
    Design Challenges for GDPR RegTech

    The Accountability Principle of the GDPR requires that an organisation can demonstrate compliance with the regulation. A survey of GDPR compliance software solutions shows significant gaps in their ability to demonstrate compliance. In contrast, RegTech has recently brought great success to financial compliance, resulting in reduced risk, cost savings and enhanced financial regulatory compliance. It is shown that many GDPR solutions lack interoperability features such as standard APIs, metadata or reports, and that they are not supported by published methodologies or by evidence of their validity or even utility. A proof-of-concept prototype was explored using a regulator-based self-assessment checklist to establish whether RegTech best practice could improve the demonstration of GDPR compliance. The application of a RegTech approach provides opportunities for demonstrable and validated GDPR compliance, in addition to the risk reductions and cost savings that RegTech can deliver. This paper demonstrates that a RegTech approach to GDPR compliance can facilitate an organisation in meeting its accountability obligations.

    A common semantic model of the GDPR register of processing activities

    The creation and maintenance of a Register of Processing Activities (ROPA) is an essential process for the demonstration of GDPR compliance. We analyse ROPA templates from six EU Data Protection Regulators and show that template scope and granularity vary widely between jurisdictions. We then propose a flexible, consolidated data model for consistent processing of ROPAs (CSM-ROPA). We analyse the extent to which the Data Privacy Vocabulary (DPV) can be used to express CSM-ROPA. We find that it does not directly address modelling ROPAs, and so needs additional concept definitions. We provide a mapping of our CSM-ROPA to an extension of the Data Privacy Vocabulary.

    The Role of Vocabulary Mediation to Discover and Represent Relevant Information in Privacy Policies

    To date, the effort made by existing vocabularies to provide a shared representation of the data protection domain has not been fully exploited. Different natural language processing (NLP) techniques have been applied to the text of privacy policies without, however, taking advantage of existing vocabularies to give those documents a shared semantic superstructure. In this paper we show how a recently released domain-specific vocabulary, the Data Privacy Vocabulary (DPV), can be used to discover, in privacy policies, the information that is relevant with respect to the concepts modelled in the vocabulary itself. We also provide a machine-readable representation of this information to bridge the unstructured textual information to the formal taxonomy modelled in the vocabulary. This is the first approach to the automatic processing of privacy policies that relies on the DPV, fuelling further investigation of the applicability of existing semantic resources to promote the reuse of information and interoperability between systems in the data protection domain.

    Demonstrating GDPR accountability with CSM-ROPA: extensions to the data privacy vocabulary

    The creation and maintenance of a Register of Processing Activities (ROPA) are essential to meeting the Accountability Principle of the General Data Protection Regulation (GDPR). We evaluate a semantic model, CSM-ROPA, to establish the extent to which it can be used to express a regulator-provided accountability tracker that facilitates GDPR/ROPA compliance. We show that the ROPA practices of organisations are largely based on manual paper-based templates or non-interoperable systems, leading to inadequate GDPR/ROPA compliance levels. We contrast these current approaches to GDPR/ROPA compliance with best practice for regulatory compliance and identify four critical features of systems that support accountability. We conduct a case study to analyse the extent to which CSM-ROPA can be used as an interoperable, machine-readable mediation layer to express a regulator-supplied ROPA accountability tracker. We demonstrate that CSM-ROPA can successfully express 92% of ROPA accountability terms. The addition of connectable vocabularies brings the expressivity to 98%. We identify three terms for addition to CSM-ROPA to enable full expressivity. The application of CSM-ROPA provides opportunities for demonstrable and validated GDPR compliance. This standardisation would enable the development of automated, interoperable tools for supporting accountability and the demonstration of GDPR compliance.

    GDPR Compliance tools: best practice from RegTech

    Organisations can be complex entities, performing heterogeneous processing on large volumes of diverse personal data, potentially using outsourced partners or subsidiaries in distributed geographical locations and jurisdictions. Many organisations appoint a Data Protection Officer (DPO) to assist them with their demonstration of compliance with the GDPR Principle of Accountability. The challenge for the DPO is to monitor these complex processing activities and to advise and inform the organisation with regard to the organisation's demonstration of compliance with the Principle of Accountability. A review of GDPR compliance software solutions shows that organisations are greatly challenged in meeting the compliance obligations set out under the GDPR, despite the myriad of software tools available to them. Many organisations continue to take a manual and informal approach to GDPR compliance. Our analysis shows significant gaps in the ability of GDPR tools to demonstrate compliance: they lack interoperability features, and they are not supported by published methodologies or by evidence of their validity or even utility. In contrast, RegTech has brought great success to financial compliance, using technological solutions to facilitate compliance with, and the monitoring of, regulatory requirements. A review of the state of the art identified the four success features of a RegTech system to be strong data governance, automation through technology, interoperability of systems and a proactive regulatory framework. This paper outlines a set of requirements for GDPR compliance tools based on the RegTech experience and evaluates how these success features could be applied to improve GDPR compliance. A proof-of-concept prototype GDPR compliance tool was explored using the four success factors of RegTech, in which RegTech best practice was applied to a regulator-based self-assessment checklist to establish whether the demonstration of GDPR compliance could be improved. The application of the RegTech success factors provides opportunities for demonstrable and validated GDPR compliance, in addition to the risk reductions and cost savings that RegTech can deliver, and can facilitate organisations in meeting their GDPR compliance obligations.

