Abstract
Under the GDPR requirements and privacy-by-design guidelines, access control for personal data should not be limited to a simple role-based scenario. For the processing to be compliant, additional attributes, such as the purpose of processing or legal basis, should be verified against an established data processing agreement or policy. In this paper, we propose an automated policy-based compliance checking model and implement it using SHACL. We provide the preliminary performance evaluation results and offer optimizations. We also define the procedure for handling conflicts in policies, resulting from the natural language description of the compliance rules. Our method combines a data model with compliance checking within the Semantic Web framework, generating what we call an operational model and promoting interoperability.
Supported and funded by the Walloon region, Belgium. ASGARD project, convention number 8175.
Notes
- 7. Obligations and related technical/organisational measures are also captured in SAVE, but, at this phase, not considered for compliance checking.
- 8. The full SAVE model: http://rune.research.euranova.eu#resulting-model.
- 10. Archived version of the IMDB policy can be found here.
- 11. The source code: https://github.com/euranova/shacl-compliance. A light demo: https://rune-278710.ew.r.appspot.com/save/compliance.
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Al Bassit, A., Krasnashchok, K., Skhiri, S., Mustapha, M. (2021). Policy-Based Automated Compliance Checking. In: Moschoyiannis, S., Peñaloza, R., Vanthienen, J., Soylu, A., Roman, D. (eds) Rules and Reasoning. RuleML+RR 2021. Lecture Notes in Computer Science, vol 12851. Springer, Cham. https://doi.org/10.1007/978-3-030-91167-6_1
DOI: https://doi.org/10.1007/978-3-030-91167-6_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91166-9
Online ISBN: 978-3-030-91167-6
eBook Packages: Computer Science, Computer Science (R0)