Skip to main content

Machine Understandable Policies and GDPR Compliance Checking

Abstract

The European General Data Protection Regulation (GDPR) calls for technical and organizational measures to support its implementation. Towards this end, the SPECIAL H2020 project aims to provide a set of tools that can be used by data controllers and processors to automatically check if personal data processing and sharing complies with the obligations set forth in the GDPR. The primary contributions of the project include: (i) a policy language that can be used to express consent, business policies, and regulatory obligations; and (ii) two different approaches to automated compliance checking that can be used to demonstrate that data processing performed by data controllers/processors complies with consent provided by data subjects, and business processes comply with regulatory obligations set forth in the GDPR.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2

Notes

  1. 1.

    https://www.w3.org/TR/owl2-overview/.

  2. 2.

    http://www.w3.org/TR/P3P11.

  3. 3.

    https://www.w3.org/TR/odrl/.

  4. 4.

    www.w3.org/community/dpvcg/.

  5. 5.

    We omit \(P_1\) due to space limitations; the reader may easily derive it by analogy with the above example.

  6. 6.

    We have also run sets of synthetic experiments with increasing size to assess the scalability of PLR. They are omitted here due to space limitation and will be published in a forthcoming paper. We anticipate that these experiments confirm that PLR is faster than its competitors.

  7. 7.

    https://zenodo.org/record/2545177.

References

  1. 1.

    Agarwal S, Steyskal S, Antunovic F, Kirrane S (2018) Legislative compliance assessment: framework, model and gdpr instantiation. In: Annual privacy forum. Springer, Cham, pp 131–149

  2. 2.

    Antoniou G, Dimaresis N, Governatori G (2009) A modal and deontic defeasible reasoning system for modelling policies and multi-agent systems. Expert Syst Appl 36(2):4125–4134

    Article  Google Scholar 

  3. 3.

    Athan T, Boley H, Governatori G, Palmirani M, Paschke A, Wyner A (2013) Oasis legalruleml. In: Proceedings of the fourteenth international conference on artificial intelligence and law, pp 3–12

  4. 4.

    Baader F, Calvanese D, McGuinness DL, Nardi D, Patel-Schneider PF (eds) (2003) The description logic handbook: theory, implementation, and applications. Cambridge University Press, Cambridge (ISBN 0-521-78176-0)

    MATH  Google Scholar 

  5. 5.

    Bartolini C, Muthuri R, Santos C (2015) Using ontologies to model data protection requirements in workflows. In: JSAI international symposium on artificial intelligence. Springer, Cham, pp 233–248

  6. 6.

    Bonatti PA (2010) Datalog for security, privacy and trust. In: Datalog Reloaded—First International Workshop, Datalog 2010. https://doi.org/10.1007/978-3-642-24206-9_2

  7. 7.

    Bonatti PA (2018) Fast compliance checking in an OWL2 fragment. In: Proceedings of the twenty-seventh international joint conference on artificial intelligence, IJCAI. https://doi.org/10.24963/ijcai.2018/241

  8. 8.

    Bonatti PA, Coi JLD, Olmedilla D, Sauro L (2010) A rule-based trust negotiation system. IEEE Trans Knowl Data Eng 22(11):1507–1520. https://doi.org/10.1109/TKDE.2010.83

    Article  Google Scholar 

  9. 9.

    DATA POP (1995) Directive 95/46/EC of the European parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal L, 281(23/11), 0031–0050

  10. 10.

    Gandon F, Governatori G, Villata S (2017) Normative requirements as linked data. In: Legal knowledge and information systems: Jurix 2017: the thirtieth annual conference, vol 302. IOS Press

  11. 11.

    Glimm B, Horrocks I, Motik B, Stoilos G, Wang Z (2014) Hermit: an OWL 2 reasoner. J Autom Reason 53(3):245–269. https://doi.org/10.1007/s10817-014-9305-1

    Article  MATH  Google Scholar 

  12. 12.

    Governatori G, Olivieri F, Rotolo A, Scannapieco S (2013) Computing strong and weak permissions in defeasible logic. J Philos Logic 42(6):2013. https://doi.org/10.1007/s10992-013-9295-1

    MathSciNet  Article  MATH  Google Scholar 

  13. 13.

    Governatori G, Hashmi M, Lam H-P, Villata S, Palmirani M (2016) Semantic business process regulatory compliance checking using LegalRuleML. In: European knowledge acquisition workshop. Springer, Cham, pp 746–751

  14. 14.

    Horty JF (2001) Agency and deontic logic. Oxford University Press, Oxford

    Book  Google Scholar 

  15. 15.

    Information Commissioner’s Office (ICO) UK (2017) Getting ready for the GDPR. https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

  16. 16.

    Jajodia S, Samarati P, Sapino ML, Subrahmanian VS (2001) Flexible support for multiple access control policies. ACM Trans Database Syst (TODS) 26(2):214–260

  17. 17.

