1. Introduction

The new EU General Data Protection Regulation (GDPR) comprises more than 80 pages of legal text in 99 articles. These articles are heavily interconnected: for instance, the obligation to provide information to data subjects in a transparent form, defined in Article 12 para 1 [1], cannot be checked in isolation, because it refers to the obligations defined in Articles 13, 14, 15 to 22 and 34. Articles therefore cannot be analysed on their own when ascertaining the level of compliance. In total, approximately 350 such interconnections are defined; figure 1 shows a graph of all of them. Considering the applicable obligations together with all of their interconnections makes compliance checking difficult and time-consuming. Many human-readable reports have been prepared that give a high-level list of requirements for the compliance-checking process; however, to the best of our knowledge no tool exists that filters out the applicable obligations from the interconnected mesh of the 99 articles of the GDPR. A software-based tool can process all of these interdependencies and dynamically filter out the applicable obligations, which eases both understanding the obligations and checking compliance. One of the primary objectives of our work is therefore to translate the regulation's knowledge base (the obligations defined in the articles) into machine-readable rules, so that software tools can assist the compliance-checking process. The rest of this paper is structured as follows: in section 2 we discuss the basic modelling of controller and processor obligations. In section 3 we translate the model into a machine-readable form by extending the ODRL ontology. In section 4 we discuss related work that uses the ODRL ontology, and in section 5 we present our conclusions and discuss future work.
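The introduction's central claim, that an obligation cannot be checked without following its cross-references, is easy to make concrete. The following is an added example and not the paper's tool or model: it encodes obligations in a small machine-readable shape (an obligation id, the role it binds, and the articles it refers to) and resolves the articles that must be consulted by walking the references transitively. The only edges populated are the ones the page itself states for Art. 12 para. 1 (references to Articles 13, 14, 15 to 22 and 34, binding the controller); the identifiers `Art.12(1)`, the `RULES` dictionary and the function names are assumptions for illustration, and the full graph of roughly 350 interconnections would be loaded in the same shape from a separate file.

```python
"""Dependency resolution over GDPR article cross-references.

Added example, not the paper's tool. Obligations are kept in a machine-readable
dictionary; `required_articles` follows references transitively so that an
obligation is never checked in isolation, and `applicable_obligations` filters
the rule base by the role an obligation binds (controller or processor).
"""
from collections import deque

# Constructed rule base. Only Art. 12 para. 1 is populated, using the references
# the paper states for it; the addressee comes from the quoted text
# ("The controller shall ..."). The identifiers are assumptions for illustration.
RULES = {
    "Art.12(1)": {
        "addressee": "controller",
        "refers_to": ["Art.13", "Art.14"]
        + [f"Art.{n}" for n in range(15, 23)]   # Articles 15 to 22
        + ["Art.34"],
    },
}


def references_of(rule_id, rules=RULES):
    """Outgoing references of a rule; articles without an entry reference nothing."""
    return rules.get(rule_id, {}).get("refers_to", [])


def required_articles(start, rules=RULES):
    """Return the set of articles that must be consulted to check `start`.

    References are followed transitively (breadth-first). The `seen` set makes
    the walk terminate on cyclic cross-references, which real legal texts have.
    """
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for ref in references_of(node, rules):
            if ref not in seen:
                seen.add(ref)
                queue.append(ref)
    seen.discard(start)          # an obligation does not depend on itself
    return seen


def reverse_index(rules=RULES):
    """Map each referenced article to the obligations that depend on it.

    This answers the inverse question: if one article changes or is found
    non-compliant, which obligations are affected?
    """
    index = {}
    for rule_id, rule in rules.items():
        for ref in rule["refers_to"]:
            index.setdefault(ref, set()).add(rule_id)
    return index


def applicable_obligations(role, rules=RULES):
    """Filter the obligations that bind a given role, sorted for stable output."""
    return sorted(r for r, spec in rules.items() if spec["addressee"] == role)


if __name__ == "__main__":
    print("To check Art.12(1) also review:", sorted(required_articles("Art.12(1)")))
    print("Obligations depending on Art.34:", reverse_index()["Art.34"])
    print("Controller obligations:", applicable_obligations("controller"))
    print("Processor obligations:", applicable_obligations("processor"))
```

With only the page's edges loaded, checking Art. 12 para. 1 already pulls in eleven further articles; once the remaining interconnections are loaded in the same `{id: {"addressee": ..., "refers_to": [...]}}` shape, the same traversal returns the transitive set without any change to the code, and the reverse index shows which obligations a single article feeds into.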
2. Modelling the obligations

3. Translating the model into a machine-readable format

4. Related Work

5. Conclusions and Future Work
[1] Art. 12 para. 1: «The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language»