Transparency is one of the most important principles of modern privacy regulations such as the GDPR or the CCPA. To comply with such regulatory frameworks, data controllers must provide data subjects with precise information about the collection, processing, storage, and transfer of personal data. To do so, the respective facts and details must be compiled and kept up to date at all times. In traditional, rather static system environments, this inventory (including details such as the purposes of processing or the storage duration for each system component) could be maintained manually. Under current conditions of agile, DevOps-driven, and cloud-native information systems engineering, however, such manual practices no longer suffice, making it increasingly hard for data controllers to achieve regulatory compliance. To allow for the proper collection and maintenance of always up-to-date transparency information that integrates smoothly into DevOps practices, we herein propose a set of novel approaches explicitly tailored to the phases of the DevOps lifecycle most relevant to privacy-related transparency and accountability at runtime: Release, Operation, and Monitoring. For each of these phases, we examine the specific challenges that arise in determining the details of personal data processing, develop a distinct approach, and provide respective proof-of-concept implementations that can easily be applied in cloud-native systems. We also demonstrate how these components can be integrated with each other to establish transparency information comprising both design-time and runtime elements. Furthermore, our experimental evaluation indicates reasonable overheads. On this basis, data controllers can fulfill their regulatory transparency obligations in line with actual engineering practices.