Design Challenges for GDPR RegTech
The Accountability Principle of the GDPR requires that an organisation can demonstrate compliance with the regulations. A survey of GDPR compliance software solutions shows significant gaps in their ability to demonstrate compliance. In contrast, RegTech has recently brought great success to financial compliance, resulting in reduced risk, cost saving and enhanced financial regulatory compliance. It is shown that many GDPR solutions lack interoperability features such as standard APIs, meta-data or reports, and they are not supported by published methodologies or evidence to support their validity or even utility. A proof-of-concept prototype was explored using a regulator-based self-assessment checklist to establish whether RegTech best practice could improve the demonstration of GDPR compliance. The application of a RegTech approach provides opportunities for demonstrable and validated GDPR compliance, notwithstanding the risk reductions and cost savings that RegTech can deliver. This paper demonstrates that a RegTech approach to GDPR compliance can facilitate an organisation meeting its accountability obligations.
A common semantic model of the GDPR register of processing activities
The creation and maintenance of a Register of Processing Activities (ROPA) is an essential process for the demonstration of GDPR compliance. We analyse ROPA templates from six EU Data Protection Regulators and show that template scope and granularity vary widely between jurisdictions. We then propose a flexible, consolidated data model for consistent processing of ROPAs (CSM-ROPA). We analyse the extent to which the Data Privacy Vocabulary (DPV) can be used to express CSM-ROPA. We find that it does not directly address modelling ROPAs, and so needs additional concept definitions. We provide a mapping of our CSM-ROPA to an extension of the Data Privacy Vocabulary.
The Role of Vocabulary Mediation to Discover and Represent Relevant Information in Privacy Policies
To date, the effort made by existing vocabularies to provide a shared representation of the data protection domain is not fully exploited. Different natural language processing (NLP) techniques have been applied to the text of privacy policies without, however, taking advantage of existing vocabularies to provide those documents with a shared semantic superstructure. In this paper we show how a recently released domain-specific vocabulary, i.e. the Data Privacy Vocabulary (DPV), can be used to discover, in privacy policies, the information that is relevant with respect to the concepts modelled in the vocabulary itself. We also provide a machine-readable representation of this information to bridge the unstructured textual information to the formal taxonomy modelled in it. This is the first approach to the automatic processing of privacy policies that relies on the DPV, fuelling further investigation into the applicability of existing semantic resources to promote the reuse of information and the interoperability between systems in the data protection domain.
Demonstrating GDPR accountability with CSM-ROPA: extensions to the data privacy vocabulary
The creation and maintenance of a Register of Processing Activities (ROPA) are essential to meeting the Accountability Principle of the General Data Protection Regulation (GDPR). We evaluate a semantic model, CSM-ROPA, to establish the extent to which it can be used to express a regulator-provided accountability tracker to facilitate GDPR/ROPA compliance. We show that the ROPA practices of organisations are largely based on manual paper-based templates or non-interoperable systems, leading to inadequate GDPR/ROPA compliance levels. We contrast these current approaches to GDPR/ROPA compliance with best practice for regulatory compliance and identify four critical features of systems to support accountability. We conduct a case study to analyse the extent to which CSM-ROPA can be used as an interoperable, machine-readable mediation layer to express a regulator-supplied ROPA accountability tracker. We demonstrate that CSM-ROPA can successfully express 92% of ROPA accountability terms. The addition of connectable vocabularies brings the expressivity to 98%. We identify three terms for addition to CSM-ROPA to enable full expressivity. The application of CSM-ROPA provides opportunities for demonstrable and validated GDPR compliance. This standardisation would enable the development of automated, interoperable tools for supported accountability and the demonstration of GDPR compliance.
GDPR Compliance tools: best practice from RegTech
Organisations can be complex entities, performing heterogeneous processing on large volumes of diverse personal data, potentially using outsourced partners or subsidiaries in distributed geographical locations and jurisdictions. Many organisations appoint a Data Protection Officer (DPO) to assist them with their demonstration of compliance with the GDPR Principle of Accountability. The challenge for the DPO is to monitor these complex processing activities and to advise and inform the organisation with regard to the organisation's demonstration of compliance with the Principle of Accountability. A review of GDPR compliance software solutions shows that organisations are being greatly challenged in meeting compliance obligations as set out under the GDPR, despite the myriad of software tools available to them. Many organisations continue to take a manual and informal approach to GDPR compliance. Our analysis shows significant gaps on the part of GDPR tools in their ability to demonstrate compliance, in that they lack interoperability features and are not supported by published methodologies or evidence to support their validity or even utility. In contrast, RegTech has brought great success to financial compliance, using technological solutions to facilitate compliance with, and the monitoring of, regulatory requirements. A review of the state of the art identified the four success features of a RegTech system to be strong data governance, automation through technology, interoperability of systems and a proactive regulatory framework. This paper outlines a set of requirements for GDPR compliance tools based on the RegTech experience and evaluates how these success features could be applied to improve GDPR compliance. A proof-of-concept prototype GDPR compliance tool was explored using the four success factors of RegTech, in which RegTech best practice was applied to a regulator-based self-assessment checklist to establish whether the demonstration of GDPR compliance could be improved. The application of RegTech success factors provides opportunities for demonstrable and validated GDPR compliance, notwithstanding the risk reductions and cost savings that RegTech can deliver, and can facilitate organisations in meeting their GDPR compliance obligations.
