The SPECIAL-K Personal Data Processing Transparency and Compliance Platform

The European General Data Protection Regulation (GDPR) brings new challenges for companies, which must provide transparency with respect to personal data processing and sharing within and between organisations. Additionally, companies need to demonstrate that their systems and business processes comply with usage constraints specified by data subjects. This paper first presents the Linked Data ontologies and vocabularies developed within the SPECIAL EU H2020 project, which can be used to represent data usage policies and data processing and sharing events, including the consent provided by the data subject and subsequent changes to or revocation of said consent. Following on from this, we propose a concrete transparency and compliance architecture, referred to as SPECIAL-K, that can automatically verify that data processing and sharing complies with the relevant usage control policies. Our evaluation, based on a new transparency and compliance benchmark, shows the efficiency and scalability of the system with an increasing number of events and users, covering a wide range of real-world streaming and batch processing scenarios.
