With the introduction of the General Data Protection Regulation (GDPR) and its requirements for privacy by design and privacy by default, business operators have started to review the available options for integrating appropriate access control mechanisms into their products. In particular, designers and developers of data-intensive applications running on DITAS need to make sure their applications are GDPR compliant if they manage data of European data subjects. One of the implications for access control is the purpose limitation principle: the data of these data subjects can only be collected for a specified purpose and used in accordance with the specific consent the data subjects have given for specific usage purposes.

The full article by Roee Shlomo, Maya Anderson and Ety Khaitzin from IBM Research continues here, with a discussion of the access control models that are relevant to implementing a solution that satisfies GDPR requirements for purpose limitation.