The Role and Significance of the Data Protection Officer in the Organisation
Following the entry into force of the General Data Protection Regulation (hereafter referred to as the GDPR), organizations that process personal data must ensure and demonstrate compliance with all of its principles. A new post, known as the Data Protection Officer (hereafter referred to as the DPO), has been created. The appointment of this official may be one of the measures necessary to implement the principle of accountability. The purpose of the article is to analyze the role and significance of the DPO in the organization, and to provide generalized recommendations. The role and significance of the DPO will continue to grow, as will the tasks and activities of the DPO. It is important to emphasize that GDPR compliance is the responsibility of the data controller or data processor, not the DPO.
Support for enhanced GDPR accountability with the common semantic model for ROPA (CSM-ROPA)
The creation and maintenance of Registers of Processing Activities (ROPA) are essential to meeting the General Data Protection Regulation (GDPR) and thus to demonstrating compliance based on the GDPR concept of accountability. To establish its effectiveness in meeting this obligation, we evaluate a ROPA semantic model, the Common Semantic Model-ROPA (CSM-ROPA). Semantic models and tools represent one solution to the compliance challenges faced by organisations: the heterogeneity of relevant data sources, and the lack of tool interoperability and agreed common standards. By surveying current practice and the literature we identify the requirements for GDPR accountability tools: digital exchange of data, automated accountability verification and privacy-aware data governance. A case study was conducted to analyse the expressivity and effectiveness of CSM-ROPA when used as an interoperable, machine-readable mediation layer to express the concepts in a comprehensive regulator-provided accountability framework used for GDPR compliance. We demonstrate that CSM-ROPA can express 98% of ROPA accountability terms and fully express nine of the ten European regulators' ROPA templates. We identify three terms for addition to CSM-ROPA, and we identify areas where CSM-ROPA relies on partial matches that indicate model limitations. These improvements to CSM-ROPA will provide comprehensive coverage of the regulator-supplied model. We show that tools based on CSM-ROPA can fully meet the requirements of compliance best practice when compared with either manual accountability approaches or a leading privacy software solution.
DPCat: Specification for an interoperable and machine-readable data processing catalogue based on GDPR
The GDPR requires Data Controllers and Data Protection Officers (DPO) to maintain a Register of Processing Activities (ROPA) as part of overseeing the organisation's compliance processes. The ROPA must include information from heterogeneous sources such as (internal) departments with varying IT systems and (external) data processors. Current practices use spreadsheets or proprietary systems that lack machine-readability and interoperability, presenting barriers to automation. We propose the Data Processing Catalogue (DPCat) for the representation, collection and transfer of ROPA information, as catalogues, in a machine-readable and interoperable manner. DPCat is based on the Data Catalog Vocabulary (DCAT) and its extension DCAT Application Profile for data portals in Europe (DCAT-AP), and the Data Privacy Vocabulary (DPV). It represents a comprehensive semantic model developed from GDPR's Article and an analysis of the 17 ROPA templates from EU Data Protection Authorities (DPA). To demonstrate the practicality and feasibility of DPCat, we present the European Data Protection Supervisor's (EDPS) ROPA documents using DPCat, verify them with SHACL to ensure the correctness of information based on legal and contextual requirements, and produce reports and ROPA documents based on DPA templates using SPARQL. DPCat supports a data governance process for data processing compliance to harmonise inputs from heterogeneous sources to produce dynamic documentation that can accommodate differences in regulatory approaches across DPAs and ease investigative burdens toward efficient enforcement.
JURI SAYS: An Automatic Judgement Prediction System for the European Court of Human Rights
In this paper we present the web platform JURI SAYS, which automatically predicts decisions of the European Court of Human Rights based on communicated cases, which are published by the court early in the proceedings and are often available many years before the final decision is made. Our system therefore predicts future judgements of the court. The platform is available at jurisays.com and shows the predictions compared to the actual decisions of the court. It is automatically updated every month by including the predictions for the new cases. Additionally, the system highlights the sentences and paragraphs that are most important for the prediction (i.e. violation vs. no violation of human rights).