53 research outputs found
Semantic Business Process Regulatory Compliance Checking Using LegalRuleML
Legal documents are the source of norms, guidelines, and rules that often feed into different applications. In this perspective, to foster the need of development and deployment of different applications, it is important to have a sufficiently expressive conceptual framework such that various heterogeneous aspects of norms can be modeled and reasoned with. In this paper, we investigate how to exploit Semantic Web technologies and languages, such as LegalRuleML, to model a legal document. We show how the semantic annotations can be used to empower a business process (regulatory) compliance system and discuss the challenges of adapting a semantic approach to the legal domain.
Proposal of a legal framework through the development of new domain specific languages (DSL) in compliance with GDPR
The adaptation of company processes to the EU Regulation represents a major opportunity to review, update and improve the internal processes and management tools used. The loss of data, in most cases, causes serious damage to the image and very often the total closure of the company. The legislation therefore represents an opportunity and a stimulus to verify the management methods applied, to define an organizational model and a code of conduct (policies, processes, rules / provisions and controls) capable of improving internal processes, defining and achieving desired objectives, and ensuring data and systems protection with proper risk management and assessment. This paper presents the principles of LegalRuleML applied to a legal domain such as the General Data Protection Regulation (GDPR) and discusses reasons that LegalRuleML is convenient for modeling norms. We need to understand why it is important to develop a specific domain language that refers to internal GDPR privacy consulting and BPM mapping. LegalRuleML allows inconsistent renditions of a legal source to coexist in the same LegalRuleML document and provides functionality to identify and select interpretations.
Modelling and accessing regulatory knowledge for computer-assisted compliance audit
The ingredients for an effective automated audit of a building design include a building model containing the design information, a computerised regulatory knowledge model, and a practical method of processing these computable representations. There have been numerous approaches to computer-aided compliance audit in the AEC/FM domain over the last four decades, but none has yet evolved into a practical solution. One reason is that they have all been isolated attempts that lack any form of industry-wide standardisation. The current research project, therefore, focuses on investigating the use of the industry standard building information model and the adoption of open standard legal knowledge interchange and executable workflow models for automating conventional compliant design processes. This paper provides a non-exhaustive overview of common approaches to model and access regulatory knowledge for a compliance audit. The strengths and weaknesses of two comparative open standard knowledge representation approaches are discussed using an example regulatory document.
Legal compliance by design (LCbD) and through design (LCtD) : preliminary survey
1st Workshop on Technologies for Regulatory Compliance co-located with the 30th International Conference on Legal Knowledge and Information Systems (JURIX 2017). The purpose of this paper is twofold: (i) carrying out a preliminary survey of the literature and research projects on Compliance by Design (CbD); and (ii) clarifying the double process of (a) extending business managing techniques to other regulatory fields, and (b) converging trends in legal theory, legal technology and Artificial Intelligence. The paper highlights the connections and differences we found across different domains and proposals. We distinguish three different policy-driven types of CbD: (i) business, (ii) regulatory, and (iii) legal. The recent deployment of ethical views, and the implementation of general principles of privacy and data protection lead to the conclusion that, in order to appropriately define legal compliance, Compliance through Design (CtD) should be differentiated from CbD.
Spent convictions and the architecture for establishing legal semantic workflows
This research was partially funded by the Data to Decisions Cooperative Research Centre (D2D CRC, Australia), and Meta-Rule of Law (DER2016-78108-P, Spain). Operating within the Data to Decision Cooperative Research Centre (D2D CRC), the authors are currently involved in the Integrated Law Enforcement program and the Compliance through Design project. These have the goal of developing a federated data platform for law enforcement agencies that will enable the execution of integrated analytics on data accessed from different external and internal sources, thereby providing effective support to an investigator or analyst working to evaluate evidence and manage lines of inquiries in an investigation. Technical solutions should also operate ethically, in compliance with the law and subject to good governance principles. This paper is focused on the Australian spent convictions scheme, which provides use cases to test the platform.
ODRL Policy Modelling and Compliance Checking
This paper addresses the problem of constructing a policy pipeline that enables compliance checking of business processes against regulatory obligations. Towards this end, we propose an Open Digital Rights Language (ODRL) profile that can be used to capture the semantics of both business policies in the form of sets of required permissions and regulatory requirements in the form of deontic concepts, and present their translation into Answer Set Programming (via the Institutional Action Language (InstAL)) for compliance checking purposes. The result of the compliance checking is either a positive compliance result or an explanation pertaining to the aspects of the policy that are causing the noncompliance. The pipeline is illustrated using two (key) fragments of the General Data Protection Regulation, namely Article 6 (Lawfulness of processing) and Article 46 (Transfers subject to appropriate safeguards), and industrially-relevant use cases that involve the specification of sets of permissions that are needed to execute business processes. The core contributions of this paper are the ODRL profile, which is capable of modelling regulatory obligations and business policies, the exercise of modelling elements of GDPR in this semantic formalism, and the operationalisation of the model to demonstrate its capability to support personal data processing compliance checking, and a basis for explaining why the request is deemed compliant or not.
Querying a regulatory model for compliant building design audit
The ingredients for an effective automated audit of a building design include a BIM model containing the design information, an electronic regulatory knowledge model, and a practical method of processing these computerised representations. There have been numerous approaches to computer-aided compliance audit in the AEC/FM domain over the last four decades, but none has yet evolved into a practical solution. One reason is that they have all been isolated attempts that lack any form of standardisation. The current research project therefore focuses on using an open standard regulatory knowledge and BIM representations in conjunction with open standard executable compliant design workflows to automate the compliance audit process. This paper provides an overview of different approaches to access information from a regulatory model representation. The paper then describes the use of a purpose-built high-level domain specific query language to extract regulatory information as part of the effort to automate manual design procedures for compliance audit.
Modelling legal knowledge for GDPR compliance checking
In the last fifteen years, Semantic Web technologies have been successfully applied to the legal domain. By composing all those techniques and theoretical methods, we propose an integrated framework for modelling legal documents and legal knowledge to support legal reasoning, in particular checking compliance. This paper presents a proof-of-concept applied to the GDPR domain, with the aim to detect infringements of privacy compulsory norms or to prevent possible violations using BPMN and the Regorous engine.
Machine Understandable Policies and GDPR Compliance Checking
The European General Data Protection Regulation (GDPR) calls for technical and organizational measures to support its implementation. Towards this end, the SPECIAL H2020 project aims to provide a set of tools that can be used by data controllers and processors to automatically check if personal data processing and sharing complies with the obligations set forth in the GDPR. The primary contributions of the project include: (i) a policy language that can be used to express consent, business policies, and regulatory obligations; and (ii) two different approaches to automated compliance checking that can be used to demonstrate that data processing performed by data controllers / processors complies with consent provided by data subjects, and business processes comply with regulatory obligations set forth in the GDPR.
- …