EDPRL: A Language for Specifying Data Privacy Requirements of Enterprises

Use of customer data, including personally identifiable information, by enterprises for business purposes raise privacy concerns. Rising incidents of privacy breaches show that there is an urgent need for designing and implementing proper privacy controls. The most important pre-requisite for this is the correct identification of data privacy requirements in a timely manner. Existence of large number of enterprise assets (that store and process customer data), and continuous changes in requirements, render such identification extremely difficult. Moreover, ad-hoc methods often lead to erroneous identification of requirements. It is important to devise a methodology for the structured representation of data privacy requirements that considers the intricate relationships between enterprise assets that handle those data. This would also enable the implementation of automated processes for privacy controls. This paper presents a structured language called Enterprise Data Privacy Requirement Language (EDPRL) for specifying privacy requirements of an enterprise.