2020; Daoudagh and

Marchetti, 2021). The adoption of this GDPR-aware

ILSs for the social distancing purpose is also an on-

going activity (Barsocchi et al., 2021).

4.6 Answering RQ 6

Recently, testing frameworks capable to formally

validate both ACPs and ACMs have been pre-

sented (Zhang and Zhang, 2017; Khamaiseh et al.,

2018; Daoudagh et al., 2020b). In some cases

Controlled Experiments (CEs) in the context of AC

have been also proposed (Daoudagh et al., 2020a;

Daoudagh and Marchetti, 2020a). Usually, the dif-

ferent proposals focus on: test strategy selection

and derivation, test case execution and result evalu-

ation, and ﬁnally, Oracle deﬁnition (Felderer et al.,

2016; Xu et al., 2020). Additionally, for assessing

GDPR-based test cases generation strategies, generic

methodology based on mutation analysis have also

been proposed (Daoudagh and Marchetti, 2021).

The GDPR Compliance and Access Control Systems: Challenges and Research Opportunities

575

5 CONCLUSION AND FUTURE

WORK

Pairing up Data Privacy and Data Security is becom-

ing pivotal for promoting trustworthiness in services

and products managing personal data and for guar-

anteeing the data subject’s rights (Daoudagh, 2021).

By deﬁning the “Integrity and Conﬁdentiality” prin-

ciple (Art. 5.1(f)), the European legislator poses secu-

rity at the heart of the GDPR. It dictates that personal

data must be protected from unauthorized or unlawful

processing. One of the cornerstones of security is ac-

cess control, which is ruled by access control policies

specifying who is allowed to access Personal Data.

However, the security of processing is not an iso-

lated obligation but comes together with the GDPR’s

“Accountability” principle (Art. 5.2). Indeed, accord-

ing to this principle, security measures are at the same

time an obligation and a technical means to imple-

ment other data protection obligations. Additionally,

the GDPR imposes to the controllers and processors

to adopt the Data Protection by Design and by De-

fault (Art. 25), highlighting the necessity of engineer-

ing solutions for enforcing data privacy requirements

into ICT services.

According to the challenges presented in this pa-

per (see Section 2), leveraging the AC systems, the

de facto mechanisms used to restrict data access, as

a technical means for protecting “personal data by-

design” and gaining legal compliance with the GDPR,

promote several research activities. Those activities

contributed to:

1. deﬁne a GDPR-based Life Cycle for authorization

systems and a reference architecture, enabling

data protection by-design;

2. leverage the state-of-the-art about legal ontology

by deﬁning a GDPR-based AC ontology useful

for building ACPs in compliance with the GDPR;

3. deﬁne a GDPR proﬁle for a standardized AC lan-

guage;

4. deﬁne a systematic approach for gathering and de-

veloping ACPs compliant-by-design with the reg-

ulation;

5. advance the notion of Data Protection Backlogs

by introducing speciﬁc User Stories focused on

the GDPR’s provisions and their technical re-

quirements;

6. enable an Agile development of ACSs;

7. deﬁne a comprehensive testing framework for

validating both the GDPR-based and traditional

ACSs;

8. promote the application of ACSs in different con-

texts.

However, despite the accuracy devoted to investi-

gating the challenges and the related research ques-

tions, future works are still possible:

Standardization of the XACML GDPR Policy Pro-

ﬁle. In its original structure, the proﬁle is not suf-

ﬁciently adequate for representing all the GDPR’s

requirements: indeed, it targets just the concept of

purpose. A possible extension of the attributes of

the XACML Privacy Proﬁle for encoding GDPR’s

concepts in XACML policies needs to be deﬁned.

For this aim, recently, we have already advanced

an XACML GDPR Policy Proﬁle proposal that pro-

vides standard attributes according to the GDPR con-

cepts (Daoudagh, 2021).

Discussions with Legal Experts. All the available

and future proposals should be guided by, and some-

times developed together with, data protection legal

experts to guarantee internal and external validation.

Speciﬁcally, independent legal experts should be put

in the loop to validate whether the developed ACPs

can capture and express the legal meaning of the re-

lated GDPR’s provisions. That will also quantify the

completeness and the correctness of the translation of

the norms.

Methodology to Verify and Demonstrate the Com-

pliance with the GDPR. The accountability prin-

ciple dictates that “controller shall be responsible

for, and be able to demonstrate compliance with”

the other principles of the regulation. However, fu-

ture works involve providing tools, methodologies,

and strategies for demonstrating compliance with the

GDPR. Furthermore, there is still the necessity to pro-

vide solutions dealing with the auditability and ac-

countability demands.

Release the Reference Architecture. Even if dif-

ferent implementations of architectures have been

provided, a standardized reference architecture that

could be easily customized for different applications

(e.g., Calling and Messaging, Networking Applica-

tions (Kalapodi and Sklavos, 2021)) is still necessary.

