Transparency - the provision of information about what personal data is
collected for which purposes, how long it is stored, or to which parties it is
transferred - is one of the core privacy principles underlying regulations such
as the GDPR. Technical approaches for implementing transparency in practice
are, however, only rarely considered. In this paper, we present a novel
approach for doing so in current, RESTful application architectures and in line
with prevailing agile and DevOps-driven practices. For this purpose, we
introduce 1) a transparency-focused extension of OpenAPI specifications that
allows individual service descriptions to be enriched with transparency-related
annotations in a bottom-up fashion and 2) a set of higher-order tools for
aggregating this information across multiple, interdependent services and
for coherently integrating our approach into automated CI/CD pipelines.
Together, these building blocks pave the way for providing transparency
information that is more specific and at the same time better reflects the
actual implementation within complex service architectures than current,
overly broad privacy statements.

Comment: Accepted for publication at the 2021 International Workshop on
Privacy Engineering (IWPE'21). This is a preprint manuscript (authors' own
version before final copy-editing).
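The two building blocks named in the abstract, per-service annotations and a higher-order aggregator with a CI gate, can be sketched in working code. The following is an added example written for this page, not code from the paper or its authors: it assumes a hypothetical OpenAPI vendor extension named `x-transparency` (the `x-` prefix is OpenAPI's standard extension mechanism; the field names `dataCategories`, `purposes`, `retention`, `recipients` and `dependsOn` are this example's own choice), embeds three constructed OpenAPI documents as Python dicts, follows `dependsOn` edges transitively to compute the transparency information a caller of the top-level operation actually needs, and exposes a `lint` check that a pipeline could fail on.

```python
"""Aggregate hypothetical x-transparency annotations across interdependent OpenAPI services."""
import re
from typing import Dict, List, Optional

# ISO 8601 date durations (PnYnMnD) are used for retention so values can be compared.
_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")


def duration_days(iso: str) -> int:
    """Approximate a PnYnMnD duration in days (year=365, month=30) for ordering retentions."""
    m = _DURATION.match(iso)
    if not m:
        raise ValueError(f"unsupported retention duration: {iso!r}")
    years, months, days = (int(g) if g else 0 for g in m.groups())
    return years * 365 + months * 30 + days


def _svc(name: str, path: str, op_id: str, annotation: dict) -> dict:
    """Build a minimal OpenAPI 3 document with one POST operation carrying the annotation."""
    return {"openapi": "3.0.3", "info": {"title": name, "version": "1.0"},
            "paths": {path: {"post": {"operationId": op_id, "x-transparency": annotation}}}}


# Constructed sample: a shop front-end that calls a payment and a shipping service.
# Each service declares only what it does itself (bottom-up); dependsOn links to
# "<service>#<operationId>" of the downstream call.
SERVICES: Dict[str, dict] = {
    "shop-api": _svc("shop-api", "/orders", "createOrder", {
        "dataCategories": ["name", "shippingAddress", "orderHistory"],
        "purposes": ["orderFulfilment"], "retention": "P2Y", "recipients": [],
        "dependsOn": ["payment-api#charge", "shipping-api#createShipment"]}),
    "payment-api": _svc("payment-api", "/charges", "charge", {
        "dataCategories": ["name", "paymentCard"],
        "purposes": ["payment", "fraudPrevention"], "retention": "P10Y",
        "recipients": ["Acme Payment Processor"], "dependsOn": []}),
    "shipping-api": _svc("shipping-api", "/shipments", "createShipment", {
        "dataCategories": ["name", "shippingAddress"],
        "purposes": ["delivery"], "retention": "P6M",
        "recipients": ["Parcel Carrier Ltd"], "dependsOn": []}),
}


def find_operation(services: Dict[str, dict], service: str, op_id: str) -> Optional[dict]:
    """Locate an operation object by operationId inside one service's OpenAPI document."""
    for path_item in services.get(service, {}).get("paths", {}).values():
        for op in path_item.values():
            if isinstance(op, dict) and op.get("operationId") == op_id:
                return op
    return None


def aggregate(services: Dict[str, dict], service: str, op_id: str, _seen=None) -> dict:
    """Merge annotations along dependsOn edges: sets are unioned, retention is the longest
    found anywhere downstream. A visited set stops cycles and avoids double-counting diamonds."""
    _seen = set() if _seen is None else _seen
    result = {"dataCategories": set(), "purposes": set(), "recipients": set(),
              "services": set(), "retention": "P0D"}
    key = f"{service}#{op_id}"
    if key in _seen:
        return result
    _seen.add(key)
    op = find_operation(services, service, op_id)
    if op is None:
        raise KeyError(f"unknown operation {key}")
    ann = op.get("x-transparency", {})
    sub_results = [{"dataCategories": set(ann.get("dataCategories", [])),
                    "purposes": set(ann.get("purposes", [])),
                    "recipients": set(ann.get("recipients", [])),
                    "services": {service}, "retention": ann.get("retention", "P0D")}]
    for dep in ann.get("dependsOn", []):
        dep_service, _, dep_op = dep.partition("#")
        sub_results.append(aggregate(services, dep_service, dep_op, _seen))
    for sub in sub_results:
        for field in ("dataCategories", "purposes", "recipients", "services"):
            result[field] |= sub[field]
        if duration_days(sub["retention"]) > duration_days(result["retention"]):
            result["retention"] = sub["retention"]
    return result


def lint(services: Dict[str, dict]) -> List[str]:
    """CI gate: every operation needs an annotation with the core fields, a parseable
    retention, and dependsOn references that resolve. Returns findings (empty = pass)."""
    findings: List[str] = []
    for name, doc in services.items():
        for path, path_item in doc.get("paths", {}).items():
            for method, op in path_item.items():
                if not isinstance(op, dict) or "operationId" not in op:
                    continue
                where = f"{name} {method.upper()} {path}"
                ann = op.get("x-transparency")
                if ann is None:
                    findings.append(f"{where}: missing x-transparency annotation")
                    continue
                for field in ("dataCategories", "purposes", "retention"):
                    if field not in ann:
                        findings.append(f"{where}: x-transparency lacks '{field}'")
                try:
                    duration_days(ann.get("retention", "P0D"))
                except ValueError as exc:
                    findings.append(f"{where}: {exc}")
                for dep in ann.get("dependsOn", []):
                    svc, _, dep_op = dep.partition("#")
                    if find_operation(services, svc, dep_op) is None:
                        findings.append(f"{where}: dependsOn '{dep}' does not resolve")
    return findings


if __name__ == "__main__":
    for finding in lint(SERVICES):
        print("FAIL", finding)
    agg = aggregate(SERVICES, "shop-api", "createOrder")
    print({k: sorted(v) if isinstance(v, set) else v for k, v in agg.items()})
```

Taking the longest downstream retention is a deliberately conservative choice: the statement presented to a data subject should not promise a shorter storage period than any service in the call chain actually applies. In a pipeline, `lint` would run against every service's specification on each change and the aggregated result would be regenerated from the deployed set of specifications rather than maintained by hand.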