Validating GDPR Compliance with CAIRIS

Helping you build privacy in

We’re pleased to announce new features to CAIRIS to help designers not only build security in, but also privacy as well.

For some time now, CAIRIS has supported the automatic generation of visual models, and provided some measure of model validation, e.g. generating security and usability scores based on risks and tasks, evaluating the probability of obstacles, and visualising requirements quality using Chernoff Faces. Until now, CAIRIS hasn’t explicitly supported validation across an entire model, but – with the arrival of CAIRIS 1.6.0 – we think proper model validation is now long overdue.

This feature is described in the documentation. In a nutshell, CAIRIS now has the ability to automatically check for known design problems. Although only a limited amount of validation checks are supported so far, the basis for doing some pretty sophisticated checks are now in place, so there will be more to come in the coming weeks and months.

As part of our use of CAIRIS to support a GDPR implementation we are running with a local charity, we have now started incorporating model validation checks for GDPR compliance into CAIRIS. To do this, we have introduce three new types of role to CAIRIS (Data Controller, Data Processor, and Data Subject), and steps for introducing personal data assets into a CAIRIS model.

Once these steps have been completed then, if personal data access and their processing is integrated into your model, e.g. by modelling goal dependencies, data flows, and integrating use cases and tasks with your goals, requirements, and risk models, then the model validation checks can evaluate any potential conflicts with the GDPR principles. Our hope is that this will incentive more designers to build privacy into their conceptual designs and requirements using CAIRIS; the more they do this, the more potential problems CAIRIS will be able to find for you.

At the moment, only validation against the principle of Lawfulness, Fairness, and Transparency is supported, but more checks are coming soon.

We hope these new features are useful. If you get any problems, or have requests for other model validation checks – be these related to GDPR or not – then please raise an issue.