
Legislative Compliance Assessment: Framework, Model and GDPR Instantiation

Conference paper in Privacy Technologies and Policy (APF 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11079)

Abstract

Legislative compliance assessment tools are commonly used by companies to help them to understand their legal obligations. One of the primary limitations of existing tools is that they tend to consider each regulation in isolation. In this paper, we propose a flexible and modular compliance assessment framework that can support multiple legislations. Additionally, we describe our extension of the Open Digital Rights Language (ODRL) so that it can be used not only to represent digital rights but also legislative obligations, and discuss how the proposed model is used to develop a flexible compliance system, where changes to the obligations are automatically reflected in the compliance assessment tool. Finally, we demonstrate the effectiveness of the proposed approach through the development of a General Data Protection Regulatory model and compliance assessment tool.



Acknowledgments

Partially supported by the European Union's Horizon 2020 research and innovation programme under grant 731601 and the Austrian Federal Ministry of Transport, Innovation and Technology (BMVIT) DALICC. For Figs. 1, 4 and 6, icons have been taken from icons8 (https://icons8.com/).

Author information

Corresponding authors: Sushant Agarwal, Simon Steyskal, Franjo Antunovic or Sabrina Kirrane.


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper


Cite this paper

Agarwal, S., Steyskal, S., Antunovic, F., Kirrane, S. (2018). Legislative Compliance Assessment: Framework, Model and GDPR Instantiation. In: Medina, M., Mitrakas, A., Rannenberg, K., Schweighofer, E., Tsouroulas, N. (eds) Privacy Technologies and Policy. APF 2018. Lecture Notes in Computer Science, vol 11079. Springer, Cham. https://doi.org/10.1007/978-3-030-02547-2_8


  • DOI: https://doi.org/10.1007/978-3-030-02547-2_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02546-5

  • Online ISBN: 978-3-030-02547-2
