Authors:
Paul Ryan
1
;
2
and
Rob Brennan
1
Affiliations:
1
ADAPT Centre, School of Computing, Dublin City University, Glasnevin, Dublin 9, Ireland
;
2
Uniphar PLC, Dublin 24, Ireland
Keyword(s):
Data Protection Officer, RegTech, Register of Processing Activities, Semantic Web.
Abstract:
The creation and maintenance of a Register of Processing Activities (ROPA) are essential to meeting the Accountability Principle of the General Data Protection Regulation (GDPR). We evaluate a semantic model CSM-ROPA to establish the extent to which it can be used to express a regulator provided accountability tracker to facilitate GDPR/ROPA compliance. We show that the ROPA practices of organisations are largely based on manual paper-based templates or non-interoperable systems, leading to inadequate GDPR/ROPA compliance levels. We contrast these current approaches to GDPR/ROPA compliance with best practice for regulatory compliance and identify four critical features of systems to support accountability. We conduct a case study to analyse the extent that CSM-ROPA, can be used as an interoperable, machine-readable mediation layer to express a regulator supplied ROPA accountability tracker. We demonstrate that CSM-ROPA can successfully express 92% of ROPA accountability terms. The ad
dition of connectable vocabularies brings the expressivity to 98%. We identify three terms for addition to the CSM-ROPA to enable full expressivity. The application of CSM-ROPA provides opportunities for demonstrable and validated GDPR compliance. This standardisation would enable the development of automation, and interoperable tools for supported accountability and the demonstration of GDPR compliance.
(More)