Legal Compliance by Design (LCbD) and through Design (LCtD): Preliminary Survey

The purpose of this paper is twofold: (i) carrying out a preliminary survey of the literature and research projects on Compliance by Design (CbD); and (ii) clarifying the double process of (a) extending business management techniques to other regulatory fields, and (b) converging trends in legal theory, legal technology and Artificial Intelligence. The paper highlights the connections and differences we found across different domains and proposals. We distinguish three different policy-driven types of CbD: (i) business, (ii) regulatory, and (iii) legal. The recent deployment of ethical views, and the implementation of general principles of privacy and data protection, lead to the conclusion that, in order to appropriately define legal compliance, Compliance through Design (CtD) should be differentiated from CbD.
