DiálogoP - A Language and a Graphical Tool for Formally Defining GDPR Purposes

Vanezi, Evangelia; Kapitsaki, Georgia M.; Kouzapas, Dimitrios; Philippou, Anna; Papadopoulos, George Α.

doi:10.1007/978-3-030-50316-1_40

Cited by 4 publications

(5 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Torre et al [12] present an artificial intelligence-enabled automation for compliance checking of privacy policies based on a conceptual model that characterizes the privacy requirements from the GDPR. Vanezi et al [13] propose a graphical modeling language for GDPR privacy policies and a methodology for transforming them into formal definitions. Pullonen et al [14] present a multi-level model to be used as an extension of the Business Process Model and Notation to enable the visualization, analysis, and communication of the privacy-policy characteristics of business processes.…”

Section: Related Workmentioning

confidence: 99%

A Model-based Conceptualization of Requirements for Compliance Checking of Data Processing against GDPR

Amaral

Abualhaija

Sabetzadeh

et al. 2021

2021 IEEE 29th International Requirements Engineering Conference Workshops (REW)

View full text Add to dashboard Cite

The General Data Protection Regulation (GDPR) has been recently introduced to harmonize the different data privacy laws across Europe. Whether inside the EU or outside, organizations have to comply with the GDPR as long as they handle personal data of EU residents. The organizations with whom personal data is shared are referred to as data controllers. When controllers subcontract certain services that involve processing personal data to service providers (also known as data processors), then a data processing agreement (DPA) has to be issued. This agreement regulates the relationship between the controllers and processors and also ensures the protection of individuals' personal data. Compliance with the GDPR is challenging for organizations since it is large and relies on complex legal concepts. In this paper, we draw on model-driven engineering to build a machine-analyzable conceptual model that characterizes DPA-related requirements in the GDPR. Further, we create a set of criteria for checking the compliance of a given DPA against the GDPR and discuss how our work in this paper can be adapted to develop an automated compliance checking solution.

show abstract

Section: Related Workmentioning

confidence: 99%

A Model-based Conceptualization of Requirements for Compliance Checking of Data Processing against GDPR

Amaral

Abualhaija

Sabetzadeh

et al. 2021

2021 IEEE 29th International Requirements Engineering Conference Workshops (REW)

View full text Add to dashboard Cite

show abstract

“…A similar method has been applied by Governatori et al [57] to represent legal documents. Many approaches rely on model-driven engineering methods [11], [15], [16], [37], [58]- [60]. Usman et al [38] provide insights into common practices and challenges when checking and analysing regulatory compliance.…”

Section: Related Workmentioning

confidence: 99%

ML-Based Compliance Verification of Data Processing Agreements against GDPR

Amaral,

Abualhaija,

Briand

2023

2023 IEEE 31st International Requirements Engineering Conference (RE)

View full text Add to dashboard Cite

Most current software systems involve processing personal data, an activity that is regulated in Europe by the general data protection regulation (GDPR) through data processing agreements (DPAs). Developing compliant software requires adhering to DPA-related requirements in GDPR. Verifying the compliance of DPAs entirely manually is however time-consuming and error-prone. In this paper, we propose an automation strategy based on machine learning (ML) for checking GDPR compliance in DPAs. Specifically, we create, based on existing work, a comprehensive conceptual model that describes the information types pertinent to DPA compliance. We then develop an automated approach that detects breaches of compliance by predicting the presence of these information types in DPAs. On an evaluation set of 30 real DPAs, our approach detects 483 out of 582 genuine violations while introducing 93 false violations, achieving thereby a precision of 83.9% and recall of 83.0%. We empirically compare our approach against an existing approach which does not employ ML but relies on manually-defined rules. Our results indicate that the two approaches perform on par. Therefore, to select the right solution in a given context, we discuss differentiating factors like the availability of annotated data and legal experts, and adaptation to regulation changes.

show abstract

“…Vanezi et al [58] propose a graphical modeling language for GDPR privacy policies and a methodology for transforming such graphically-defined privacy policies into formal definitions. This work focuses on one (namely, PROCESSING PURPOSES) out of the 56 metadata types we consider in our work.…”

Section: Elicitation Of Privacy-related Requirementsmentioning

confidence: 99%

“…These existing works address a rather small subset of the privacy-policy metadata types considered in this article. In addition, excluding [58], all of the abovementioned papers focus on providing guidelines that are not strictly based on GDPR. In contrast, we systematically identify the requirements that, according to GDPR, must be met by privacy policies for completeness.…”

Section: Elicitation Of Privacy-related Requirementsmentioning

confidence: 99%

AI-enabled Automation for Completeness Checking of Privacy Policies

Amaral¹,

Abualhaija²,

Torre³

et al. 2021

Preprint

View full text Add to dashboard Cite

Technological advances in information sharing have raised concerns about data protection. Privacy policies contain privacy-related requirements about how the personal data of individuals will be handled by an organization or a software system (e.g., a web service or an app). In Europe, privacy policies are subject to compliance with the General Data Protection Regulation (GDPR). A prerequisite for GDPR compliance checking is to verify whether the content of a privacy policy is complete according to the provisions of GDPR. Incomplete privacy policies might result in large fines on violating organization as well as incomplete privacy-related software specifications. Manual completeness checking is both time-consuming and error-prone. In this paper, we propose AI-based automation for the completeness checking of privacy policies. Through systematic qualitative methods, we first build two artifacts to characterize the privacy-related provisions of GDPR, namely a conceptual model and a set of completeness criteria. Then, we develop an automated solution on top of these artifacts by leveraging a combination of natural language processing and supervised machine learning. Specifically, we identify the GDPR-relevant information content in privacy policies and subsequently check them against the completeness criteria. To evaluate our approach, we collected 234 real privacy policies from the fund industry. Over a set of 48 unseen privacy policies, our approach detected 300 of the total of 334 violations of some completeness criteria correctly, while producing 23 false positives. The approach thus has a precision of 92.9% and recall of 89.8%. Compared to a baseline that applies keyword search only, our approach results in an improvement of 24.5% in precision and 38% in recall.

show abstract

DiálogoP - A Language and a Graphical Tool for Formally Defining GDPR Purposes

Cited by 4 publications

References 10 publications

A Model-based Conceptualization of Requirements for Compliance Checking of Data Processing against GDPR

A Model-based Conceptualization of Requirements for Compliance Checking of Data Processing against GDPR

ML-Based Compliance Verification of Data Processing Agreements against GDPR

AI-enabled Automation for Completeness Checking of Privacy Policies

Contact Info

Product

Resources

About