A Model-based Conceptualization of Requirements for Compliance Checking of Data Processing against GDPR

Amaral, Orlando; Abualhaija, Sallam; Sabetzadeh, Mehrdad; Briand, Lionel C.

doi:10.1109/rew53955.2021.00009

Cited by 9 publications

(26 citation statements)

References 12 publications

(8 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The case studies were as follows. ( 1) ALMI [17]: a system assisting elderly and disabled users in a monitoring or advisory role and with physical tasks; (2) ASPEN [10]: an autonomous agent dedicated to forest protection, providing both diagnosis and treatment of various tree pests and diseases; (3) AutoCar [3]: a system that implements emergency-vehicle priority awareness for autonomous vehicles; (4) BSN [15]: a healthcare system detecting emergencies by continuously monitoring the patient's health status; (5) Dres-sAssist [20,36]: an assistive and supportive system used to dress and provide basic care for the elderly, children, and those with disabilities; (6) CSI-Cobot [35]: a system ensuring the safe integration of industrial collaborative robot manipulators; (7) DAISY [8]: a sociotechnical AI-supported system that directs patients through an A&E triage pathway; (8) DPA [1]: a system to check the compliance of data processing agreements against the General Data Protection Regulation; (9) SafeSCAD [7]: a driver attentiveness management system to support safe shared control of autonomous vehicles. Case studies were chosen (i) to test whether our approach scales with case studies involving complex N-NFRs with numerous defeaters and time constraints (AutoCar, DAISY, DressAssist); (ii) to examine the benefits of our approach on early-stage case studies (e.g., ASPEN and AutoCar), as compared to those at a more advanced stage (e.g., ALMI, DPA, BSN); (iii) to compare case studies involving many stakeholders (DressAssist, and DAISY) with those having fewer ones (DPA and AutoCar), and (iv) to consider different domains including the environment, healthcare, and transport.…”

Section: Discussionmentioning

confidence: 99%

“…The rule 𝑟 1 is situational conflicting in the situation (𝜎 1 , *) where 𝜎 1 = (𝑟 1 , 𝑟 2 , 𝑟 3 , 𝑟 4 , M 1 , 1) because, according to 𝑟 1 and 𝑟 2 , 𝑒 2 must occur within the interval (4,5]. Additionally, based on 𝑟 3 and 𝑟 4 , the event 𝑒 3 must occur at a time 𝑡 ∈ (1,3]. For all possible values of 𝑡, according to 𝑟 2 , 𝑒 2 cannot occur within the interval (𝑡, 𝑡 + 4], which covers the interval (4, 5] and thus conflicts with 𝑟 1 .…”

Section: Discussionmentioning

confidence: 99%

“…𝑟 5 is normalized as "when OpenCurtainRequest and not underDressed then OpenCurtain within 30 minutes". 1 A translation from SLEEC DSL to the normalized form is provided in Appendix A and implemented in LEGOS-SLEEC.…”

Section: Normalized Representation Of Sleec Dslmentioning

confidence: 99%

See 2 more Smart Citations

Analyzing and Debugging Normative Requirements via Satisfiability Checking

Feng,

Marsso,

Getir Yaman

et al. 2024

Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

View full text Add to dashboard Cite

As software systems increasingly interact with humans in application domains such as transportation and healthcare, they raise concerns related to the social, legal, ethical, empathetic, and cultural (SLEEC) norms and values of their stakeholders. Normative non-functional requirements (N-NFRs) are used to capture these concerns by setting SLEEC-relevant boundaries for system behavior. Since N-NFRs need to be specified by multiple stakeholders with widely different, non-technical expertise (ethicists, lawyers, regulators, end users, etc.), N-NFR elicitation is very challenging. To address this difficult task, we introduce N-Check, a novel toolsupported formal approach to N-NFR analysis and debugging. N-Check employs satisfiability checking to identify a broad spectrum of N-NFR well-formedness issues, such as conflicts, redundancy, restrictiveness, and insufficiency, yielding diagnostics that pinpoint their causes in a user-friendly way that enables non-technical stakeholders to understand and fix them. We show the effectiveness and

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Analyzing and Debugging Normative Requirements via Satisfiability Checking