User Stories Templates in Other Contexts. Inves-

tigating a comprehensive Data Protection Impact As-

sessment (DPIA) methodology (which is one of the

legal requirements of the GDPR (Art. 35)) for lever-

aging the conceived Data Protection Backlog is also

part of our future work.

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

576

Other Legal Frameworks. Applying and adapting

the different proposals to other legal requirements,

such as the new coming ePrivacy regulation as well

as to the eIDAS regulation, seems to be an interesting

future development.

ACKNOWLEDGEMENTS

This work is partially supported by the following

research projects: CyberSec4Europe H2020 Grant

Agreement No. 830929, BIECO H2020 Grant Agree-

ment No. 952702, and COVR H2020 Agreement No.

779966.

REFERENCES

Arfelt, E., Basin, D., and Debois, S. (2019). Monitoring the

gdpr. In European Symposium on Research in Com-

puter Security, pages 681–699. Springer.

Barsocchi, P., Calabr

o, A., Crivello, A., Daoudagh, S.,

Furfari, F., Girolami, M., and Marchetti, E. (2021).

COVID-19 & privacy: Enhancing of indoor localiza-

tion architectures towards effective social distancing.

Array, 9:100051.

Bartolini, C., Daoudagh, S., Lenzini, G., and Marchetti, E.

(2019a). Gdpr-based user stories in the access control

perspective. In Quality of Information and Communi-

cations Technology - 12th International Conference,

QUATIC 2019, Ciudad Real, Spain, September 11-13,

2019, Proceedings, pages 3–17.

Bartolini, C., Daoudagh, S., Lenzini, G., and Marchetti,

E. (2019b). Towards a lawful authorized access: A

preliminary gdpr-based authorized access. In 14th In-

ternational Conference on Software Technologies (IC-

SOFT 2019), Prague, Czech Republic, July 26-28,

2019., pages 331–338.

Basin, D., Debois, S., and Hildebrandt, T. (2018). On pur-

pose and by necessity. In Proceedings of the Twenty-

Second International Conference on Financial Cryp-

tography and Data Security (FC).

Calabr

o, A., Daoudagh, S., and Marchetti, E. (2019). Inte-

grating access control and business process for GDPR

compliance: A preliminary study. In Proceedings of

the Third Italian Conference on Cyber Security, Pisa,

Italy, February 13-15, 2019.

Chowdhury, O., Chen, H., Niu, J., Li, N., and Bertino, E.

(2012). On xacml’s adequacy to specify and to enforce

hipaa. In Proceedings of the 3rd USENIX Conference

on Health Security and Privacy, HealthSec’12, pages

11–11, Berkeley, CA, USA. USENIX Association.

Daoudagh, S. (2021). The GDPR Compliance Through

Access Control Systems. [PhD Dissertation, Univer-

sity of Pisa]. https://etd.adm.unipi.it/theses/available/

etd-07112021-124810/.

Daoudagh, S., Lonetti, F., and Marchetti, E. (2020a). As-

sessing testing strategies for access control systems:

A controlled experiment. In Proceedings of ICISSP

2020, Valletta, Malta, February 25-27, 2020.

Daoudagh, S., Lonetti, F., and Marchetti, E. (2020b).

XACMET: XACML testing & modeling. Softw. Qual.

J., 28(1):249–282.

Daoudagh, S. and Marchetti, E. (2020a). Deﬁning con-

trolled experiments inside the access control environ-

ment. In Hammoudi, S., Pires, L. F., and Selic, B., ed-

itors, Proceedings of the 8th International Conference

on Model-Driven Engineering and Software Develop-

ment, MODELSWARD 2020, Valletta, Malta, Febru-

ary 25-27, 2020, pages 167–176. SCITEPRESS.

Daoudagh, S. and Marchetti, E. (2020b). A life cycle for

authorization systems development in the GDPR per-

spective. In Loreti, M. and Spalazzi, L., editors, Pro-

ceedings of the Fourth Italian Conference on Cyber

Security, Ancona, Italy, February 4th to 7th, 2020,

volume 2597 of CEUR Workshop Proceedings, pages

128–140. CEUR-WS.org.

Daoudagh, S. and Marchetti, E. (2021). Graduation: A

gdpr-based mutation methodology. In Quality of In-

formation and Communications Technology - 14th In-

ternational Conference, QUATIC 2021, Faro, Portu-

gal, September 8-11, 2021, Proceedings, pages –.

Daoudagh, S., Marchetti, E., Savarino, V., Bernabe, J. B.,

Garc

ıa-Rodr

ıguez, J., Moreno, R. T., Martinez, J. A.,

and Skarmeta, A. F. (2021). Data protection by design

in the context of smart cities: A consent and access

control proposal. Sensors, 21(21).

Davari, M. and Bertino, E. (2019). Access control model

extensions to support data privacy protection based on

gdpr. In 2019 IEEE International Conference on Big

Data (Big Data), pages 4017–4024.

