Abstract
The European General Data Protection Regulation (GDPR) calls for technical and organizational measures to support its implementation. Towards this end, the SPECIAL H2020 project aims to provide a set of tools that can be used by data controllers and processors to automatically check if personal data processing and sharing complies with the obligations set forth in the GDPR. The primary contributions of the project include: (i) a policy language that can be used to express consent, business policies, and regulatory obligations; and (ii) two different approaches to automated compliance checking that can be used to demonstrate that data processing performed by data controllers/processors complies with consent provided by data subjects, and business processes comply with regulatory obligations set forth in the GDPR.
Similar content being viewed by others
Notes
We omit \(P_1\) due to space limitations; the reader may easily derive it by analogy with the above example.
We have also run sets of synthetic experiments with increasing size to assess the scalability of PLR. They are omitted here due to space limitation and will be published in a forthcoming paper. We anticipate that these experiments confirm that PLR is faster than its competitors.
References
Agarwal S, Steyskal S, Antunovic F, Kirrane S (2018) Legislative compliance assessment: framework, model and gdpr instantiation. In: Annual privacy forum. Springer, Cham, pp 131–149
Antoniou G, Dimaresis N, Governatori G (2009) A modal and deontic defeasible reasoning system for modelling policies and multi-agent systems. Expert Syst Appl 36(2):4125–4134
Athan T, Boley H, Governatori G, Palmirani M, Paschke A, Wyner A (2013) Oasis legalruleml. In: Proceedings of the fourteenth international conference on artificial intelligence and law, pp 3–12
Baader F, Calvanese D, McGuinness DL, Nardi D, Patel-Schneider PF (eds) (2003) The description logic handbook: theory, implementation, and applications. Cambridge University Press, Cambridge (ISBN 0-521-78176-0)
Bartolini C, Muthuri R, Santos C (2015) Using ontologies to model data protection requirements in workflows. In: JSAI international symposium on artificial intelligence. Springer, Cham, pp 233–248
Bonatti PA (2010) Datalog for security, privacy and trust. In: Datalog Reloaded—First International Workshop, Datalog 2010. https://doi.org/10.1007/978-3-642-24206-9_2
Bonatti PA (2018) Fast compliance checking in an OWL2 fragment. In: Proceedings of the twenty-seventh international joint conference on artificial intelligence, IJCAI. https://doi.org/10.24963/ijcai.2018/241
Bonatti PA, Coi JLD, Olmedilla D, Sauro L (2010) A rule-based trust negotiation system. IEEE Trans Knowl Data Eng 22(11):1507–1520. https://doi.org/10.1109/TKDE.2010.83
DATA POP (1995) Directive 95/46/EC of the European parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal L, 281(23/11), 0031–0050
Gandon F, Governatori G, Villata S (2017) Normative requirements as linked data. In: Legal knowledge and information systems: Jurix 2017: the thirtieth annual conference, vol 302. IOS Press
Glimm B, Horrocks I, Motik B, Stoilos G, Wang Z (2014) Hermit: an OWL 2 reasoner. J Autom Reason 53(3):245–269. https://doi.org/10.1007/s10817-014-9305-1
Governatori G, Olivieri F, Rotolo A, Scannapieco S (2013) Computing strong and weak permissions in defeasible logic. J Philos Logic 42(6):2013. https://doi.org/10.1007/s10992-013-9295-1
Governatori G, Hashmi M, Lam H-P, Villata S, Palmirani M (2016) Semantic business process regulatory compliance checking using LegalRuleML. In: European knowledge acquisition workshop. Springer, Cham, pp 746–751
Horty JF (2001) Agency and deontic logic. Oxford University Press, Oxford
Information Commissioner’s Office (ICO) UK (2017) Getting ready for the GDPR. https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/
Jajodia S, Samarati P, Sapino ML, Subrahmanian VS (2001) Flexible support for multiple access control policies. ACM Trans Database Syst (TODS) 26(2):214–260
