GDPR-Based User Stories in the Access Control Perspective

Conference Paper
Publication Date:
2019
abstract:
Because of GDPR's principle of "data protection by design and by default", organizations that wish to stay lawful have to rethink their data practices. Access Control (AC) can be a technical solution for them to protect access to "personal data by design", and thus to gain legal compliance, but this requires having Access Control Policies (ACPs) that express requirements aligned with GDPR's provisions. Provisions are, however, pieces of law and are not written to be immediately interpreted as technical requirements; the task is thus not straightforward. The Agile software development methodology can help untangle the problem. It has dedicated tools to describe requirements, and one of them, User Stories, seems up to the task. Stories are concise yet informal descriptions telling who, what and why something is required by users; they are prioritized in lists, called backlogs. Inspired by these Agile tools, this paper advances the notion of Data Protection backlogs, which are lists of User Stories about GDPR provisions told as technical requirements. For each User Story we build a corresponding ACP, thus enabling the implementation of GDPR-compliant AC systems.
Iris type:
04.01 Contribution in conference proceedings
Keywords:
Access Control Policy (ACP); General Data Protection Regulation (GDPR); User Story
List of contributors:
Daoudagh, Said; Marchetti, Eda
Authors of the University:
DAOUDAGH SAID
MARCHETTI EDA
Handle:
https://iris.cnr.it/handle/20.500.14243/376436
Book title:
Quality of Information and Communications Technology. QUATIC 2019. Communications in Computer and Information Science
Published in:
COMMUNICATIONS IN COMPUTER AND INFORMATION SCIENCE (PRINT)
Series
URL

https://link.springer.com/chapter/10.1007%2F978-3-030-29238-6_1