GDPR Modelling for Log-Based Compliance Checking

  • Colombe de Montety
  • Thibaud Antignac
  • Christophe Slim
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 563)


Since the entry into force of the General Data Protection Regulation (GDPR), public and private organizations face unprecedented challenges to ensure compliance with new data protection rules. To help with its implementation, academics and technologists proposed innovative solutions leading to what is known today as privacy engineering. Among the main goals of these solutions are to enable compliant data processing by controllers and to increase trust in compliance by data subjects. While data protection by design (Article 25 of GDPR) constitutes a keystone of the regulation, many legacy systems are not designed and implemented with this concept in mind, but still process large quantities of personal data. Consequently, there is a need for “after design” ways to check compliance and remediate data protection issues. In this paper, we propose to monitor and check the compliance of legacy systems through their logs. To make this possible, we modelled a core subset of the GDPR in the Prolog language. The approach we followed produced an operational model of the GDPR which eases the interactions with standard operational models of Information Technology (IT) systems. Different dimensions required to properly address data protection obligations have been covered, in particular time-related properties such as retention time. The logic-based GDPR model has also been kept as close as possible to the legal wording to allow a Data Protection Officer to explore the model in case of need. Finally, even if we don’t have a completed tool yet, we created a proof-of-concept framework to use the GDPR model to detect data protection compliance violations by monitoring the IT system logs.


Privacy Logic Model Accountability Compliance 


Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. CEA List, Software Safety and Security Laboratory, PC174, Gif-sur-Yvette, France
  2. CEA, Agreements and Intellectual Prop. Service, PC144, Gif-sur-Yvette, France
  3. DANTE, UVSQ, Guyancourt, France