Jones AJI, Sergot MJ (1993) On the characterization of law and computer systems: the normative systems perspective. In: Meyer J-JC, Wieringa RJ (eds) Deontic logic in computer science: normative system specification, chapter 8. Wiley, USA
Kagal L, Finin T, Joshi A (2003) A policy language for a pervasive computing environment. In: Proceedings POLICY 2003. IEEE 4th international workshop on policies for distributed systems and networks. IEEE, pp 63–74
Kazakov Y, Krötzsch M, Simancik F (2014) The incredible ELK—from polynomial procedures to efficient reasoning with EL ontologies. J Autom Reason 53(1):1–61. https://doi.org/10.1007/s10817-013-9296-3
Lam HP, Hashmi M (2019) Enabling reasoning with LegalRuleML. Theory Practice Logic Program 19(1):1–26
Makinson D, van der Torre L (2003) What is input/output logic?. Springer, Berlin
Microsoft Trust Center (2017) Detailed GDPR Assessment. http://aka.ms/gdprdetailedassessment
Nymity. GDPR Compliance Toolkit. https://www.nymity.com/gdpr-toolkit.aspx
Palmirani M, Governatori G, Rotolo A, Tabet S, Boley H, Paschke A (2011) LegalRuleML: XML-based rules and norms. In: International workshop on rules and rule markup languages for the semantic web. Springer, Berlin, Heidelberg, pp 298–312
Palmirani M, Martoni M, Rossi A, Bartolini C, Robaldo L (2018) PrOnto: privacy ontology for legal reasoning. In: International conference on electronic government and the information systems perspective. Springer, Cham, pp 139–152
Pandit HJ, Fatema K, O’Sullivan D, Lewis D (2018) GDPRtEXT-GDPR as a linked data resource. In: European semantic web conference. Springer, Cham, pp 481–495
Pandit HJ, Polleres A, Bos B, Brennan R, Bruegger BP, Ekaputra FJ, Fernández JD, Hamed RG, Kiesling E, Lizar M, Schlehahn E, Steyskal S, Wenning R (2019) Creating a vocabulary for data privacy—the first-year report of data privacy vocabularies and controls community group (DPVCG). In: OTM, Conferences - Confederated International Conferences: CoopIS. ODBASE, C&TC, p 2019
Pearson S, Casassa-Mont M (2011) Sticky policies: an approach for managing privacy across multiple parties. IEEE Comput 44(9):60–68
Prakken H, Sartor G (2015) Law and logic: a review from an argumentation perspective. Artif Intell. https://doi.org/10.1016/j.artint.2015.06.005
Sergot MJ, Sadri F, Kowalski RA, Kriwaczek F, Hammond P, Cory HT (1986) The British nationality act as a logic program. Commun ACM. https://doi.org/10.1145/5689.5920
Steigmiller A, Liebig T, Glimm B (2014) Konclude: system description. J Web Semant 27–28:78–85. https://doi.org/10.1016/j.websem.2014.06.003
Uszok A, Bradshaw JM, Jeffers R, Suri N, Hayes PJ, Breedy MR, Bunch L, Johnson M, Kulkarni S, Lott J (2003) KAoS policy and domain services: toward a description-logic approach to policy representation, deconfliction, and enforcement. In: Proceedings POLICY 2003. IEEE 4th international workshop on policies for distributed systems and networks. IEEE, pp 93–96
Woo TYC, Lam SS (1993) Authorizations in distributed systems: a new approach. J Comput Secur 2(2–3):107–136. https://doi.org/10.3233/JCS-1993-22-304
Zarri GP (2009) Representation and Management of Narrative Information - Theoretical Principles and Implementation. Springer, Advanced Information and Knowledge Processing. ISBN 978-1-84800-077-3
Acknowledgements
This research is funded by the European Union’s Horizon 2020 research and innovation programme under grant agreement N. 731601. The authors are grateful to all of SPECIAL’s partners; without their contribution this project and its results would not have been possible.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Bonatti, P.A., Kirrane, S., Petrova, I.M. et al. Machine Understandable Policies and GDPR Compliance Checking. Künstl Intell 34, 303–315 (2020). https://doi.org/10.1007/s13218-020-00677-4
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s13218-020-00677-4