Machine Understandable Policies and GDPR Compliance Checking


TECHNICAL CONTRIBUTION

Machine Understandable Policies and GDPR Compliance Checking

Piero A. Bonatti¹ · Sabrina Kirrane² · Iliana M. Petrova¹ · Luigi Sauro¹

Received: 4 November 2019 / Accepted: 18 June 2020
© Gesellschaft für Informatik e.V. and Springer-Verlag GmbH Germany, part of Springer Nature 2020

Abstract

The European General Data Protection Regulation (GDPR) calls for technical and organizational measures to support its implementation. Towards this end, the SPECIAL H2020 project aims to provide a set of tools that can be used by data controllers and processors to automatically check if personal data processing and sharing complies with the obligations set forth in the GDPR. The primary contributions of the project include: (i) a policy language that can be used to express consent, business policies, and regulatory obligations; and (ii) two different approaches to automated compliance checking that can be used to demonstrate that data processing performed by data controllers/processors complies with consent provided by data subjects, and business processes comply with regulatory obligations set forth in the GDPR.

Keywords: GDPR · Policies · Compliance checking
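The abstract describes compliance checking as demonstrating that a controller's data processing stays within the consent given by the data subject. The following is an added illustration of that idea written for this page; it is not code from the paper or from the SPECIAL project, and it does not reproduce the SPECIAL policy language or its reasoner. The term hierarchy, the four policy fields (data, purpose, recipient, storage period) and the sample policies are constructed assumptions. The check treats compliance as subsumption: every term in the processing policy must fall under some term the data subject consented to, and the retention period must not exceed the consented one.

```python
from dataclasses import dataclass

# Constructed term hierarchy for this example (child -> parent).  A term used
# in a consent covers every term below it: consenting to "ContactData" for
# "ServiceImprovement" covers processing an "EmailAddress" for "Analytics".
TAXONOMY = {
    "EmailAddress": "ContactData",
    "PostalAddress": "ContactData",
    "ContactData": "PersonalData",
    "Location": "PersonalData",
    "Analytics": "ServiceImprovement",
    "ServiceImprovement": "AnyPurpose",
    "Marketing": "AnyPurpose",
    "Affiliate": "ThirdParty",
    "ThirdParty": "AnyRecipient",
    "Controller": "AnyRecipient",
}


def is_subclass(term, ancestor):
    """True when `term` is `ancestor` or lies below it in TAXONOMY."""
    while term is not None:
        if term == ancestor:
            return True
        term = TAXONOMY.get(term)
    return False


@dataclass(frozen=True)
class Policy:
    """One usage policy (an assumed simplification): which data, for which
    purposes, shared with whom, and for how long (days).  The same shape
    describes a data subject's consent and a controller's intended
    processing."""
    data: frozenset
    purpose: frozenset
    recipient: frozenset
    storage_days: int


def covered(specific, general):
    """Every term in `specific` must be subsumed by some term in `general`."""
    return all(any(is_subclass(s, g) for g in general) for s in specific)


def check_compliance(processing, consent):
    """Return (complies, violated_fields).  Processing complies with consent
    only if each field of the processing policy is subsumed by the
    corresponding field of the consent policy and the retention period
    does not exceed the consented one."""
    violations = []
    for name in ("data", "purpose", "recipient"):
        if not covered(getattr(processing, name), getattr(consent, name)):
            violations.append(name)
    if processing.storage_days > consent.storage_days:
        violations.append("storage_days")
    return (not violations, violations)


# Constructed sample policies: one consent and two candidate processings.
CONSENT = Policy(
    data=frozenset({"ContactData"}),
    purpose=frozenset({"ServiceImprovement"}),
    recipient=frozenset({"Controller"}),
    storage_days=365,
)
PROCESSING_OK = Policy(
    data=frozenset({"EmailAddress", "PostalAddress"}),
    purpose=frozenset({"Analytics"}),
    recipient=frozenset({"Controller"}),
    storage_days=90,
)
PROCESSING_BAD = Policy(
    data=frozenset({"Location"}),
    purpose=frozenset({"Marketing"}),
    recipient=frozenset({"Affiliate"}),
    storage_days=730,
)

if __name__ == "__main__":
    print(check_compliance(PROCESSING_OK, CONSENT))   # (True, [])
    print(check_compliance(PROCESSING_BAD, CONSENT))  # (False, ['data', 'purpose', 'recipient', 'storage_days'])
```

Returning the list of violated fields rather than a bare boolean is the practitioner-relevant design choice: a compliance tool has to tell the controller which part of the intended processing exceeds the consent, not merely that it does.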

1 Introduction

The European General Data Protection Regulation (GDPR), which came into force on the 25th of May 2018, defines legal requirements concerning the processing and sharing of personally identifiable data. In addition, the legislation calls for technical and organizational measures to support its implementation. When it comes to legal informatics there is a large body of work on legal knowledge representation and reasoning (cf. [3, 5, 13, 20, 24, 26]); however, said approaches are usually foundational in nature and as such are not readily accessible for companies looking for technical means to demonstrate GDPR compliance. Recently we have seen the emergence of GDPR compliance tools (cf. [1, 15, 22, 23]) in the form of predefined questionnaires that enable data controllers and processors to assess the compliance of services and products that process personal data. The primary limitation of said tools is their lack of support for automated compliance checking.

* Piero A. Bonatti, [email protected]
Sabrina Kirrane, [email protected]

¹ Università di Napoli Federico II, Naples, Italy
² Vienna University of Economics and Business, Vienna, Austria

In order to fill this gap, SPECIAL builds upon a rich history of policy language research from the Semantic Web community (cf., [8, 16, 18, 32, 33]), and shows how together machine understandable policies and automated compliance checking can be used to demonstrate compliance with legal requirements set forth in the GDPR. In particular, we introduce the SPECIAL policy language and discuss how it can be used to express consent, business policies, and regulatory obligations. In addition, we describe two different approaches to automated compliance checking used to demonstrate that: (i) data processing performed by data controllers / processors complies with consent provided by data subjects; a