Test-driven approach for GDPR Compliance
An organisation using personal data should document its data governance processes to maintain and demonstrate compliance with the General Data Protection Regulation (GDPR). As processes evolve, their documentation should reflect these changes with an assessment showing ongoing compliance. Through this project, we show how semantic representations of processes are useful towards maintaining ongoing GDPR compliance by using a test-driven approach that generates and checks constraints for adherence to GDPR requirements. We first check whether all required information has been documented, and then whether it is compliant. We prototype our testing approach using a real-world website’s consent mechanism for GDPR compliance, and persist results towards generating documentation. We use previously-published ontologies to represent processes (GDPRov), consent (GConsent), and GDPR (GDPRtEXT), with SHACL used to test requirement constraints.
view paper
Accepted for publication at SEMANTiCS 2019.
Read more about:
- overview of approach
- creation of data graph from quantcast.com website
- creating constraints from requirements for given consent
- validating constraints using SHACL
- generating reports using SPARQL queries
- example report and documentation
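The two-phase check described in the abstract (first test that everything a requirement needs is documented, then test that what is documented is compliant) and the persisting of results for reporting, as an added illustration that is not the paper's code or data. It uses plain Python over an in-memory set of triples in place of the RDF data graph and SHACL shapes the project uses; the `ex:` namespace, the property names, the three consent records and the two processes are constructed for this example and are not GConsent or GDPRov identifiers.

```python
from datetime import datetime

EX = "https://example.org/ns#"  # constructed namespace for this example only
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"


def ex(name):
    return EX + name


# Constructed data graph: (subject, predicate, object) triples standing in for
# the GConsent/GDPRov graph the project builds from a website's consent dialog.
DATA = {
    # consent1: fully documented, and the process relying on it is compliant
    (ex("consent1"), RDF_TYPE, ex("Consent")),
    (ex("consent1"), ex("providedBy"), ex("alice")),
    (ex("consent1"), ex("forPurpose"), ex("analytics")),
    (ex("consent1"), ex("forPersonalData"), ex("cookieId")),
    (ex("consent1"), ex("hasStatus"), ex("ExplicitlyGiven")),
    (ex("consent1"), ex("givenAt"), "2019-05-01T10:00:00"),
    (ex("consent1"), ex("hasMedium"), ex("consentDialog")),
    (ex("process1"), ex("reliesOn"), ex("consent1")),
    (ex("process1"), ex("forPurpose"), ex("analytics")),
    (ex("process1"), ex("startedAt"), "2019-05-01T10:05:00"),
    # consent2: the medium through which consent was obtained is not documented,
    # so the compliance phase cannot even be evaluated for it
    (ex("consent2"), RDF_TYPE, ex("Consent")),
    (ex("consent2"), ex("providedBy"), ex("bob")),
    (ex("consent2"), ex("forPurpose"), ex("advertising")),
    (ex("consent2"), ex("forPersonalData"), ex("cookieId")),
    (ex("consent2"), ex("hasStatus"), ex("NotGiven")),
    (ex("consent2"), ex("givenAt"), "2019-05-02T12:00:00"),
    # consent3: fully documented, but a process relies on it before it was
    # given and for a purpose the consent does not cover
    (ex("consent3"), RDF_TYPE, ex("Consent")),
    (ex("consent3"), ex("providedBy"), ex("carol")),
    (ex("consent3"), ex("forPurpose"), ex("analytics")),
    (ex("consent3"), ex("forPersonalData"), ex("cookieId")),
    (ex("consent3"), ex("hasStatus"), ex("ExplicitlyGiven")),
    (ex("consent3"), ex("givenAt"), "2019-05-03T08:00:00"),
    (ex("consent3"), ex("hasMedium"), ex("consentDialog")),
    (ex("process2"), ex("reliesOn"), ex("consent3")),
    (ex("process2"), ex("forPurpose"), ex("advertising")),
    (ex("process2"), ex("startedAt"), "2019-05-02T09:00:00"),
}

# Fields a consent record must document before its compliance can be judged.
REQUIRED = ("providedBy", "forPurpose", "forPersonalData",
            "hasStatus", "givenAt", "hasMedium")


def objects(graph, s, p):
    return {o for (s2, p2, o) in graph if s2 == s and p2 == p}


def subjects(graph, p, o):
    return {s for (s, p2, o2) in graph if p2 == p and o2 == o}


def local(iri):
    return iri.rsplit("#", 1)[-1]


def check_documented(graph, consent):
    """Phase 1: is every field the requirements refer to actually recorded?"""
    return {f"documented-{f}": bool(objects(graph, consent, ex(f))) for f in REQUIRED}


def check_compliant(graph, consent):
    """Phase 2: do the recorded values satisfy the requirements? Only meaningful
    once phase 1 has passed, since it reads the fields phase 1 checks for."""
    results = {"status-is-explicitly-given":
               objects(graph, consent, ex("hasStatus")) == {ex("ExplicitlyGiven")}}
    given_at = min(datetime.fromisoformat(t) for t in objects(graph, consent, ex("givenAt")))
    purposes = objects(graph, consent, ex("forPurpose"))
    for proc in sorted(subjects(graph, ex("reliesOn"), consent)):
        started = min(datetime.fromisoformat(t) for t in objects(graph, proc, ex("startedAt")))
        results[f"{local(proc)}-starts-after-consent"] = given_at <= started
        results[f"{local(proc)}-purpose-covered"] = objects(graph, proc, ex("forPurpose")) <= purposes
    return results


def run_tests(graph):
    """Run both phases over every consent record and persist each outcome back
    into the graph as ex:passedTest / ex:failedTest triples, so that the graph
    itself carries the evidence a report or documentation is generated from."""
    report = {}
    for consent in sorted(subjects(graph, RDF_TYPE, ex("Consent"))):
        documented = check_documented(graph, consent)
        compliant = check_compliant(graph, consent) if all(documented.values()) else None
        outcomes = {**documented, **(compliant or {})}
        for name, ok in outcomes.items():
            graph.add((consent, ex("passedTest" if ok else "failedTest"), ex(name)))
        report[local(consent)] = {
            "documented": all(documented.values()),
            "compliant": None if compliant is None else all(compliant.values()),
            "failed": sorted(n for n, ok in outcomes.items() if not ok),
        }
    return report


if __name__ == "__main__":
    graph = set(DATA)
    for consent, outcome in run_tests(graph).items():
        print(consent, outcome)
```

Keeping the compliance phase conditional on the documentation phase is the point of the ordering: a consent record with a missing field reports "not documented" rather than a misleading compliance failure, and the persisted `failedTest` triples name exactly which requirement to fix. In the project itself these two phases are SHACL shapes run over the data graph, with SPARQL queries over the stored validation results producing the report.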
The Irish DPC opened a statutory inquiry into Quantcast on 02-MAY-2019.
Resources
- data graph
- combined data graph (data + ontologies + test results + inference using HermiT)
- combined data graph (data + ontologies)
- consent
- given-consent
- processes
- steps
- third-parties
- rights
- personal-data
- manual test data
- constraints & results
- bash script