Data Protection Compliance (DAPRECO), CORE-FNR, 2017-2019

Interdisciplinary Research Group in Socio-technical Cybersecurity

The recently approved General Data Protection Regulation (GDPR) is expected to have a significant impact on the European Digital Single Market because it changes how enterprises have to protect individuals' personal data records. To keep their businesses up and running, and to avoid the high fines that the GDPR provides for non-compliance with its provisions, enterprises must be prepared to face the effects of the application of the regulation. Concomitantly, regulators and authorities should understand how to assess compliance with the GDPR.

One way to face these challenges, the way this project helps pursue, is to look at current security standards and to check what "correlations" (i.e. relations of the form "a provision x implements a provision y") they have with the GDPR. Such correlations depend on the legal interpretations that exist, and may come to exist, of the terms and the provisions in the GDPR and in the security standards. Once these correlations are made clear, an enterprise that implements a standard will benefit from a presumption of compliance with the GDPR with respect to those parts covered by the standard. This is possible because standards encode consolidated practices and are certified by auditors; therefore, by implementing them, enterprises gain an argument of compliance grounded in having followed best practices. The same argument can be used by regulators and authorities when assessing an enterprise's compliance with the GDPR.

However, this solution has a problem that hinders its effectiveness. The GDPR and the standards are available in natural language only. Finding correlations by hand is hard work even without considering the various legal interpretations, which nevertheless must be considered. Without an appropriate methodology and without the support of a knowledge base, the task easily exceeds what a single enterprise or authority can achieve.

This project, DAPRECO, offers a solution to this well-recognized challenge in legal informatics. DAPRECO will represent the provisions in the GDPR and in the current security standards in an innovative logic. The logic, which we call here ProLeMAS (PROcessing LEgal language in normative Multi-Agent Systems), has recently been defined by one of the proponents. The provisions will be correlated via operators of the same logic. ProLeMAS integrates insights from modern formalisms in Deontic Logic and Natural Language Semantics, and it has been specifically designed to handle legal norms written in natural language. A key aspect of the innovative character of this project is that ProLeMAS is capable of handling a plurality of interpretations of its items. It is therefore able to host the plethora of legal interpretations that usually occur in the legal domain, where laws are subject to the different understandings held by subjects such as judges, regulators, and lawyers. This is possible because the operators of the ProLeMAS logic are defeasible: a correlation holds by default and can be overridden when a conflicting interpretation applies.

DAPRECO will output a knowledge base which contains the ProLeMAS correlations expressing the "formal compliance" (as opposed to "substantive compliance") of the terms and provisions in the standards and the GDPR. The output of this project is therefore a formal knowledge base, the DAPRECO Knowledge Base, built according to a rigorous methodology that we will define fully during the execution of the project. Notably, the legal interpretations of the existing correlations between the security standards and the GDPR can be updated. Different interpretations can be accumulated in our knowledge base, together with the history of how they supersede one another and of their unresolved conflicts, making the DAPRECO Knowledge Base a potentially ground-breaking support for professionals and for authorities in assessing the compliance of data processing practices with the GDPR's provisions.

Get in touch with us

SnT – Interdisciplinary Centre for Security, Reliability and Trust
Maison du Nombre, 6, avenue de la Fonte L-4364 Esch-sur-Alzette