Demonstrating GDPR Accountability with CSM-ROPA: Extensions to the Data Privacy Vocabulary

Paul Ryan, Paul Ryan, Rob Brennan

Abstract

The creation and maintenance of a Register of Processing Activities (ROPA) are essential to meeting the Accountability Principle of the General Data Protection Regulation (GDPR). We evaluate a semantic model CSM-ROPA to establish the extent to which it can be used to express a regulator provided accountability tracker to facilitate GDPR/ROPA compliance. We show that the ROPA practices of organisations are largely based on manual paper-based templates or non-interoperable systems, leading to inadequate GDPR/ROPA compliance levels. We contrast these current approaches to GDPR/ROPA compliance with best practice for regulatory compliance and identify four critical features of systems to support accountability. We conduct a case study to analyse the extent that CSM-ROPA, can be used as an interoperable, machine-readable mediation layer to express a regulator supplied ROPA accountability tracker. We demonstrate that CSM-ROPA can successfully express 92% of ROPA accountability terms. The addition of connectable vocabularies brings the expressivity to 98%. We identify three terms for addition to the CSM-ROPA to enable full expressivity. The application of CSM-ROPA provides opportunities for demonstrable and validated GDPR compliance. This standardisation would enable the development of automation, and interoperable tools for supported accountability and the demonstration of GDPR compliance.

Download


Paper Citation


in Harvard Style

Ryan P. and Brennan R. (2021). Demonstrating GDPR Accountability with CSM-ROPA: Extensions to the Data Privacy Vocabulary. In Proceedings of the 23rd International Conference on Enterprise Information Systems - Volume 2: ICEIS, ISBN 978-989-758-509-8, pages 591-600. DOI: 10.5220/0010390505910600


in Bibtex Style

@conference{iceis21,
author={Paul Ryan and Rob Brennan},
title={Demonstrating GDPR Accountability with CSM-ROPA: Extensions to the Data Privacy Vocabulary},
booktitle={Proceedings of the 23rd International Conference on Enterprise Information Systems - Volume 2: ICEIS,},
year={2021},
pages={591-600},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0010390505910600},
isbn={978-989-758-509-8},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 23rd International Conference on Enterprise Information Systems - Volume 2: ICEIS,
TI - Demonstrating GDPR Accountability with CSM-ROPA: Extensions to the Data Privacy Vocabulary
SN - 978-989-758-509-8
AU - Ryan P.
AU - Brennan R.
PY - 2021
SP - 591
EP - 600
DO - 10.5220/0010390505910600