An Efficient GDPR-Compliant Data Management for IoHT Applications

The rapid rise of Internet of Health Things (IoHT) makes preserving data privacy become a critical task. In 2016, European Union has published General Data Protection Regulation (GDPR) which urges service providers to protect user privacy. Existing fine-grained encryption methods, such as key-policy attribute-based encryption (KP-ABE), belong to pairing-based cryptography which is impractical in resource-constraint IoHT devices. Also, habitual data-sharing systems fail to satisfy the right to access, the right to data portability, and the right to erasure claimed by GDPR at the same time. Thus, this paper proposes the GDPR-compliant Data Management (GCDM) composed of pairing-free KP-ABE (PF-KP-ABE) and GDPR-compliant Revocable Blockchain (GRBC) to provide IoHT applications efficient and secure data-sharing service. PF-KP-ABE exploits the pairing-free mechanism to improve the performance of fine-grained access control on IoHT devices. GRBC applies the special-designed Create/ Read/ Update/ Delete (CRUD) operations to comply with GDPR. Security analysis demonstrates the GDPR compliance of GRBC as well as the correctness of PF-KP-ABE. Then, the Perfect Forward Secrecy of PF-KP-ABE is also proved. Experiment results show that the proposed PF-KP-ABE outperforms existing KP-ABE on both Control Centre and IoHT devices. Hence, GCDM is the most practical data management for various IoHT applications.