ODRL Policy Modelling and Compliance Checking

This paper addresses the problem of constructing a policy pipeline that enables compliance checking of business processes against regulatory obligations. Towards this end, we propose an Open Digital Rights Language (ODRL) profile that can be used to capture the semantics of both business policies, in the form of sets of required permissions, and regulatory requirements, in the form of deontic concepts, and present their translation into Answer Set Programming (via the Institutional Action Language (InstAL)) for compliance checking purposes. The result of the compliance checking is either a positive compliance result or an explanation pertaining to the aspects of the policy that are causing the noncompliance. The pipeline is illustrated using two key fragments of the General Data Protection Regulation, namely Article 6 (Lawfulness of processing) and Article 46 (Transfers subject to appropriate safeguards), together with industrially relevant use cases that involve the specification of the sets of permissions needed to execute business processes. The core contributions of this paper are the ODRL profile, which is capable of modelling regulatory obligations and business policies; the exercise of modelling elements of GDPR in this semantic formalism; the operationalisation of the model to demonstrate its capability to support personal data processing compliance checking; and a basis for explaining why a request is deemed compliant or not.
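The abstract describes a pipeline that represents a business policy as a set of required permissions, represents regulatory requirements as deontic norms, and returns either a compliance verdict or an explanation of what violates which norm. The following Python program is an added illustration of that shape written for this page; it is not the paper's ODRL profile and not its InstAL/Answer Set Programming translation. The `Permission` and `Norm` classes, the constraint keys (`lawful_basis`, `safeguard`, `enforceable_rights`, `adequacy_decision`) and the sample policies are constructed assumptions, and the Article 6 and Article 46 encodings are deliberately simplified subsets of the legal text.

```python
"""Toy compliance checker: ODRL-style permissions against deontic regulatory
norms, producing a verdict plus explanations.

Constructed illustration for this page (not the paper's profile or ASP code).
Assumption: a simplified subset of GDPR Art. 6(1) lawful bases and Art. 46
safeguards is enough to show the checker's structure.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Permission:
    """One permission a business process needs: an assignee performing an
    action on a target, qualified by ODRL-style constraints."""
    assignee: str
    action: str                      # e.g. "process" or "transfer"
    target: str                      # e.g. "personal_data"
    constraints: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class Norm:
    """A deontic norm: for a matching action/target the permission is only
    lawful if `condition` holds on the constraints; `why` is the explanation
    emitted when it does not."""
    name: str
    action: str
    target: str
    condition: Callable[[Dict[str, object]], bool]
    why: str


# Simplified encodings (assumption: subset of GDPR Art. 6(1) and Art. 46(2)).
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interests"}
SAFEGUARDS = {"binding_corporate_rules", "standard_contractual_clauses",
              "approved_code_of_conduct", "approved_certification"}


def art6_lawful(c: Dict[str, object]) -> bool:
    """Processing needs one of the Article 6(1) lawful bases."""
    return c.get("lawful_basis") in LAWFUL_BASES


def art46_safeguarded(c: Dict[str, object]) -> bool:
    """A transfer covered by an adequacy decision is outside Art. 46; otherwise
    an appropriate safeguard and enforceable data subject rights are required."""
    if c.get("adequacy_decision"):
        return True
    return c.get("safeguard") in SAFEGUARDS and bool(c.get("enforceable_rights"))


REGULATION: List[Norm] = [
    Norm("gdpr:Art6", "process", "personal_data", art6_lawful,
         "processing requires one of the Article 6(1) lawful bases"),
    Norm("gdpr:Art46", "transfer", "personal_data", art46_safeguarded,
         "transfer to a third country requires an appropriate safeguard "
         "and enforceable data subject rights"),
]


def check_compliance(policy: List[Permission],
                     regulation: List[Norm] = REGULATION) -> Tuple[bool, List[str]]:
    """Return (compliant, explanations). Every norm applicable to a required
    permission is evaluated; each failure yields one explanation naming the
    norm, the offending permission and the reason, so the caller can see
    exactly which aspect of the policy causes noncompliance."""
    explanations: List[str] = []
    for perm in policy:
        for norm in regulation:
            if (norm.action, norm.target) != (perm.action, perm.target):
                continue  # norm does not govern this action/target pair
            if not norm.condition(perm.constraints):
                explanations.append(
                    f"{norm.name} violated by '{perm.assignee} {perm.action} "
                    f"{perm.target}' with {perm.constraints}: {norm.why}")
    return (not explanations, explanations)


# Constructed sample business policies (assumed values, not from the paper).
COMPLIANT_POLICY = [
    Permission("crm_service", "process", "personal_data",
               {"lawful_basis": "contract"}),
    Permission("crm_service", "transfer", "personal_data",
               {"safeguard": "standard_contractual_clauses",
                "enforceable_rights": True}),
    Permission("analytics", "process", "aggregate_statistics"),  # no norm applies
]
NONCOMPLIANT_POLICY = [
    Permission("marketing", "process", "personal_data",
               {"lawful_basis": "marketing_interest"}),  # not an Art. 6 basis
    Permission("marketing", "transfer", "personal_data",
               {"safeguard": None}),                     # no safeguard at all
]

if __name__ == "__main__":
    for label, policy in (("compliant", COMPLIANT_POLICY),
                          ("noncompliant", NONCOMPLIANT_POLICY)):
        ok, why = check_compliance(policy)
        print(label, "->", "COMPLIANT" if ok else "NONCOMPLIANT")
        for line in why:
            print("  ", line)
```

The checker keeps the two halves of the abstract's pipeline separate: the business policy is only a list of permissions with constraints, and the regulation is only a list of norms, so either side can be swapped without touching the evaluation loop. Explanations are collected rather than short-circuited, which mirrors the abstract's goal of reporting every aspect of the policy that causes noncompliance instead of just the first one.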