    Jones AJI, Sergot MJ (1993) On the characterization of law and computer systems: the normative systems perspective. In: Meyer J-JC, Wieringa RJ (eds) Deontic logic in computer science: normative system specification, chapter 8. Wiley, USA

    Google Scholar 

  18. 18.

    Kagal L, Finin T, Joshi A (2003) A policy language for a pervasive computing environment. In: Proceedings POLICY 2003. IEEE 4th international workshop on policies for distributed systems and networks. IEEE, pp 63–74

  19. 19.

    Kazakov Y, Krötzsch M, Simancik F (2014) The incredible ELK—from polynomial procedures to efficient reasoning with EL ontologies. J Autom Reason 53(1):1–61. https://doi.org/10.1007/s10817-013-9296-3

    MathSciNet  Article  MATH  Google Scholar 

  20. 20.

    Lam HP, Hashmi M (2019) Enabling reasoning with LegalRuleML. Theory Practice Logic Program 19(1):1–26

  21. 21.

    Makinson D, van der Torre L (2003) What is input/output logic?. Springer, Berlin

    Book  Google Scholar 

  22. 22.

    Microsoft Trust Center (2017) Detailed GDPR Assessment. http://aka.ms/gdprdetailedassessment

  23. 23.

    Nymity. GDPR Compliance Toolkit. https://www.nymity.com/gdpr-toolkit.aspx

  24. 24.

    Palmirani M, Governatori G, Rotolo A, Tabet S, Boley H, Paschke A (2011) LegalRuleML: XML-based rules and norms. In: International workshop on rules and rule markup languages for the semantic web. Springer, Berlin, Heidelberg, pp 298–312

  25. 25.

    Palmirani M, Martoni M, Rossi A, Bartolini C, Robaldo L (2018) PrOnto: privacy ontology for legal reasoning. In: International conference on electronic government and the information systems perspective. Springer, Cham, pp 139–152

  26. 26.

    Pandit HJ, Fatema K, O’Sullivan D, Lewis D (2018) GDPRtEXT-GDPR as a linked data resource. In: European semantic web conference. Springer, Cham, pp 481–495

  27. 27.

    Pandit HJ, Polleres A, Bos B, Brennan R, Bruegger BP, Ekaputra FJ, Fernández JD, Hamed RG, Kiesling E, Lizar M, Schlehahn E, Steyskal S, Wenning R (2019) Creating a vocabulary for data privacy—the first-year report of data privacy vocabularies and controls community group (DPVCG). In: OTM, Conferences - Confederated International Conferences: CoopIS. ODBASE, C&TC, p 2019

  28. 28.

    Pearson S, Casassa-Mont M (2011) Sticky policies: an approach for managing privacy across multiple parties. IEEE Comput 44(9):60–68

    Article  Google Scholar 

  29. 29.

    Prakken H, Sartor G (2015) Law and logic: a review from an argumentation perspective. Artif Intell. https://doi.org/10.1016/j.artint.2015.06.005

    MathSciNet  Article  MATH  Google Scholar 

  30. 30.

    Sergot MJ, Sadri F, Kowalski RA, Kriwaczek F, Hammond P, Cory HT (1986) The British nationality act as a logic program. Commun ACM. https://doi.org/10.1145/5689.5920

    Article  Google Scholar 

  31. 31.

    Steigmiller A, Liebig T, Glimm B (2014) Konclude: system description. J Web Semant 27–28:78–85. https://doi.org/10.1016/j.websem.2014.06.003

    Article  MATH  Google Scholar 

  32. 32.

    Uszok A, Bradshaw JM, Jeffers R, Suri N, Hayes PJ, Breedy MR, Bunch L, Johnson M, Kulkarni S, Lott J (2003) KAoS policy and domain services: toward a description-logic approach to policy representation, deconfliction, and enforcement. In: Proceedings POLICY 2003. IEEE 4th international workshop on policies for distributed systems and networks. IEEE, pp 93–96

  33. 33.

    Woo TYC, Lam SS (1993) Authorizations in distributed systems: a new approach. J Comput Secur 2(2–3):107–136. https://doi.org/10.3233/JCS-1993-22-304

    Article  Google Scholar 

  34. 34.

    Zarri GP (2009) Representation and Management of Narrative Information - Theoretical Principles and Implementation. Springer, Advanced Information and Knowledge Processing. ISBN 978-1-84800-077-3

Download references

Acknowledgements

This research is funded by the European Union’s Horizon 2020 research and innovation programme under grant agreement N. 731601. The authors are grateful to all of SPECIAL’s partners; without their contribution this project and its results would not have been possible.

Author information

Affiliations

Authors

Corresponding author

Correspondence to Piero A. Bonatti.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Bonatti, P.A., Kirrane, S., Petrova, I.M. et al. Machine Understandable Policies and GDPR Compliance Checking. Künstl Intell 34, 303–315 (2020). https://doi.org/10.1007/s13218-020-00677-4

Download citation

Keywords

  • GDPR
  • Policies
  • Compliance checking