Data regulations, such as GDPR, are increasingly being adopted globally to protect against unsafe data management practices. Such regulations are often ambiguous (admitting multiple valid interpretations) when it comes to defining the expected dynamic behavior of data processing systems. This paper argues that it is possible to represent regulations such as GDPR formally as invariants using a (small set of) data processing concepts that capture system behavior. When such concepts are grounded, i.e., they are provided with a single unambiguous interpretation, systems can achieve compliance by demonstrating that the system-actions they implement maintain the invariants (representing the regulations). To illustrate our vision, we propose Data-CASE, a simple yet powerful model that (a) captures key data processing concepts and (b) provides a set of invariants that describe regulations in terms of these concepts. We further illustrate the concept of grounding using "deletion" as an example and highlight several ways in which end-users, companies, and software designers/engineers can use Data-CASE.
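To make the regulation-as-invariant idea concrete, the following is an added illustration (not code from the paper and not the Data-CASE model itself): a hypothetical mini-model in which system actions are state transitions, a GDPR-style erasure obligation is written as an invariant, and two different groundings of "deletion" (logical vs. physical) are checked against it. The State fields, store names and subject names are constructed for the example.

```python
import copy
from dataclasses import dataclass, field

# Hypothetical mini-model in the spirit of Data-CASE (not the paper's own code):
# system state = data stores holding records about subjects, plus the set of
# subjects whose erasure requests the system has accepted.
@dataclass
class State:
    stores: dict = field(default_factory=dict)    # store name -> {record_id: subject}
    tombstones: set = field(default_factory=set)  # record ids hidden by logical deletion
    erased: set = field(default_factory=set)      # subjects whose erasure was accepted

def no_erased_subject_retrievable(s: State) -> bool:
    """Grounding A of erasure: an erased subject's records must not be retrievable."""
    return all(subj not in s.erased or rid in s.tombstones
               for recs in s.stores.values() for rid, subj in recs.items())

def no_erased_subject_stored(s: State) -> bool:
    """Grounding B of erasure (stricter): an erased subject's records must not exist."""
    return all(subj not in s.erased
               for recs in s.stores.values() for subj in recs.values())

# System actions: State -> State (mutating), one per candidate implementation of "delete".
def delete_logical(s: State, subject: str) -> State:
    s.erased.add(subject)
    for recs in s.stores.values():
        s.tombstones.update(rid for rid, subj in recs.items() if subj == subject)
    return s

def delete_physical(s: State, subject: str) -> State:
    s.erased.add(subject)
    for name, recs in s.stores.items():
        s.stores[name] = {rid: subj for rid, subj in recs.items() if subj != subject}
    return s

def check_action(action, state: State, *args, invariants=(no_erased_subject_retrievable,
                                                          no_erased_subject_stored)) -> dict:
    """Apply an action to a copy of the state and report which invariants it maintains."""
    after = action(copy.deepcopy(state), *args)
    return {inv.__name__: inv(after) for inv in invariants}

def example_state() -> State:
    # Constructed sample: a primary store and a backup holding records about two subjects.
    return State(stores={"primary": {"r1": "alice", "r2": "bob"},
                         "backup": {"r1": "alice", "r3": "bob"}})

if __name__ == "__main__":
    for action in (delete_logical, delete_physical):
        print(action.__name__, check_action(action, example_state(), "alice"))
```

Under grounding A both implementations of "delete" are compliant; under the stricter grounding B only physical deletion maintains the invariant, which is the kind of disagreement that an unambiguous grounding is meant to settle.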