Conclusion

The heterogeneity of the data sources that describe an organisation's data processing activities poses a significant challenge when completing a ROPA. Our research set out to determine the extent to which the DPCat specification, an interoperable and machine-readable data processing catalog based on DCAT-AP and DPV, can overcome this source heterogeneity and so ease the compilation of a ROPA.

We have shown that the DPCat specification brings more automation to the practical use case of maintaining a distributed ROPA and thereby strengthens regulatory compliance. DPAs, which already struggle with scarce funding and resources [52], stand to benefit from DPCat because it can reduce the investigative burden that effective enforcement requires. To meet our first research objective (RO1), identifying the information needed to represent a ROPA, we reviewed 17 ROPA templates from 31 DPAs. Our analysis identified 47 unique GDPR concepts, with templates requiring a minimum of 18 and a maximum of 32 of them. Over the past 3 years the DPV has been extended to express these concepts; currently 44 of the 47 can be expressed exactly and 1 partially. The remaining two concepts are under consideration with the DPVCG.

For the second research objective (RO2) we proposed the Data Processing Catalog (DPCat) specification, which helps manage and maintain data drawn from heterogeneous sources within and across organisations in order to represent ROPA-related information. Its application to the EDPS ROPA shows how DPCat serves as a machine-readable solution that overcomes the traditional limitations of data kept in documents or in proprietary systems that lack machine readability and interoperability.

The EDPS application also demonstrates how DPCat lets data controllers and processors describe processing activities with a standardised model and vocabulary, thereby supporting aggregation, querying, validation and export across heterogeneous sources (RO3). We use SHACL to ensure correctness and SPARQL to query and export the information required by GDPR articles and DPA templates. Through this we established a data quality governance process for the ROPA that reconciles inputs from different sources and generates dynamic documents accommodating the differences in regulatory approach between DPAs.

Beyond answering the research questions, we explored the potential real-world impact through use cases, applications, discussion and the identification of concrete future directions, so that implementing our work yields practical benefit. Furthermore, because DPCat is an interoperable, machine-readable record of an organisation's personal data processing activities, it opens avenues for future research such as generating privacy notices and DPIAs, automating vendor due-diligence checks, and assessing international transfer compliance on the basis of a common information model. Although DPCat's approach is grounded in the GDPR, it also serves the documentation requirements and compliance obligations of other laws, such as the California Consumer Privacy Act (CCPA) [24].

Funding: This research received funding from Uniphar PLC and the ADAPT Centre for Digital Content Technology, which is funded under the SFI Research Centres Programme (Grant 13/RC/2106_P2) and co-funded by the European Regional Development Fund. Harshvardhan J. Pandit is funded by the Irish Research Council Government of Ireland Postdoctoral Fellowship #GOIPD/2020/790.

Data Availability Statement: All resources presented in this work are available at https://w3id.org/dpcat/repo, including the DPCat specification, the CSM-ROPA results, code and data.

CSM-ROPA: Analysis of ROPA requirements in GDPR and DPA templates

The following table summarises the comparison of information fields across the GDPR and the DPA templates. The column "GDPR" gives the relevant article, and "A.30" indicates whether the field is mandatory in a ROPA under GDPR Article 30. DPAs are identified by the ISO Alpha-2 code of their country.

Analysis of ROPA requirements in GDPR and DPA templates.
GDPR Field A.30 BE GR GB PL CY FR PT DE DK LU FI CZ HR IT LT SI SK
5 Personal Data Location × × × × × × × × × × × × × × × × ×
5.1 Data Sources × × × × × × × × × × × × × ×
6.1 Legal basis ×
6.1 Record of consent × × × × × × × × × × × × × × × ×
9.1 Special Personal Data Category × × × × × × × × × × × × × ×
9.1 Vulnerable Data Subject Category × × × × × × × × × × × × × × × ×
22.1 Automated decision making, profiling × × × × × × × × × × × × × × × ×
26.1 Joint Controller agreement × × × × × × × × × × × × × × × ×
28 Data Processors × × × × × × × × × × × × × × × × ×
28.3 Data Processing Contract × × × × × × × × × × ×
30.1 Processing Status × × × × × × × × × × × × × ×
32 Tech/Org measures implementation × × × × × × × × × × × × × × × × ×
32 Security measures × × × × × × × × × × × × × × × × ×
32 Technologies used × × × × × × × × × × × × × × × × ×
33.5 Data Breach × × × × × × × × × × × × × × × ×
35 Risk assessment and mitigation × × × × × × × × × × × × × × × × ×
35 Relevant DPIA × × × × × × × × × × × × × × × ×
35 DPIA Results × × × × × × × × × × × × ×
36.1 Impact Assessment, Prior Consultation × × × × × × × × × × × × × × × ×
37.6 External DPO organisation × × × × × × × × × × × × × × × × ×
× Business Process × × × × × × × × × × ×
× Owner of Process × × × × × × × × × × × × ×
× Type of Processing × × × × × × × × × × × × × × × ×
13, 14, 15 Data Subject Rights × × × × × × × × × × × × × ×
28, 30.1(c) Third Party Data Transfer × × × × × × × × × × × × × × ×
30.1(a) Data Protection Officer Contact
30.1(a) Representative
30.1(a) Representative Contact
30.1(a) Joint Controller Name
30.1(a) Joint Controller contact
30.1(b) Purposes of processing
30.1(b) Main/Auxiliary Processing × × × × × × × × × × × × × × × × ×
30.1(c) Personal Data Categories
30.1(c) Data Subject Categories
30.1(d) Recipient Categories
30.1(e) Third Countries in Data Transfer
30.1(e) Appropriate Safeguards
30.1(f) Retention/Deletion Periods ×
30.1(g) Tech/Org measures
30(1)(a) Data Controller Contact
30(1)(a) Data Protection Officer
30(1)(a) Data Protection Officer Contact
44–47 Nature of Transfer ×
6.1(f) Legitimate interests × × × × × × × × × × × × × × × ×
6.1(f) Legitimate interests assessment × × × × × × × × × × × × × × × × ×
6, 14, 30.1(b) Data Combination × × × × × × × × × × × × × × × × ×
Nos. Fields 16 32 31 29 25 23 23 23 22 21 21 19 18 18 18 18 18 17

CSM-ROPA: Mapping to DPV concepts

The following table summarises the mapping between CSM-ROPA fields and DPV concepts. The column "GDPR" gives the relevant clause of the GDPR, "DPV" the concept in DPV used to represent the field's information, and "Map." the mapping result: E denotes an exact mapping, i.e. the concept exists in DPV and can be used as is; Pt denotes a partial mapping, i.e. the concept does not exist as such but another concept is similar in context; S denotes that the concept does not exist and has been suggested for inclusion. The columns "DC" and "DP" give the necessity of the field for data controllers and data processors respectively: M denotes mandatory, i.e. a minimum ROPA requirement under Article 30 or a DPCat functional requirement; C denotes conditional, i.e. a minimum ROPA requirement under Article 30 where applicable; R denotes recommended, i.e. not a legal requirement of the ROPA but a field that helps organisations meet the accountability principle as advised in DPA guidance; and O denotes optional, i.e. a term found in a ROPA template that carries no legal requirement and plays no direct or supplementary role in demonstrating accountability.

Mapping of CSM-ROPA fields with DPV Concepts.
GDPR Field DPV Map. DC DP
5 Location of personal data dpv:StorageLocation E R R
5.1 Data Sources dpv:DataSource E R O
6.1 Legal basis dpv:LegalBasis E M O
6.1 Link to record of consent dpv:Consent E R R
9.1 Special Personal Data dpv:SpecialCategoryPersonalData E R O
9.1 Vulnerable Data Subjects dpv:VulnerableDataSubject E R O
22.1 Automated decision-making or profiling dpv:AutomatedDecisionMaking E R R
26.1 Joint Controller agreement dpv:JointDataControllersAgreement E R N/A
28 Data Processors dpv:DataProcessor E R M
28.3 Data Processing Contract dpv:DataProcessingAgreement E R R
28.3 Data processor contract dpv:ControllerProcessorAgreement E R R
30.1 Status of processing dpv:Status S M M
32 Tech/Org measures implementation dpv:Technology E R R
32 Security measures dpv:TechnicalOrganisationalMeasure E R R
32 Technologies used dpv:Technology E R R
33.5 Data Breach dpcat:DataBreachRecord S R R
35 Risk management dpv:RiskMitigationMeasure E R O
35 Relevant DPIA dpv:DPIA E R R
35 DPIA Results dpv:DPIA E R O
36.1 Impact Assessments dpv:ImpactAssessment E R R
36.1 Prior Consultations dpv:Consultation E R R
37.6 External DPO organisation dpv:DataProtectionOfficer E R R
_ Name of Business Process dpv:PersonalDataHandling Pt O O
_ Owner of Process dct:contactPoint E M M
_ Type of Processing dpv:Processing E O O
13, 14, 15 Data Subject Rights dpv:DataSubjectRight E R O
28, 30.1(c) Data Categories Transfer to Third Parties dpv:Transfer, dpv:PersonalData E R R
30.1(a) DPO contact dpv:hasName, dpv:hasContact E MC MC
30.1(a) Representative dpv:Representative E MC N/A
30.1(a) Representative contact dpv:hasName, dpv:hasContact E MC N/A
30.1(a) Name of joint controller dpv:JointDataController E MC N/A
30.1(a) Contact details of joint controller dpv:hasName, dpv:hasContact E MC N/A
30.1(b) Purposes of processing dpv:Purpose E M O
30.1(b) Main/Auxiliary Processing dpv:Importance (Primary, Secondary) E O O
30.1(c) Personal Data Categories dpv:PersonalDataCategory E M M
30.1(c) Categories of data subjects dpv:DataSubject E M M
30.1(d) Categories of Recipients dpv:Recipient E MC MC
30.1(e) Third Countries Data Transfer dpv:ThirdCountry E MC MC
30.1(e) Appropriate Safeguards dpv:Safeguard E MC MC
30.1(f) Retention/Deletion Periods dpv:StorageDuration E M O
30.1(g) Technical and organisational measures dpv:TechnicalOrganisationalMeasure E M M
30(1)(a) Data Controller contact dpv:hasName, dpv:hasContact E M M
30(1)(a) Data Protection Officer dpv:DataProtectionOfficer E MC MC
44–47 Nature of Transfer dpv:DataTransferLegalBasis E MC MC
6.1(f) Legitimate interests dpv:LegitimateInterest E R R
6.1(f) Legitimate interests assessment dpv:LegitimateInterestAssessment E R R
6, 14, 30.1(b) Data Combination dpv:Combine E R O

DPCat specification

The following tables summarise the ROPA, ROPACatalog and ROPARecord fields of the DPCat specification. The column "Card." gives the cardinality of the field and "Nec." its necessity requirement: M denotes mandatory; C conditional, i.e. if applicable; R recommended; and O optional.

DPCat ROPA and ROPACatalog fields.
Title Relation Domain Range Card. Nec.
Datasets in Catalog dcat:dataset dpcat:ROPA(Catalog) dpcat:ROPARecord 0...n M
Description dct:description dpcat:ROPA(Catalog) rdfs:Literal 1...n M
Issued dct:issued dpcat:ROPA(Catalog) rdfs:Literal (XSD date/time) 0...1 R
Publisher dct:publisher dpcat:ROPA(Catalog) foaf:Agent 1...1 M
Title dct:title dpcat:ROPA(Catalog) rdfs:Literal 1...n M
Contact Point dcat:contactPoint dpcat:ROPA(Catalog) vcard:Kind 0...n R
Temporal coverage dct:temporal dpcat:ROPA(Catalog) dct:PeriodOfTime 0...n O
Data Controller dpv:hasDataController dpcat:ROPA(Catalog) dpv:DataController 1...1 M
DPO for Catalog dpv:hasDataProtectionOfficer dpcat:ROPA(Catalog) dpv:DataProtectionOfficer 0...1 MC
Representative dpv:hasRepresentative dpcat:ROPA(Catalog) dpv:Representative 0...1 MC
Responsible Entity dpcat:responsibleEntity dpcat:ROPA(Catalog) dpv:Entity 0...n O
Catalogs dcat:catalog dpcat:ROPACatalog dpcat:ROPA 0...n M

DPCat ROPARecord fields.
Title Relation Domain Range Card. Nec.
Contact Point dcat:contactPoint dpcat:ROPARecord vcard:Kind 0...n R
Description dct:description dpcat:ROPARecord rdfs:Literal 1...n M
Identifier dct:identifier dpcat:ROPARecord rdfs:Literal 0...n O
Date Issued dct:issued dpcat:ROPARecord rdfs:Literal (datetime) 0...1 O
Publisher dct:publisher dpcat:ROPARecord foaf:Agent 0...1 R
Temporal coverage dct:temporal dpcat:ROPARecord dct:PeriodOfTime 0...n R
Title dct:title dpcat:ROPARecord rdfs:Literal 1...n M
Joint Controller dpv:hasJointDataControllers dpcat:ROPARecord dpv:LegalEntity 0...n MC
Business Process dpv:hasPersonalDataHandling dpcat:ROPARecord dpv:PersonalDataHandling 0...1 R
Process Owner dcat:contactPoint dpcat:ROPARecord vcard:Kind 0...n R
Purposes dpv:hasPurpose dpcat:ROPARecord dpv:Purpose 1...n M
Legal Basis dpv:hasLegalBasis dpcat:ROPARecord dpv:LegalBasis 1...n M
Type of Processing dpv:hasProcessing dpcat:ROPARecord dpv:Processing 1...n R
Personal Data dpv:hasPersonalData dpcat:ROPARecord dpv:PersonalData 1...n M
Special Personal Data Categories rdfs:subClassOf dpv:SpecialCategoryPersonalData dpv:PersonalData 1...n R
Data Subjects dpv:hasDataSubject dpcat:ROPARecord dpv:DataSubject 1...n M
Vulnerable Data Subjects rdfs:subClassOf dpv:VulnerableDataSubject dpv:DataSubject 0...n R
Data Retention/Deletion Periods dpv:hasStorage dpcat:ROPARecord dpv:StorageDuration 1...n M
Data Combination rdfs:subClassOf dpv:Combine dpv:Processing 0...n R
Source of Data dpv:hasDataSource dpcat:ROPARecord dpv:DataSource 1...n R
Processor dpv:hasDataProcessor dpcat:ROPARecord dpv:LegalEntity 0...n M
Data Processing Contract dpv:hasOrganisationalMeasure dpcat:ROPARecord dpv:DataProcessingAgreement 0...n R
Recipients dpv:hasRecipient dpcat:ROPARecord dpv:LegalEntity 1...n MC
Third countries for Transfers dpv:hasThirdCountry dpv:Transfer dpv:ThirdCountry 0...n MC
Nature of Transfer dpv:hasLegalBasis dpv:Transfer dpv:LegalBasis 0...n MC
Safeguards dpv:hasOrganisationalMeasure dpcat:ROPARecord dpv:Safeguard 0...n MC
Risk management dpv:hasRisk, dpv:isMitigatedByMeasure dpcat:ROPARecord dpv:Risk, dpv:RiskMitigationMeasure 0...n R
Technical/Organisational measures dpv:hasTechnicalOrganisationalMeasure dpcat:ROPARecord dpv:TechnicalOrganisationalMeasure 1...n M
Data Subject Rights dpv:hasRight dpcat:ROPARecord dpv:DataSubjectRight 1...n R
Legitimate interests dpv:hasLegalBasis dpcat:ROPARecord dpv:LegitimateInterest 0...n R
Legitimate Interests Assessment dpv:hasOrganisationalMeasure dpv:LegitimateInterest dpv:LegitimateInterestAssessment 0...n R
Automated decision-making dpv:hasContext dpv:Processing dpv:AutomatedDecisionMaking 0...n R
Profiling rdfs:subClassOf dpv:Profiling dpv:Processing 0...n R
Record of Consent dpv:hasLegalBasis dpcat:ROPARecord dpv:Consent 0...n R
Location of Personal Data dpv:hasStorage dpcat:ROPARecord dpv:StorageLocation 1...n R
Status of Processing dpv:hasContext dpcat:ROPARecord dpv:Status 1...n R
Relevant Personal Data Breach dpcat:associatedWithDataBreach dpcat:ROPARecord dpcat:DataBreach 0...n R
Impact Assessment dpv:hasOrganisationalMeasure dpcat:ROPARecord dpv:ImpactAssessment 0...n R
Prior Consultation dpv:hasOrganisationalMeasure dpcat:ROPARecord dpv:Consultation 0...n R
Main/Auxiliary Processing dpv:hasContext dpcat:ROPARecord dpv:Importance 1...n R
Joint Controller Agreement dpv:hasOrganisationalMeasure dpcat:ROPARecord dpv:JointDataControllersAgreement 0...n R
Data Processor Contract dpv:hasOrganisationalMeasure dpcat:ROPARecord dpv:ControllerProcessorAgreement 0...n R
Information System for Tech/Org measure dpv:isImplementedUsingTechnology dpv:TechnicalOrganisationalMeasure dpv:Technology 1...n R
Security Measures dpv:hasTechnicalOrganisationalMeasure dpcat:ROPARecord dpv:TechnicalOrganisationalMeasure 1...n R
Relevant DPIA dpv:hasOrganisationalMeasure dpcat:ROPARecord dpv:DPIA 0...n R
DPIA Results dpv:hasOrganisationalMeasure dpcat:ROPARecord dpv:DPIA 0...n R
System or software name dpv:isImplementedUsingTechnology dpcat:ROPARecord dpv:Technology 1...n R
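As an added example, not code from the DPCat paper or its repository, the Turtle below builds one dpcat:ROPA catalog holding one dpcat:ROPARecord from the mandatory fields in the tables above, and then encodes the "Card." and "Nec." columns as SHACL shapes, which is the kind of correctness check the conclusion describes. The dpcat namespace IRI and every ex: resource are assumptions made for this illustration; dpv, dcat, dct, foaf, vcard, sh and xsd are the real vocabulary IRIs.

```turtle
# Added example (not from the DPCat paper/repo). Assumptions: the dpcat prefix IRI
# and all ex: resources are constructed here; the other prefixes are the real ones.
@prefix dpcat: <https://w3id.org/dpcat#> .
@prefix dpv:   <https://w3id.org/dpv#> .
@prefix dcat:  <http://www.w3.org/ns/dcat#> .
@prefix dct:   <http://purl.org/dc/terms/> .
@prefix foaf:  <http://xmlns.com/foaf/0.1/> .
@prefix vcard: <http://www.w3.org/2006/vcard/ns#> .
@prefix sh:    <http://www.w3.org/ns/shacl#> .
@prefix xsd:   <http://www.w3.org/2001/XMLSchema#> .
@prefix ex:    <https://example.org/ropa/> .

## Data graph: one ROPA catalog and one record, mandatory (M) fields filled ##

ex:AcmeController a dpv:DataController, foaf:Agent ;
    dpv:hasName "ACME Retail Ltd (constructed)" ;
    dpv:hasContact "dpo@acme.example" .

ex:AcmeROPA a dpcat:ROPA ;
    dct:title "ACME Retail - Register of Processing Activities"@en ;   # 1..n M
    dct:description "Article 30 register for processing under ACME's control."@en ;
    dct:issued "2022-05-01"^^xsd:date ;                                 # 0..1 R
    dct:publisher ex:AcmeController ;                                   # 1..1 M
    dpv:hasDataController ex:AcmeController ;                           # 1..1 M
    dcat:dataset ex:RecOrderFulfilment .                                # records, M

ex:RecOrderFulfilment a dpcat:ROPARecord ;
    dct:title "Order fulfilment"@en ;
    dct:description "Shipping purchased goods to the customer's address."@en ;
    dcat:contactPoint ex:OrdersTeam ;                            # process owner, R
    dpv:hasPurpose ex:FulfilOrders ;                             # 1..n M
    dpv:hasLegalBasis dpv:Contract ;                             # 1..n M (DPV class used as value)
    dpv:hasPersonalData ex:NameAndDeliveryAddress ;              # 1..n M
    dpv:hasDataSubject ex:Customers ;                            # 1..n M
    dpv:hasStorage ex:RetainSixYears, ex:EUDataCentre ;          # duration M, location R
    dpv:hasTechnicalOrganisationalMeasure ex:EncryptionAtRest ;  # 1..n M
    dpv:hasDataProcessor ex:CourierCo ;                          # 0..n M
    dpv:hasDataSource ex:CheckoutForm ;                          # 1..n R
    dpv:hasRight ex:RightOfAccess .                              # 1..n R

ex:OrdersTeam a vcard:Kind ; vcard:fn "Orders team" ; vcard:hasEmail <mailto:orders@acme.example> .
ex:FulfilOrders a dpv:Purpose ; dct:description "Deliver goods the customer has bought." .
ex:NameAndDeliveryAddress a dpv:PersonalData .
ex:Customers a dpv:DataSubject .
ex:RetainSixYears a dpv:StorageDuration ; dct:description "Six years from the order date." .
ex:EUDataCentre a dpv:StorageLocation .
ex:EncryptionAtRest a dpv:TechnicalOrganisationalMeasure .
ex:CourierCo a dpv:DataProcessor ; dpv:hasName "Courier Co (constructed)" .
ex:CheckoutForm a dpv:DataSource .
ex:RightOfAccess a dpv:DataSubjectRight .

## Shapes graph: the Card./Nec. columns of the tables as SHACL constraints ##

ex:ROPAShape a sh:NodeShape ;
    sh:targetClass dpcat:ROPA ;
    sh:property [ sh:path dct:title ;       sh:minCount 1 ; sh:nodeKind sh:Literal ] ;
    sh:property [ sh:path dct:description ; sh:minCount 1 ; sh:nodeKind sh:Literal ] ;
    sh:property [ sh:path dct:publisher ;   sh:minCount 1 ; sh:maxCount 1 ] ;
    sh:property [ sh:path dpv:hasDataController ; sh:minCount 1 ; sh:maxCount 1 ;
                  sh:class dpv:DataController ] ;
    sh:property [ sh:path dcat:dataset ; sh:minCount 1 ; sh:class dpcat:ROPARecord ] ;
    # 0..1 MC: the DPO is required only where Art. 37 applies, so the shape caps
    # the count; the "if applicable" condition is a policy decision, not a SHACL one.
    sh:property [ sh:path dpv:hasDataProtectionOfficer ; sh:maxCount 1 ] .

ex:ROPARecordShape a sh:NodeShape ;
    sh:targetClass dpcat:ROPARecord ;
    sh:property [ sh:path dct:title ;       sh:minCount 1 ; sh:nodeKind sh:Literal ] ;
    sh:property [ sh:path dct:description ; sh:minCount 1 ; sh:nodeKind sh:Literal ] ;
    sh:property [ sh:path dpv:hasPurpose ;      sh:minCount 1 ; sh:class dpv:Purpose ] ;
    sh:property [ sh:path dpv:hasLegalBasis ;   sh:minCount 1 ; sh:nodeKind sh:IRI ] ;
    sh:property [ sh:path dpv:hasPersonalData ; sh:minCount 1 ; sh:class dpv:PersonalData ] ;
    sh:property [ sh:path dpv:hasDataSubject ;  sh:minCount 1 ; sh:class dpv:DataSubject ] ;
    # dpv:hasStorage carries both the retention period (M) and the location (R),
    # so require at least one StorageDuration among its values instead of
    # forcing every value to be one.
    sh:property [ sh:path dpv:hasStorage ;
                  sh:qualifiedValueShape [ sh:class dpv:StorageDuration ] ;
                  sh:qualifiedMinCount 1 ] ;
    sh:property [ sh:path dpv:hasTechnicalOrganisationalMeasure ; sh:minCount 1 ;
                  sh:class dpv:TechnicalOrganisationalMeasure ] ;
    # Recommended (R) fields: report absence as a warning, not a violation.
    sh:property [ sh:path dpv:hasDataSource ; sh:minCount 1 ; sh:severity sh:Warning ;
                  sh:message "Recommended: record the source of the personal data." ] ;
    sh:property [ sh:path dpv:hasRight ; sh:minCount 1 ; sh:severity sh:Warning ;
                  sh:message "Recommended: record the applicable data subject rights." ] .
```

Validating the data graph against the shapes with a SHACL engine (the paper's pipeline cites the TopBraid SHACL API [44]) yields no results for the record as written; deleting the dpv:hasPurpose triple produces a sh:Violation, while deleting dpv:hasDataSource produces only a sh:Warning, mirroring the M and R necessity levels. sh:class looks for the value's rdf:type in the data graph, so where a DPV concept is used directly as a value (dpv:Contract above) the shape checks only the node kind; loading the DPV ontology alongside the data would allow sh:class dpv:LegalBasis there as well.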

References

[1] Castlebridge, “Registers Of Processing Activities (Accessed: 2022-03-10).” https://castlebridge.ie/research/2020/ropa-report/, Nov-2020.
[2] P. Ryan, H. J. Pandit, and R. Brennan, “A Common Semantic Model of the GDPR Register of Processing Activities,” in Frontiers in Artificial Intelligence and Applications, 2020, doi: 10.3233/faia200876.
[3] P. Ryan and R. Brennan, “Demonstrating GDPR accountability with CSM-ROPA: Extensions to the data privacy vocabulary,” in 24th International Conference Enterprise Information Systems (ICEIS ’21), 2021.
[4] ICO, “Records of processing and lawful basis - ICO (Accessed: 2022-03-10).” https://ico.org.uk/for-organisations/accountability-framework/records-of-processing-and-lawful-basis/, Jan-2022.
[5] P. Ryan, H. Pandit, and R. Brennan, “Building a Data Processing Activities Catalog: Representing Heterogeneous Compliance-Related Information for GDPR Using DCAT-AP and DPV,” in Further with Knowledge Graphs, 2021, pp. 169–182, doi: 10.3233/ssw210043.
[6] H. J. Pandit, C. Debruyne, D. O’Sullivan, and D. Lewis, “An Exploration of Data Interoperability for GDPR,” International Journal of Standardization Research (IJSR), vol. 16, no. 1, pp. 1–21, 2018, doi: 10.4018/IJSR.2018010101.
[7] R. Chiavetta, “Privacy Tech Vendor Report,” International Association of Privacy Professionals (IAPP), 2020.
[8] OneTrust, “IDC Releases First Worldwide Data Privacy Management Software Market Shares Report - OneTrust (Accessed: 2022-03-10).” https://www.onetrust.com/blog/idc-releases-first-worldwide-data-privacy-management-software-market-shares-report/, May-2020.
[9] R. P. Buckley, D. W. Arner, D. A. Zetzsche, and R. H. Weber, “The road to RegTech: The (astonishing) example of the European Union,” Journal of Banking Regulation, vol. 21, no. 1, pp. 26–36, Mar. 2020, doi: 10.1057/s41261-019-00104-1.
[10] T. Butler and L. O’Brien, “Understanding RegTech for Digital Regulatory Compliance,” in Disrupting Finance, T. Lynn, J. G. Mooney, P. Rosati, and M. Cummins, Eds. Cham: Springer International Publishing, 2019, pp. 85–102.
[11] C. Labadie and C. Legner, “Understanding Data Protection Regulations from a Data Management Perspective: A Capability-Based Approach to EU-GDPR,” in Wirtschaftsinformatik, 2019, p. 15.
[12] M. M. Martínez González, M. L. Alvite Díez, P. Casanovas, N. Casellas, D. Sanz, and A. Aparicio de la Fuente, “State of the Art and Ambition,” OntoROPA Project, D3.1, 2021.
[13] D. Huth, A. Tanakol, and F. Matthes, “Using Enterprise Architecture Models for Creating the Record of Processing Activities (Art. 30 GDPR),” in 2019 IEEE 23rd International Enterprise Distributed Object Computing Conference (EDOC), 2019, pp. 98–104, doi: 10.1109/EDOC.2019.00021.
[14] D. Korff and M. Georges, “The Data Protection Officer Handbook,” Social Science Research Network, Rochester, NY, SSRN Scholarly Paper ID 3428957, Jul. 2019.
[15] H. J. Pandit et al., “Creating A Vocabulary for Data Privacy,” in The 18th International Conference on Ontologies, DataBases, and Applications of Semantics (ODBASE2019), 2019, p. 17, doi: 10.1007/978-3-030-33246-4_44.
[16] “Data Catalog Vocabulary (DCAT) - Version 2.” https://www.w3.org/TR/vocab-dcat-2/.
[17] S. Cox, D. Browning, R. Albertoni, A. G. Beltran, P. Winstanley, and A. Perego, “Data catalog vocabulary (DCAT) - version 2,” W3C, W3C Recommendation, Feb. 2020.
[18] M. Dekkers, V. Peristeras, N. Loutas, N. Sofou, and B. Van Nuffelen, “DCAT Application Profile for data portals in Europe Version 2.1.0,” Directorate-General for Informatics (DIGIT), European Commission, Semantic Interoperability Community (SEMIC), Nov. 2019.
[19] “Strategy for Data | Shaping Europe’s digital future.” https://digital-strategy.ec.europa.eu/en/policies/strategy-data, Mar-2022.
[20] “Measuring Privacy Operations 2019 Cookies, Local vs. Global Compliance, DSARs and more - IAPP and TrustArc (Accessed: 2022-03-10).” https://iapp.org/media/pdf/resource_center/measuring_privacy_operations_2019.pdf, 2020.
[21] J. Bracy, “Privacy Tech Vendor Report,” International Association of Privacy Professionals (IAPP), 2021.
[22] “The value of investing in well-constructed records of processing activities - IAPP (Accessed: 2022-03-10).” https://iapp.org/news/a/the-value-of-investing-in-well-constructed-recordings-of-processing-activities/.
[23] D. Drewer and V. Miladinova, “The canary in the data mine,” Computer Law & Security Review, vol. 34, no. 4, pp. 806–815, Aug. 2018, doi: 10.1016/j.clsr.2018.05.019.
[24] T. Sparapani and J. Sherman, “Privacy Tech’s Third Generation: A Review of the Emerging Privacy Tech Sector.” Future of Privacy Forum and Privacy Tech Alliance, https://fpf.org/wp-content/uploads/2021/06/FPF-PTA-Report_Digital.pdf, Jun-2021.
[25] V. Khatri and C. V. Brown, “Designing data governance,” Communications of the ACM, vol. 53, no. 1, pp. 148–152, Jan. 2010, doi: 10.1145/1629175.1629210.
[26] P. Rozehnal and V. Novák, “The Core Of Enterprise Architecture As A Management Tool: GDPR Implementation Case Study,” in 26th Interdisciplinary Information Management Talks, 2020.
[27] F. Burmeister, P. Drews, and I. Schirmer, “A Privacy-driven Enterprise Architecture Meta-Model for Supporting Compliance with the General Data Protection Regulation,” in Hawaii International Conference on System Sciences 2019 (HICSS-52), 2019.
[28] H. J. Pandit, K. Fatema, D. O’Sullivan, and D. Lewis, “GDPRtEXT - GDPR as a Linked Data Resource,” in The Semantic Web, 2018, vol. 10843, pp. 481–495, doi: 10.1007/978-3-319-93417-4_31.
[29] “Business Process Re-engineering and functional toolkit for GDPR compliance (BPR4GDPR H2020 Project) (Accessed: 2022-03-10).” https://www.bpr4gdpr.eu/.
[30] H. J. Pandit and D. Lewis, “Modelling Provenance for GDPR Compliance using Linked Open Data Vocabularies,” in Proceedings of the 5th Workshop on Society, Privacy and the Semantic Web - Policy and Technology (PrivOn2017) (PrivOn), 2017.
[31] H. J. Pandit, C. Debruyne, D. O’Sullivan, and D. Lewis, “GConsent - A Consent Ontology Based on the GDPR,” in The Semantic Web, 2019, pp. 270–282, doi: 10.1007/978-3-030-21348-0_18.
[32] P. A. Bonatti, S. Kirrane, I. M. Petrova, and L. Sauro, “Machine Understandable Policies and GDPR Compliance Checking,” KI - Künstliche Intelligenz, vol. 34, no. 3, pp. 303–315, Sep. 2020, doi: 10.1007/s13218-020-00677-4.
[33] M. Palmirani, M. Martoni, A. Rossi, C. Bartolini, and L. Robaldo, “PrOnto: Privacy Ontology for Legal Compliance,” in Proceedings of the 18th European Conference on Digital Government ECDG 2018, 2018, p. 10.
[34] B. Esteves and V. Rodriguez-Doncel, “Analysis of Ontologies and Policy Languages to Represent Information Flows in GDPR,” Semantic Web J., vol. Forthcoming, 2022.
[35] G. V. Lioudakis et al., “Facilitating GDPR Compliance: The H2020 BPR4GDPR Approach,” in Digital Transformation for a Sustainable Society in the 21st Century, 2020, pp. 72–78, doi: 10.1007/978-3-030-39634-3_7.
[36] E. Grunewald, P. Wille, F. Pallas, M. C. Borges, and M.-R. Ulbricht, “TIRA: An OpenAPI Extension and Toolbox for GDPR Transparency in RESTful Architectures,” in International Workshop on Privacy Engineering (IWPE’21), 2021, doi: 10.1109/EuroSPW54576.2021.00039.
[37] E. Grünewald and F. Pallas, “TILT: A GDPR-Aligned Transparency Information Language and Toolkit for Practical Privacy Engineering,” in Proceedings of the 2021 ACM Conference on Fairness, Accountability, and Transparency, 2021, pp. 636–646, doi: 10.1145/3442188.3445925.
[38] M. Rost and R. Weichelt, “The Standard Data Protection Model,” Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder, Version 2.0b, Apr. 2020.
[39] F. Scharffe and D. Fensel, “Correspondence patterns for ontology alignment,” in International Conference on Knowledge Engineering and Knowledge Management, 2008, pp. 83–92.
[40] P. Brous, M. Janssen, and R. Krans, “Data Governance as Success Factor for Data Science,” in Responsible Design, Implementation and Use of Information and Communication Technology, 2020, pp. 431–442, doi: 10.1007/978-3-030-44999-5_36.
[41] “Records Register | European Data Protection Supervisor (Accessed: 2022-03-10).” https://edps.europa.eu/about/data-protection-within-edps/records-register_en, 2022.
[42] “Apache Jena Version 4.4.0 (Accessed: 2022-03-10).” https://jena.apache.org/, Jan-2022.
[43] “GraphDB Free Version 9.7.0-1 (Accessed: 2022-03-10).” https://graphdb.ontotext.com/, Feb-2021.
[44] “TopBraid SHACL API Version 1.3.2 (Accessed: 2022-03-10).” TopQuadrant, Inc, Apr-2022.
[45] H. J. Pandit, D. O’Sullivan, and D. Lewis, “Test-driven Approach Towards GDPR Compliance,” in 15th International Conference on Semantic Systems (SEMANTiCS2019), 2019, doi: 10.1007/978-3-030-33220-4_2.
[46] “Coordinated Plan on Artificial Intelligence 2021 Review | Shaping Europe’s digital future (Accessed: 2022-03-10).” https://digital-strategy.ec.europa.eu/en/library/coordinated-plan-artificial-intelligence-2021-review, Apr-2021.
[47] “CKAN - The open source data management system (Accessed: 2022-03-10).” ckan.org, http://ckan.org/.
[48] P. Ryan, M. Crane, and R. Brennan, “Design Challenges for GDPR RegTech,” in Proceedings of the 22nd International Conference on Enterprise Information Systems, 2020, pp. 787–795, doi: 10.5220/0009464507870795.
[49] D. W. Arner, J. N. Barberis, and R. P. Buckley, “The Evolution of Fintech: A New Post-Crisis Paradigm?” SSRN Electronic Journal, 2015, doi: 10.2139/ssrn.2676553.
[50] “Privacy Impact Assessment (PIA) | CNIL (Accessed: 2022-03-10).” https://www.cnil.fr/en/privacy-impact-assessment-pia, 2021.
[51] “DPV-GDPR: GDPR Extension for DPV (Accessed: 2022-04-15).” https://w3c.github.io/dpv/dpv-gdpr/, Apr-2022.
[52] C. Taylor, “GDPR at risk of failing due to underfunding of regulators, study finds (Accessed: 2022-03-10),” The Irish Times, https://www.irishtimes.com/business/technology/gdpr-at-risk-of-failing-due-to-underfunding-of-regulators-study-finds-1.4238927, Apr-2020.