Dernaika, F., Cuppens-Boulahia, N., Cuppens, F., and Ray-

naud, O. (2020). Accountability in the A posteriori

access control: A requirement and a mechanism. In

Quality of Information and Communications Technol-

ogy - 13th International Conference, QUATIC 2020,

Faro, Portugal, September 9-11, 2020, Proceedings,

volume 1266 of Communications in Computer and In-

formation Science, pages 332–342. Springer.

Douglas Teodoro, Emilie Pasche, P. R. and Morley-

Fletcher, E. (2017). Deliverable 1.1 initial list of

main requirements. http://www.myhealthmydata.eu/

wp-content/themes/Parallax-One/deliverables/D1.

1 Initial-List-of-Main-Requirements.pdf.

European Union (2016). Regulation (EU) 2016/679 of the

European Parliament and of the Council of 27 April

2016 (General Data Protection Regulation). Ofﬁcial

Journal of the European Union, L119:1–88.

Felderer, M., B

uchler, M., Johns, M., Brucker, A. D., Breu,

R., and Pretschner, A. (2016). Chapter one - security

testing: A survey. volume 101 of Advances in Com-

puters, pages 1–51. Elsevier.

Group., K. I. C. . I. S. W. (2018). Consent

receipt speciﬁcation 1.1.0. kantara initia-

tive technical speciﬁcation recommendation.

https://kantarainitiative.org/ﬁle-downloads/

consent-receipt-speciﬁcation-v1-1-0/.

Kalapodi, A. and Sklavos, N. (2021). The concerns of per-

sonal data privacy, on calling and messaging, network-

The GDPR Compliance and Access Control Systems: Challenges and Research Opportunities

577

ing applications. In Thampi, S. M., Wang, G., Rawat,

D. B., Ko, R., and Fan, C.-I., editors, Security in Com-

puting and Communications, pages 275–289, Singa-

pore. Springer Singapore.

Khamaiseh, S., Chapman, P., and Xu, D. (2018). Model-

based testing of obligatory abac systems. In 2018

IEEE International Conference on Software Quality,

Reliability and Security (QRS), pages 405–413.

Kurteva, A., Chhetri, T. R., Pandit, H. J., and Fensel, A.

(2021). Consent through the lens of semantics: State

of the art survey and best practices. Semantic Web,

(Preprint):1–27.

Lopes, H., Pires, I. M., S

anchez San Blas, H., Garc

ıa-

Ovejero, R., and Leithardt, V. (2020). Priada: Man-

agement and adaptation of information based on data

privacy in public environments. Computers, 9(4).

Lucassen, G., Dalpiaz, F., van der Werf, J. M. E. M., and

Brinkkemper, S. (2016). Improving agile require-

ments: the quality user story framework and tool. Re-

quirements Engineering, 21(3):383–403.

Miri, M., Foomany, F. H., and Mohammed, N. (2018).

Complying with gdpr: An agile case study. ISACA

Journal, 2.

Palmirani, M., Martoni, M., Rossi, A., Bartolini, C.,

and Robaldo, L. (2018). Legal ontology for mod-

elling gdpr concepts and norms. In Legal Knowledge

and Information Systems: JURIX 2018, volume 313,

page 91. IOS Press.

Pandit, H. J., Debruyne, C., O’Sullivan, D., and Lewis, D.

(2019). Gconsent - a consent ontology based on the

gdpr. In Hitzler, P., Fern

andez, M., Janowicz, K., Za-

veri, A., Gray, A. J., Lopez, V., Haller, A., and Ham-

mar, K., editors, The Semantic Web, pages 270–282,

Cham. Springer International Publishing.

Sandhu, R. S. and Samarati, P. (1994). Access control: prin-

ciple and practice. IEEE Communications Magazine,

32(9):40–48.

Sforzin A. et al. (2020). Deliverable D3.11: Deﬁnition of

Privacy by Design and Privacy Preserving Enablers.

https://cybersec4europe.eu/publications/deliverables/.

Torre, D., Alferez, M., Soltana, G., Sabetzadeh, M., and

Briand, L. (2020). Model driven engineering for data

protection and privacy: Application and experience

with gdpr. arXiv preprint arXiv:2007.12046.

Xu, D., Shrestha, R., and Shen, N. (2020). Automated

strong mutation testing of xacml policies. In Pro-

ceedings of the 25th ACM Symposium on Access Con-

trol Models and Technologies, SACMAT ’20, page

105–116, New York, NY, USA. Association for Com-

puting Machinery.

Zaman, R. and Hassani, M. (2020). On enabling gdpr com-

pliance in business processes through data-driven so-

lutions. SN Computer Science, 1(4):1–15.

Zhang, Y. and Zhang, B. (2017). A new testing method

for xacml 3.0 policy based on abac and data ﬂow. In

2017 13th IEEE International Conference on Control

& Automation (ICCA), pages 160–164. IEEE.

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

578