Analysis of ontologies and policy languages to represent information flows in GDPR

Esteves, Beatriz; Rodrı́guez-Doncel, Victor

doi:10.3233/sw-223009

Cited by 14 publications

(19 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Of these, DPV was the most suitable choice to extend given that it is: (a) most comprehensive; (b) open access; (c) has a mechanism for updating through DPVCG. This finding is backed by a recent survey by Esteves et al [15] regarding modelling of GDPR related information flows that also included DPIA as a factor in investigation, with favourable reviews for DPV, though it found no suitably complete vocabulary for DPIAs.…”

Section: Models For Dpias and Risk Assessmentsmentioning

confidence: 96%

A Semantic Specification for Data Protection Impact Assessments (DPIA)

Pandit

2022

Towards a Knowledge-Aware AI

View full text Add to dashboard Cite

The GDPR requires assessing and conducting a Data Protection Impact Assessment (DPIA) for processing of personal data that may result in high risk and impact to the data subjects. Documenting this process requires information about processing activities, entities and their roles, risks, mitigations and resulting impacts, and consultations. Impact assessments are complex activities where stakeholders face difficulties to identify relevant risks and mitigations, especially for emerging technologies and specific considerations in their use-cases, and to document outcomes in a consistent and reusable manner. We address this challenge by utilising linked-data to represent DPIA related information so that it can be better managed and shared in an interoperable manner. For this, we consulted the guidance documents produced by EU Data Protection Authorities (DPA) regarding DPIA and by ENISA regarding risk management. The outcome of our efforts is an extension to the Data Privacy Vocabulary (DPV) for documenting DPIAs and an ontology for risk management based on ISO 31000 family of standards. Our contributions fill an important gap within the state of the art, and paves the way for shared impact assessments with future regulations such as for AI and Cybersecurity.

show abstract

Section: Models For Dpias and Risk Assessmentsmentioning

confidence: 96%

A Semantic Specification for Data Protection Impact Assessments (DPIA)

Pandit

2022

Towards a Knowledge-Aware AI

View full text Add to dashboard Cite

show abstract

“…It also defines an information structure providing all or some of this information to the data subject in the form of a consent receipt. To support implementations, Annex A provides examples of consent records and receipts using DPV, and Annex B provides an overview of the different states or stages in 'consent lifecycle' -which is based on DPV's consent states [14,12] and analysis of existing approaches [8,2].…”

Section: Overview Of Iso/iec Ts 27560:2023mentioning

confidence: 99%

Implementing ISO/IEC TS 27560:2023 Consent Records and Receipts for GDPR and DGA

Pandit,

Lindquist,

Krog

2024

Preprint

View full text Add to dashboard Cite

The ISO/IEC TS 27560:2023 Privacy technologies — Consent record information structure provides guidance for the creation and maintenance of records regarding consent as machine-readable information. It also provides guidance on the use of this information to exchange such records between entities in the form of 'receipts'. In this article, we compare requirements regarding consent between ISO/IEC TS 27560:2023, ISO/IEC 29184:2020 Privacy Notices, and the EU's General Data Protection Regulation (GDPR) to show how these standards can be used to support GDPR compliance. We then use the Data Privacy Vocabulary (DPV) to implement ISO/IEC TS 27560:2023 and create interoperable consent records and receipts. We also discuss how this work benefits the the implementation of EU Data Governance Act (DGA), specifically for machine-readable consent forms.

show abstract

“…After the researcher completes and publishes a participation request, TIDAL structures the request form as a RDF turtle file and represents it as a digital consent using Data Privacy Vocabulary (DPV-V0.7) and Schema.org vocabulary. Several ontologies and vocabularies that use semantic technology to implement and manage consent for data privacy and protection purpose have been studied by [18,32]. Given the legal focus of TIDAL, we applied the DPV which specifically captures the relevant concepts of data processing in relation to EU GDPR.…”

Section: Researcher Publishes Participation Requestmentioning

confidence: 99%

ciTIzen-centric DAta pLatform (TIDAL): Sharing distributed personal data in a privacy-preserving manner for health research

Sun

Ocaña

Soest

et al. 2023

View full text Add to dashboard Cite

Developing personal data sharing tools and standards in conformity with data protection regulations is essential to empower citizens to control and share their health data with authorized parties for any purpose they approve. This can be, among others, for primary use in healthcare, or secondary use for research to improve human health and well-being. Ensuring that citizens are able to make fine-grained decisions about how their personal health data can be used and shared will significantly encourage citizens to participate in more health-related research. In this paper, we propose a ciTIzen-centric DatA pLatform (TIDAL) to give individuals ownership of their own data, and connect them with researchers to donate the use of their personal data for research while being in control of the entire data life cycle, including data access, storage and analysis. We recognize that most existing technologies focus on one particular aspect such as personal data storage, or suffer from executing data analysis over a large number of participants, or face challenges of low data quality and insufficient data interoperability. To address these challenges, the TIDAL platform integrates a set of components for requesting subsets of RDF (Resource Description Framework) data stored in personal data vaults based on SOcial LInked Data (Solid) technology and analyzing them in a privacy-preserving manner. We demonstrate the feasibility and efficiency of the TIDAL platform by conducting a set of simulation experiments using three different pod providers (Inrupt, Solidcommunity, Self-hosted Server). On each pod provider, we evaluated the performance of TIDAL by querying and analyzing personal health data with varying scales of participants and configurations. The reasonable total time consumption and a linear correlation between the number of pods and variables on all pod providers show the feasibility and potential to implement and use the TIDAL platform in practice. TIDAL facilitates individuals to access their personal data in a fine-grained manner and to make their own decision on their data. Researchers are able to reach out to individuals and send them digital consent directly for using personal data for health-related research. TIDAL can play an important role to connect citizens, researchers, and data organizations to increase the trust placed by citizens in the processing of personal data.

show abstract

Analysis of ontologies and policy languages to represent information flows in GDPR

Cited by 14 publications

References 48 publications

A Semantic Specification for Data Protection Impact Assessments (DPIA)

A Semantic Specification for Data Protection Impact Assessments (DPIA)

Implementing ISO/IEC TS 27560:2023 Consent Records and Receipts for GDPR and DGA

ciTIzen-centric DAta pLatform (TIDAL): Sharing distributed personal data in a privacy-preserving manner for health research

Contact Info

Product

Resources

About