Personal Data Management for Privacy Engineering: An Abstract Personal Data Lifecycle Model

It is well understood that processing personal data without effective data management models may lead to privacy violations. Such concerns have motivated the development of privacy-preserving systems and legal frameworks such as the EU General Data Protection Regulation. However, there is a disconnect between policy-makers and engineers with respect to the meaning of privacy. In addition, it is challenging to establish that a system complies with its privacy requirements, to provide technical assurances, and to meet data subjects’ expectations. In the spirit of engineering privacy, we propose an abstract personal data lifecycle (APDL) model to support the management of personal data. The APDL model represents data processing activities in a way that is amenable to analysis using an appropriate privacy risk management model. As such, it helps facilitate the identification of potentially harmful data processing activities; it also has the potential to demonstrate compliance with legal frameworks and standards.