    Duomenų apsaugos pareigūno vaidmuo ir reikšmė organizacijoje (The role and significance of the Data Protection Officer in the organisation)

    Following the entry into force of the General Data Protection Regulation (hereafter referred to as the GDPR), organisations that process personal data must ensure and demonstrate compliance with all of its principles. A new post, known as the Data Protection Officer (hereafter referred to as the DPO), has been created. The appointment of this official may be one of the measures necessary to implement the principle of accountability. The purpose of the article is to analyse the role and significance of the DPO in the organisation, and to provide generalised recommendations. The role and significance of the DPO will continue to grow, as will the tasks and activities of the DPO. It is important to emphasise that GDPR compliance is the responsibility of the data controller or data processor, not the DPO.

    Support for enhanced GDPR accountability with the common semantic model for ROPA (CSM-ROPA)

    The creation and maintenance of Registers of Processing Activities (ROPA) are essential to meeting the General Data Protection Regulation (GDPR) and thus to demonstrating compliance based on the GDPR concept of accountability. To establish its effectiveness in meeting this obligation, we evaluate a ROPA semantic model, the Common Semantic Model for ROPA (CSM-ROPA). Semantic models and tools represent one solution to the compliance challenges faced by organisations: the heterogeneity of relevant data sources, and the lack of tool interoperability and agreed common standards. By surveying current practice and the literature we identify the requirements for GDPR accountability tools: digital exchange of data, automated accountability verification and privacy-aware data governance. A case study was conducted to analyse the expressivity and effectiveness of CSM-ROPA when used as an interoperable, machine-readable mediation layer to express the concepts in a comprehensive regulator-provided accountability framework used for GDPR compliance. We demonstrate that CSM-ROPA can express 98% of ROPA accountability terms and fully express nine of the ten European regulators' ROPA templates. We identify three terms for addition to CSM-ROPA, and we identify areas where CSM-ROPA relies on partial matches that indicate model limitations. These improvements to CSM-ROPA will provide comprehensive coverage of the regulator-supplied model. We show that tools based on CSM-ROPA can fully meet the requirements of compliance best practice when compared with either manual accountability approaches or a leading privacy software solution.

    DPCat: Specification for an interoperable and machine-readable data processing catalogue based on GDPR

    The GDPR requires Data Controllers and Data Protection Officers (DPO) to maintain a Register of Processing Activities (ROPA) as part of overseeing the organisation's compliance processes. The ROPA must include information from heterogeneous sources such as (internal) departments with varying IT systems and (external) data processors. Current practices use spreadsheets or proprietary systems that lack machine-readability and interoperability, presenting barriers to automation. We propose the Data Processing Catalogue (DPCat) for the representation, collection and transfer of ROPA information as catalogues in a machine-readable and interoperable manner. DPCat is based on the Data Catalog Vocabulary (DCAT), its extension DCAT Application Profile for data portals in Europe (DCAT-AP), and the Data Privacy Vocabulary (DPV). It represents a comprehensive semantic model developed from GDPR's Article and an analysis of the 17 ROPA templates from EU Data Protection Authorities (DPA). To demonstrate the practicality and feasibility of DPCat, we present the European Data Protection Supervisor's (EDPS) ROPA documents using DPCat, verify them with SHACL to ensure the correctness of the information against legal and contextual requirements, and produce reports and ROPA documents based on DPA templates using SPARQL. DPCat supports a data governance process for data processing compliance that harmonises inputs from heterogeneous sources to produce dynamic documentation which can accommodate differences in regulatory approaches across DPAs and ease investigative burdens toward efficient enforcement.

    JURI SAYS: An Automatic Judgement Prediction System for the European Court of Human Rights

    In this paper we present the web platform JURI SAYS, which automatically predicts decisions of the European Court of Human Rights based on communicated cases. These are published by the court early in the proceedings and are often available many years before the final decision is made; our system therefore predicts future judgements of the court. The platform is available at jurisays.com and shows the predictions compared with the actual decisions of the court. It is automatically updated every month to include predictions for new cases. Additionally, the system highlights the sentences and paragraphs that are most important for the prediction (i.e. violation vs. no violation of human rights).