GDPR Compliance Tools: Best Practice from RegTech

Ryan, Paul; Crane, Martin; Brennan, Rob

doi:10.1007/978-3-030-75418-1_41

Cited by 14 publications

(18 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The qualitative evaluation was conducted in accordance with the TOMs. This is also a common method of privacy evaluation used by researchers such as Ryan et al [ 6 ] to assess their work using the Irish Data Protection Commission’s self-assessment checklist [ 114 ].…”

Section: Discussionmentioning

confidence: 99%

“…Ryan et al [ 6 ] present a set of requirements for GDPR compliance based on RegTech [ 14 ] and a prototype implementation of a GDPR compliance verification tool that can assist DPOs in maintaining GDPR accountability. The authors utilize semantics (the Data Privacy Vocabulary (DPV) [ 48 ] and PROV-O [ 49 ] ontologies).…”

Section: Related Workmentioning

confidence: 99%

“…However, these requirements have also posed significant challenges to companies regarding the automation of compliance verification. Several software tools for GDPR compliance have already been developed that cover some steps required for automated compliance verification (e.g., [ 3 , 4 , 5 , 6 , 7 ]). In most cases, these tools address only a specific subset of the GDPR regulations, such as audit (or auditability) [ 8 ] or only consent management.…”

Section: Introductionmentioning

confidence: 99%

“…Our tool makes extensive use of semantic technologies, specifically a knowledge graph (KG) and an ontology (both developed in collaboration with legal experts), for representing informed consent as defined by the GDPR. Semantic technology is also regarded as one of the best practices in RegTech [ 14 ] and Ryan et al [ 6 ]. Knowledge graphs, for example, provide a consistent consent representation in a machine-readable format, support data interoperability, and faster and easier knowledge discovery [ 15 ].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Data Protection by Design Tool for Automated GDPR Compliance Verification Based on Semantically Modeled Informed Consent

Chhetri

Kurteva

DeLong

et al. 2022

Sensors

View full text Add to dashboard Cite

The enforcement of the GDPR in May 2018 has led to a paradigm shift in data protection. Organizations face significant challenges, such as demonstrating compliance (or auditability) and automated compliance verification due to the complex and dynamic nature of consent, as well as the scale at which compliance verification must be performed. Furthermore, the GDPR’s promotion of data protection by design and industrial interoperability requirements has created new technical challenges, as they require significant changes in the design and implementation of systems that handle personal data. We present a scalable data protection by design tool for automated compliance verification and auditability based on informed consent that is modeled with a knowledge graph. Automated compliance verification is made possible by implementing a regulation-to-code process that translates GDPR regulations into well-defined technical and organizational measures and, ultimately, software code. We demonstrate the effectiveness of the tool in the insurance and smart cities domains. We highlight ways in which our tool can be adapted to other domains.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Data Protection by Design Tool for Automated GDPR Compliance Verification Based on Semantically Modeled Informed Consent

Chhetri

Kurteva

DeLong

et al. 2022

Sensors

View full text Add to dashboard Cite

show abstract

“…This will enable the organisation to stay informed of risks, enable regular compliance checks, and support accountability, regardless of the form of the data and the tools generating it [4]. Together the requirements for an accountability system based on machine-readable ROPAs were identified as (i) records the information necessary for the completion of an ROPA and support accountability; (ii) supports the digital exchange of data between parties (and systems) such as processors and regulators; (iii) supports automated accountability compliance verification; and (iv) integrates with privacyaware data governance processes and tools [10].…”

Section: Introductionmentioning

confidence: 99%

Support for Enhanced GDPR Accountability with the Common Semantic Model for ROPA (CSM-ROPA)

Ryan

Brennan

2022

SN COMPUT. SCI.

Self Cite

View full text Add to dashboard Cite

The creation and maintenance of Registers of Processing Activities (ROPA) are essential to meeting the General Data Protection Regulation (GDPR) and thus to demonstrate compliance based on the GDPR concept of accountability. To establish its effectiveness in meeting this obligation, we evaluate an ROPA semantic model, the Common Semantic Model–ROPA (CSM–ROPA). Semantic models and tools represent one solution to the compliance challenges faced by organisations: the heterogeneity of relevant data sources, and the lack of tool interoperability and agreed common standards. By surveying current practice and the literature we identify the requirements for GDPR accountability tools: digital exchange of data, automated accountability verification and privacy-aware data governance. A case study was conducted to analyse the expressivity and effectiveness of CSM–ROPA when used as an interoperable, machine-readable mediation layer to express the concepts in a comprehensive regulator-provided accountability framework used for GDPR compliance. We demonstrate that CSM–ROPA can express 98% of ROPA accountability terms and fully express nine of the ten European regulators' ROPA templates. We identify three terms for addition to CSM–ROPA, and we identify areas where CSM–ROPA relies on partial matches that indicate model limitations. These improvements to CSM–ROPA will provide comprehensive coverage of the regulator-supplied model. We show that tools based on CSM–ROPA can fully meet the requirements of compliance best practice when compared with either manual accountability approaches or a leading privacy software solution.

show abstract