Privacy Enforcement for IT Governance in Enterprises: Doing it for Real

摘要

This paper describes issues and requirements related to privacy management as an aspect of improved governance in enterprises. Most of the existing related technical work is based on auditing and reporting mechanisms. The focus of this paper is on privacy enforcement for personal data: this is still a green field. To enforce the execution of privacy policies, requests to access personal data need to be checked against data requestors' rights and intents, data subjects' consent and the stated data purposes. Being able to automate and simplify the enforcement of privacy and reduce the involved costs is important for enterprises. We describe our approach and compare it against related work. In particular, we discuss our work done to add privacy-aware access control capabilities to HP Select Access - a leading-edge access control solution. A prototype has been implemented as a proof of concept. Current results, open issues and next steps are discussed.