Legislative Compliance Assessment: Framework, Model and GDPR Instantiation

Agarwal, Sushant; Steyskal, Simon; Antunovic, Franjo; Kirrane, Sabrina

doi:10.1007/978-3-030-02547-2_8

Cited by 32 publications

(27 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, as mentioned earlier, the test-based approach can also be used with existing representations by adding semantics to the test results and reports to link them with relevant information such as the articles in GDPR. This is also applicable towards persisting outputs of reports generated from tools [1] and conformity assessments (CAP) [6].…”

Section: Discussionmentioning

confidence: 99%

“…Subset of Constraints and Assumptions regarding Given Consent are involved. For example, informed consent requires the request to be clear and unambiguous -which needs to be evaluated manually 1 .…”

Section: Generating Constraints From Requirementsmentioning

confidence: 99%

“…The approach presented in this paper acts on machine-readable metadata representation of processes and workflows associated with personal data and consent. An alternative to this is an approach that uses ODRL policies [5] for assessment of compliance using questions constructed from GDPR [1]. The ODRL policy consists of constraints classified as Feature, Discretional, and Dispensation with Rule used to specify them as Permission, Prohibition, or Duty.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Test-Driven Approach Towards GDPR Compliance

Pandit

O’Sullivan

Lewis

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

An organisation using personal data should document its data governance processes to maintain and demonstrate compliance with the General Data Protection Regulation (GDPR). As processes evolve, their documentation should reflect these changes with an assessment showing ongoing compliance. Through this paper, we show how semantic representations of processes are useful towards maintaining ongoing GDPR compliance by using a test-driven approach that generates and checks constraints for adherence to GDPR requirements. We first check whether all required information has been documented, and then whether it is compliant. We prototype our testing approach using a real-world website's consent mechanism for GDPR compliance, and persist results towards generating documentation. We use previously-published ontologies to represent processes (GDPRov), consent (GConsent), and GDPR (GDPRtEXT), with SHACL used to test requirement constraints.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Generating Constraints From Requirementsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Test-Driven Approach Towards GDPR Compliance

Pandit

O’Sullivan

Lewis

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…[30]), has demonstrated its potential as a general policy language. For instance, researchers have hinted as it how it could be used to express: access policies [33]; requests, data offers and agreements [32]; and basic regulatory policies [1]. While, Fornara and Colombetti [12] consider how to add obligations to (an earlier version) of ODRL and subsequently in Fornara et al [13] how to reason over such ODRL extensions, using additional ontologies and semantic rules.…”

Section: Related Workmentioning

confidence: 99%

ODRL Policy Modelling and Compliance Checking

Vos

Kirrane

Padget

et al. 2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

This paper addresses the problem of constructing a policy pipeline that enables compliance checking of business processes against regulatory obligations. Towards this end, we propose an Open Digital Rights Language (ODRL) profile that can be used to capture the semantics of both business policies in the form of sets of required permissions and regulatory requirements in the form of deontic concepts, and present their translation into Answer Set Programming (via the Institutional Action Language (InstAL)) for compliance checking purposes. The result of the compliance checking is either a positive compliance result or an explanation pertaining to the aspects of the policy that are causing the noncompliance. The pipeline is illustrated using two (key) fragments of the General Data Protect Regulation, namely Articles 6 (Lawfulness of processing) and Articles 46 (Transfers subject to appropriate safeguards) and industrially-relevant use cases that involve the specification of sets of permissions that are needed to execute business processes. The core contributions of this paper are the ODRL profile, which is capable of modelling regulatory obligations and business policies, the exercise of modelling elements of GDPR in this semantic formalism, and the operationalisation of the model to demonstrate its capability to support personal data processing compliance checking, and a basis for explaining why the request is deemed compliant or not.

show abstract

“…From a GDPR compliance perspective, there exist several compliance tools (cf. [17], [18], [19], [20]) that enable companies to assess the compliance of their applications and business processes via predefined questionnaires. Additionally, there is a body of work that focuses on modelling the text of the GDPR in a manner that supports legal reasoning and compliance checking [21], [22], [23], [24], [25].…”

Section: Related Workmentioning

confidence: 99%

Big Data and Analytics in the Age of the GDPR

Bonatti

Kirrane

2019

2019 IEEE International Congress on Big Data (BigDataCongress)

Self Cite

View full text Add to dashboard Cite

The new European General Data Protection Regulation places stringent restrictions on the processing of personally identifiable data. The GDPR does not only affect European companies, as the regulation applies to all the organizations that track or provide services to European citizens. Free exploratory data analysis is permitted only on anonymous data, at the cost of some legal risks. We argue that for the other kinds of personal data processing, the most flexible and safe legal basis is explicit consent. We illustrate the approach to consent management and compliance with the GDPR being developed by the European H2020 project SPECIAL, and highlight some related big data aspects.

show abstract

Legislative Compliance Assessment: Framework, Model and GDPR Instantiation

Cited by 32 publications

References 19 publications

Test-Driven Approach Towards GDPR Compliance

Test-Driven Approach Towards GDPR Compliance

ODRL Policy Modelling and Compliance Checking

Big Data and Analytics in the Age of the GDPR

Contact Info

Product

Resources

About