Feng,

Marsso,

Getir Yaman

et al. 2024

Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

View full text Add to dashboard Cite

show abstract

“…For instance, software must include stronger authentication mechanisms to ensure data protection. In a recent paper, Amaral et al [29] propose eliciting DPA-related requirements from GDPR and documenting them in NL as "shall" requirements. The authors further develop a rule-based automation (referred to as DERECHA) that verifies whether DPAs satisfy GDPR requirements based on the semantics of the DPAs' textual content.…”

Section: Introductionmentioning

confidence: 99%

“…(1) We create, building on existing work in RE [29], [37], a holistic representation of DPA-related GDPR requirements in the form of a conceptual model that contains a total of 63 information types capturing any content to be expected in a GDPR-compliant DPA. We describe our model in Section IV.…”

Section: Introductionmentioning

confidence: 99%

ML-Based Compliance Verification of Data Processing Agreements against GDPR

Amaral,

Abualhaija,

Briand

2023

2023 IEEE 31st International Requirements Engineering Conference (RE)

Self Cite

View full text Add to dashboard Cite

Most current software systems involve processing personal data, an activity that is regulated in Europe by the general data protection regulation (GDPR) through data processing agreements (DPAs). Developing compliant software requires adhering to DPA-related requirements in GDPR. Verifying the compliance of DPAs entirely manually is however time-consuming and error-prone. In this paper, we propose an automation strategy based on machine learning (ML) for checking GDPR compliance in DPAs. Specifically, we create, based on existing work, a comprehensive conceptual model that describes the information types pertinent to DPA compliance. We then develop an automated approach that detects breaches of compliance by predicting the presence of these information types in DPAs. On an evaluation set of 30 real DPAs, our approach detects 483 out of 582 genuine violations while introducing 93 false violations, achieving thereby a precision of 83.9% and recall of 83.0%. We empirically compare our approach against an existing approach which does not employ ML but relies on manually-defined rules. Our results indicate that the two approaches perform on par. Therefore, to select the right solution in a given context, we discuss differentiating factors like the availability of annotated data and legal experts, and adaptation to regulation changes.

show abstract

A Multi-solution Study on GDPR AI-enabled Completeness Checking of DPAs

Azeem,

Abualhaija

2024

Empir Software Eng

View full text Add to dashboard Cite

Specifying legal requirements for software systems to ensure their compliance with the applicable regulations is a major concern of requirements engineering. Personal data which is collected by an organization is often shared with other organizations to perform certain processing activities. In such cases, the General Data Protection Regulation (GDPR) requires issuing a data processing agreement (DPA) which regulates the processing and further ensures that personal data remains protected. Violating GDPR can lead to huge fines reaching to billions of Euros. Software systems involving personal data processing must adhere to the legal obligations stipulated both at a general level in GDPR as well as the obligations outlined in DPAs highlighting specific business. In other words, a DPA is yet another source from which requirements engineers can elicit legal requirements. However, the DPA must be complete according to GDPR to ensure that the elicited requirements cover the complete set of obligations. Therefore, checking the completeness of DPAs is a prerequisite step towards developing a compliant system. Analyzing DPAs with respect to GDPR entirely manually is time consuming and requires adequate legal expertise. In this paper, we propose an automation strategy that addresses the completeness checking of DPAs against GDPR provisions as a text classification problem. Specifically, we pursue ten alternative solutions which are enabled by different technologies, namely traditional machine learning, deep learning, language modeling, and few-shot learning. The goal of our work is to empirically examine how these different technologies fare in the legal domain. We computed F$$_2$$ 2 score on a set of 30 real DPAs. Our evaluation shows that best-performing solutions yield F$$_2$$ 2 score of 86.7% and 89.7% are based on pre-trained BERT and RoBERTa language models. Our analysis further shows that other alternative solutions based on deep learning (e.g., BiLSTM) and few-shot learning (e.g., SetFit) can achieve comparable accuracy, yet are more efficient to develop.

show abstract

A Model-based Conceptualization of Requirements for Compliance Checking of Data Processing against GDPR

Cited by 9 publications

References 12 publications

Analyzing and Debugging Normative Requirements via Satisfiability Checking

Analyzing and Debugging Normative Requirements via Satisfiability Checking

ML-Based Compliance Verification of Data Processing Agreements against GDPR

A Multi-solution Study on GDPR AI-enabled Completeness Checking of DPAs

Contact Info

Product

Resources

About