Download This PaperThe Seven Sins of Personal-Data Processing Systems under GDPR
USENIX Workshop on Hot Topics in Cloud Computing, 2019
7 Pages Posted: 25 Jul 2019 Last revised: 31 Jul 2019
Date Written: July 8, 2019
Abstract
In recent years, our society is being plagued by unprecedented levels of privacy and security breaches. To rein in this trend, the European Union, in 2018, introduced a comprehensive legislation called the General Data Protection Regulation (GDPR). In this paper, we review GDPR from a system design perspective, and identify how its regulations conflict with the design, architecture, and operation of modern systems. We illustrate these conflicts via the seven GDPR sins: storing data forever; reusing data indiscriminately; walled gardens and black markets; risk-agnostic data processing; hiding data breaches; making unexplainable decisions; treating security as a secondary goal. Our findings reveal a deep-rooted tussle between GDPR requirements and how modern systems have evolved.We believe that achieving compliance requires comprehensive, grounds up solutions, and anything short would amount to fixing a leaky faucet in a sinking ship.
Keywords: GDPR, Seven Sins, Digital Privacy
Suggested Citation: Suggested Citation
Melissa F. Wasserman
University of Texas at Austin - School of Law ( email )
727 East Dean Keeton Street
Austin, TX 78705
United States