Queryable Provenance Metadata For GDPR Compliance

GDPR Readiness-Checklist SPARQL demo

Information associated with regulatory compliance is often siloed as legal documentation that is not suitable for querying or reuse. Utilising open standards and technologies to represent and query this information can facilitate interoperability between stakeholders and assist in the task of maintaining as well as demonstrating compliance. We show how semantic web technologies can assist in the representation and querying of compliance information related to the General Data Protection Regulation (GDPR), a European law governing the use of consent and personal data. We focus on the subset of obligations related to the use of consent and personal data, and represent the associated metadata using the GDPRov ontology and the GDPRtEXT resource. This is a proof-of-concept demonstration in which information is queried to automatically populate the GDPR-readiness checklist published by Ireland’s Data Protection Commissioner (gdprandyou.ie).

PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
PREFIX dct: <http://purl.org/dc/terms/>
PREFIX gdprov: <http://purl.org/adaptcentre/openscience/ontologies/gdprov#>
PREFIX gdprtext: <http://purl.org/adaptcentre/openscience/ontologies/GDPRtEXT#>
PREFIX p-plan: <http://purl.org/net/p-plan#>
PREFIX prov: <http://www.w3.org/ns/prov#>
PREFIX this: <http://example.com/ontology/shoppingapp#>

1. General Section

Categories of Personal Data and Data Subjects

List the categories of data subjects and personal data collected and retained e.g. current employee data; retired employee data; customer data (sales information); marketing database; CCTV footage.

SELECT DISTINCT ?category where {
  ?category rdfs:subClassOf gdprov:PersonalData .
  FILTER(regex(str(?category), "http://example.com/ontology/shoppingapp#")) .
} ORDER BY ?category


SELECT DISTINCT ?category where {
  ?category rdfs:subClassOf gdprov:DataSubject .
  FILTER(regex(str(?category), "http://example.com/ontology/shoppingapp#")) .
} ORDER BY ?category

Elements of personal data included within each data category

List each type of personal data included within each category of personal data e.g. name, address, banking details, purchasing history, online browsing history, video and images.

SELECT DISTINCT ?data ?type where {
  ?data a ?type .
  ?type rdfs:subClassOf gdprov:PersonalData .
  FILTER(regex(str(?data), "http://example.com/ontology/shoppingapp#")) .
} ORDER BY ?data ?type

Source of the personal data

List the source(s) of the personal data e.g. collected directly from individuals; from third parties (if from a third party, identify the data controller, as this information will be necessary to meet obligations under Article 14).

SELECT DISTINCT ?data ?step ?agent ?agent_type where {
  ?data a ?data_type .
  ?data_type rdfs:subClassOf gdprov:PersonalData .
  ?step a gdprov:DataCollectionStep .
  ?step gdprov:collectsData ?data .
  ?step gdprov:collectsDataFromAgent ?agent .
  ?agent a ?agent_type .
  FILTER(regex(str(?agent_type), "http://example.com/ontology/shoppingapp#")) .
} ORDER BY ?data ?step ?agent

Purposes for which personal data is processed

Within each category of personal data, list the purposes for which the data is collected and retained e.g. marketing, service enhancement, research, product development, systems integrity, HR matters, advertising.

SELECT DISTINCT ?data_type ?process where {
  ?data a ?data_type .
  ?data_type rdfs:subClassOf+ gdprov:PersonalData .
  ?step a ?step_type .
  ?step_type rdfs:subClassOf* gdprov:DataStep .
  ?step gdprov:usesData ?data . 
  ?step gdprov:isPartOfProcess ?process .
} ORDER BY ?data_type ?process

Legal basis for each processing purpose (non-special categories of personal data)

For each purpose that personal data is processed, list the legal basis on which it is based e.g. consent, contract, legal obligation (Article 6).

SELECT DISTINCT ?process ?legal where {
  ?data a ?data_type .
  ?data_type rdfs:subClassOf gdprov:PersonalData .
  ?step a ?step_type .
  ?step_type rdfs:subClassOf gdprov:DataStep .
  ?step gdprov:usesData ?data . 
  ?step gdprov:isPartOfProcess ?process .
  OPTIONAL { ?step gdprov:hasLegalBasis ?legal } .
  OPTIONAL {?process gdprov:hasLegalBasis ?legal . } .
} ORDER BY ?process
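The query above lists whatever legal basis is recorded, but leaves the reviewer to spot the rows where the ?legal column is empty. The following query, added here as an example and not part of the original demo, inverts the question and returns only the personal-data steps that carry no gdprov:hasLegalBasis statement at either the step or the process level. It reuses the PREFIX declarations at the top of the page and only the GDPRov terms already used above; the property paths (subClassOf+ and subClassOf*) follow the "Purposes" query so that indirect subclasses are included.

```sparql
# Added example: personal-data steps with no recorded legal basis (Article 6 gap).
# Assumes the PREFIX block at the top of this page.
SELECT DISTINCT ?process ?step ?data_type WHERE {
  ?data a ?data_type .
  ?data_type rdfs:subClassOf+ gdprov:PersonalData .
  ?step a ?step_type .
  ?step_type rdfs:subClassOf* gdprov:DataStep .
  ?step gdprov:usesData ?data .
  ?step gdprov:isPartOfProcess ?process .
  # Neither the step itself nor the process it belongs to states a legal basis.
  FILTER NOT EXISTS { ?step gdprov:hasLegalBasis ?stepBasis }
  FILTER NOT EXISTS { ?process gdprov:hasLegalBasis ?processBasis }
} ORDER BY ?process ?step
```

An empty result set is the desired outcome for this item; any row is a processing step that cannot currently be justified from the provenance graph alone.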

Special categories of personal data

If special categories of personal data are collected and retained, set out details of the nature of the data e.g. health, genetic, biometric data.

SELECT DISTINCT ?data ?SensitiveDataType ?collectionStep ?retained where {
  ?SensitiveDataType rdfs:subClassOf gdprov:SensitiveData .
  ?data a ?SensitiveDataType . 
  ?collectionStep a gdprov:DataCollectionStep .
  ?collectionStep gdprov:collectsData ?data .
  BIND( EXISTS {
    ?storageStep a gdprov:DataStorageStep .
    ?storageStep gdprov:usesData ?data .
  } as ?retained ) .
} ORDER BY ?SensitiveDataType ?retained

Legal basis for processing special categories of personal data

List the legal basis on which special categories of personal data are collected and retained e.g. explicit consent, legislative basis (Article 9).

SELECT DISTINCT ?data ?SensitiveDataType ?collectionStep ?retained ?legal WHERE {
  ?SensitiveDataType rdfs:subClassOf gdprov:SensitiveData .
  ?data a ?SensitiveDataType . 
  ?collectionStep a gdprov:DataCollectionStep .
  ?collectionStep gdprov:collectsData ?data .
  OPTIONAL {
    ?collectionStep gdprov:hasLegalBasis ?legal .
  }
  BIND( EXISTS {
    ?storageStep a gdprov:DataStorageStep .
    ?storageStep gdprov:usesData ?data .
  } as ?retained ) .
  OPTIONAL {
    ?collectionStep gdprov:isPartOfProcess ?process .
  }
} ORDER BY ?SensitiveDataType

Retention period

For each category of personal data, list the period for which the data will be retained e.g. one month? one year? As a general rule data must be retained for no longer than is necessary for the purpose for which it was collected in the first place.


Action required to be GDPR compliant?

Identify actions that are required to ensure all personal data processing operations are GDPR compliant e.g. this may include deleting data where there is no further purpose for retention.


2. Personal Data

Validity of Consent

Have you reviewed your organisation’s mechanisms for collecting consent to ensure that it is freely given, specific, informed and that it is a clear indication that an individual has chosen to agree to the processing of their data by way of statement or a clear affirmative action?

SELECT DISTINCT ?step ?terms ?template ?givenConsent {
  ?step a gdprov:ConsentAcquisitionStep .
  ?template a gdprov:ConsentAgreementTemplate .
  ?terms a gdprov:TermsAndConditions .
  ?givenConsent a gdprov:ConsentAgreement .
  ?step gdprov:usesConsentAgreementTemplate ?template .
  ?step gdprov:usesTermsAndConditions ?terms .
  ?step gdprov:generatesConsentAgreement ?givenConsent .
} ORDER BY ?step
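The query above enumerates consent acquisition steps and what they produce. A complementary check a reviewer would want is the reverse direction: processing that claims consent as its legal basis but for which no consent acquisition step exists. The query below is an added example, not part of the original demo. It uses only terms already on this page (gdprtext:GivenConsent, gdprov:ConsentAcquisitionStep, gdprov:generatesConsentAgreement, gdprov:isPartOfProcess) and assumes, as the demo's own queries appear to, that consent acquisition is modelled as a step inside the same gdprov process as the data steps it authorises.

```sparql
# Added example: consent-based processing with no consent acquisition step in its process.
# Assumes the PREFIX block at the top of this page and that consent acquisition
# is a step of the same process (an assumption about the demo's modelling).
SELECT DISTINCT ?process ?step WHERE {
  ?step a ?step_type .
  ?step_type rdfs:subClassOf* gdprov:DataStep .
  ?step gdprov:isPartOfProcess ?process .
  # Consent is claimed either on the step or on its process.
  { ?step gdprov:hasLegalBasis gdprtext:GivenConsent }
  UNION
  { ?process gdprov:hasLegalBasis gdprtext:GivenConsent }
  # ... yet no step of that process acquires consent and generates an agreement.
  FILTER NOT EXISTS {
    ?consentStep a gdprov:ConsentAcquisitionStep .
    ?consentStep gdprov:isPartOfProcess ?process .
    ?consentStep gdprov:generatesConsentAgreement ?agreement .
  }
} ORDER BY ?process ?step
```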

Retrospective Consent

If personal data that you currently hold on the basis of consent does not meet the required standard under the GDPR, have you re-sought the individual’s consent to ensure compliance with the GDPR?


Demonstration of Consent

Are procedures in place to demonstrate that an individual has consented to their data being processed?

SELECT DISTINCT ?step ?action ?consent where {
  ?consent a gdprov:ConsentAgreement .
  ?StepType rdfs:subClassOf gdprov:ConsentStep .
  ?step a ?StepType .
  ?step ?action ?consent.
  FILTER(regex(str(?action), "http://purl.org/adaptcentre/openscience/ontologies/gdprov#")) .
} ORDER BY ?step ?consent

Withdraw consent for processing

Are procedures in place to allow an individual to withdraw their consent to the processing of their personal data?

SELECT DISTINCT ?step ?process ?action ?item where {
  ?step a gdprov:ConsentWithdrawalStep .
  OPTIONAL {
    ?process a gdprov:Process .
    ?step gdprov:isPartOfProcess ?process .
  }
  OPTIONAL {
    ?step ?action ?item .
  }
  FILTER(regex(str(?action), "http://purl.org/adaptcentre/openscience/ontologies/gdprov#")) .
} ORDER BY ?step ?action

Children's Personal Data

Where online services are provided to a child, are procedures in place to verify age and get consent of a parent/ legal guardian, where required?

SELECT DISTINCT ?step ?StepType where {
  ?StepType rdfs:subClassOf gdprov:ConsentAgeVerificationStep .
  ?step a ?StepType .
} ORDER BY ?step

Legitimate interest based data processing

If legitimate interest is a legal basis on which personal data is processed, has an appropriate analysis been carried out to ensure that the use of this legal basis is appropriate? That analysis must demonstrate that 1) there is a valid legitimate interest, 2) the data processing is strictly necessary in pursuit of the legitimate interest, and 3) the processing is not prejudicial to or overridden by the rights of the individual.

SELECT DISTINCT ?step ?process ?action ?item where {
  ?data a ?data_type .
  ?data_type rdfs:subClassOf gdprov:PersonalData .
  ?step a ?step_type .
  ?step_type rdfs:subClassOf gdprov:DataStep .
  ?step gdprov:usesData ?data . 
  ?step gdprov:isPartOfProcess ?process .
  ?step ?action ?item .
  ?step gdprov:hasLegalBasis gdprtext:LegitimateInterest .
  FILTER(regex(str(?action), "http://purl.org/adaptcentre/openscience/ontologies/gdprov#")) .
} ORDER BY ?process ?action

3. Data Subject Rights

Subject Access Requests (SARs)

Is there a documented policy/procedure for handling Subject Access Requests (SARs)?

SELECT DISTINCT ?process where {
  ?process a gdprov:HandleSAR .
} ORDER BY ?process

Subject Access Requests (SARs) Response Time

Is your organisation able to respond to SARs within one month?


Data Portability

Are procedures in place to provide individuals with their personal data in a structured, commonly used and machine readable format?

SELECT DISTINCT ?data ?format where {
  ?process a gdprov:HandleRightOfDataPortability .
  ?step gdprov:isPartOfProcess ?process .
  ?step gdprov:generatesData ?data .
  ?data dct:format ?format .
} ORDER BY ?data

Deletion and Rectification

Are there controls and procedures in place to allow personal data to be deleted or rectified (where applicable)?

SELECT DISTINCT ?process where {
  {
    ?process a gdprov:HandleRightOfErasure .
  }
  UNION
  {
    ?process a gdprov:HandleRightToRectification .
  }
} ORDER BY ?process

Right to restriction of processing

Are there controls and procedures in place to halt the processing of personal data where an individual has on valid grounds sought the restriction of processing?


Right to object to processing

Are individuals told about their right to object to certain types of processing such as direct marketing or where the legal basis of the processing is legitimate interests or necessary for a task carried out in the public interest?


Halt processing after right to object

Are there controls and procedures in place to halt the processing of personal data where an individual has objected to the processing?

SELECT DISTINCT ?process where {
  ?process a gdprov:HandleRightToObjectProcessing .
} ORDER BY ?process

Profiling and automated processing

If automated decision making, which has a legal or similarly significant effect for an individual, is based on consent, has explicit consent been collected?

SELECT DISTINCT ?step ?process where {
  ?step a gdprov:AutomatedStep .
  ?step gdprov:isPartOfProcess ?process .
  ?process gdprov:hasLegalBasis gdprtext:GivenConsent .
} ORDER BY ?step ?process

Right to obtain human intervention

Where an automated decision is made which is necessary for entering into, or performance of, a contract, or based on the explicit consent of an individual, are procedures in place to facilitate an individual’s right to obtain human intervention and to contest the decision?

SELECT DISTINCT ?step ?process ?legal where {
  ?step a gdprov:AutomatedStep .
  ?step gdprov:isPartOfProcess ?process .
  ?process gdprov:hasLegalBasis ?legal .
  FILTER(?legal IN (gdprtext:ContractWithDataSubject, gdprtext:GivenConsent) ) .
} ORDER BY ?step

Restrictions to data subject rights

Have the circumstances been documented in which an individual’s data protection rights may be lawfully restricted? Note: the Irish Data Protection Bill will set out further details on the implementation of Article 23.


4. Accuracy and Retention


Purpose Limitation

Is personal data only used for the purposes for which it was originally collected?

SELECT DISTINCT ?data ?process WHERE {
  ?StepType rdfs:subClassOf gdprov:DataStep .
  ?step a ?StepType .
  ?DataType rdfs:subClassOf gdprov:PersonalData .
  ?data a ?DataType .
  ?step ?action ?data .
  ?step gdprov:isPartOfProcess ?process
} ORDER BY ?data ?process

Data minimisation

Is the personal data collected limited to what is necessary for the purposes for which it is processed?

SELECT DISTINCT ?data ?used where {
  ?DataType rdfs:subClassOf gdprov:PersonalData .
  ?data a ?DataType .
  ?step a gdprov:DataUsageStep .
  BIND(EXISTS { ?step gdprov:usesData ?data } as ?used) .
} ORDER BY ?data
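The data minimisation query above reports, for every personal data item, whether some usage step consumes it. For the checklist the interesting rows are the ones where nothing does, and the "Action required" item in Section 1 asks for exactly that list (data with no further purpose for retention). The query below is an added example, not part of the original demo: it returns personal data that is collected but never used by any gdprov:DataUsageStep, and flags whether a storage step still retains it, reusing the EXISTS pattern from the special-categories query above. It assumes the PREFIX block at the top of the page and uses only GDPRov terms already on it.

```sparql
# Added example: collected-but-never-used personal data, with a retention flag.
# Assumes the PREFIX block at the top of this page.
SELECT DISTINCT ?data ?data_type ?collectionStep ?retained WHERE {
  ?data a ?data_type .
  ?data_type rdfs:subClassOf+ gdprov:PersonalData .
  ?collectionStep a gdprov:DataCollectionStep .
  ?collectionStep gdprov:collectsData ?data .
  # No usage step anywhere in the graph consumes this item.
  FILTER NOT EXISTS {
    ?usageStep a gdprov:DataUsageStep .
    ?usageStep gdprov:usesData ?data .
  }
  # true if a storage step still holds the item: a deletion candidate.
  BIND( EXISTS {
    ?storageStep a gdprov:DataStorageStep .
    ?storageStep gdprov:usesData ?data .
  } AS ?retained )
} ORDER BY ?retained ?data_type ?data
```

Rows with ?retained = true are the ones the "Action required" item is after: data kept without any step that gives it a purpose.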

Accuracy

Are procedures in place to ensure personal data is kept up to date and accurate and where a correction is required, the necessary changes are made without delay?


Retention

Are retention policies and procedures in place to ensure data is held for no longer than is necessary for the purposes for which it was collected?


Retention Legal Obligations

Is your business subject to other rules that require a minimum retention period (e.g. medical records/tax records)?


Destroy data securely

Do you have procedures in place to ensure data is destroyed securely, in accordance with your retention policies?

SELECT DISTINCT ?step ?action ?data where {
  ?step a gdprov:DataDeletionStep .
  ?DataType rdfs:subClassOf gdprov:PersonalData .
  ?data a ?DataType .
  ?step ?action ?data .
} ORDER BY ?step ?action

Duplication of records

Are procedures in place to ensure that there is no unnecessary or unregulated duplication of records?



5. Transparency requirements

Transparency to customers and employees

Are service users/employees fully informed of how you use their data in a concise, transparent, intelligible and easily accessible form using clear and plain language?


Provide Information listed in Article 13

Where personal data is collected directly from the individuals, are procedures in place to provide the information listed at Article 13 of the GDPR?

SELECT DISTINCT ?step ?data where {
  ?step a gdprov:DataCollectionStep .
  ?step gdprov:collectsData ?data .
} ORDER BY ?step

Provide Information listed in Article 14

If personal data is not collected from the subject but from a third party (e.g. acquired as part of a merger) are procedures in place to provide the information listed at Article 14 of the GDPR?

SELECT DISTINCT ?agent ?thirdparty ?step where {
  ?step a gdprov:DataCollectionStep .
  ?step gdprov:collectsDataFromAgent ?agent .
  BIND(EXISTS { ?agent a gdprov:ThirdParty } as ?thirdparty ) .
} ORDER BY ?agent ?step

Provide information when engaging


Provide information on facilitating rights

Is information on how the organisation facilitates individuals exercising their GDPR rights published in an easily accessible and readable format?


6. Other Data Controller Obligations

Supplier Agreements

Have agreements with suppliers and other third parties processing personal data on your behalf been reviewed to ensure all appropriate data protection requirements are included?


Data Protection Officers

Do you need to appoint a DPO as per Article 37 of the GDPR?


Reasons for not having a DPO

If it is decided that a DPO is not required, have you documented the reasons why?


Escalation procedures

Where a DPO is appointed, are escalation and reporting lines in place? Are these procedures documented?


DPO contact details

Have you published the contact details of your DPO to facilitate your customers/employees in making contact with them? (Note: post 25 May 2018 you will also be required to notify your data protection authority of your DPO’s contact details.)


Data Protection Impact Assessments (DPIAs)

If your data processing is considered high risk, do you have a process for identifying the need for, and conducting of, DPIAs? Are these procedures documented?

SELECT DISTINCT ?process where {
  ?process a gdprov:ImpactAssessment .
} ORDER BY ?process

7. Data Security

Risks involved in processing data

Have you assessed the risks involved in processing personal data and put measures in place to mitigate against them?

SELECT DISTINCT ?data ?step where {
  ?StepType rdfs:subClassOf gdprov:DataStep .
  ?step a ?StepType .
  ?DataType rdfs:subClassOf gdprov:PersonalData .
  ?data a ?DataType .
  ?step gdprov:usesData ?data .
} ORDER BY ?data

Documented Security Program

Is there a documented security programme that specifies the technical, administrative and physical safeguards for personal data?


Resolving security related issues

Is there a documented process for resolving security related complaints and issues?


Designated individual for security

Is there a designated individual who is responsible for preventing and investigating security breaches?


Encryption

Are industry standard encryption technologies employed for transferring, storing, and receiving individuals' sensitive personal information?


Removing information

Is personal information systematically destroyed, erased, or anonymised when it is no longer legally required to be retained?


Restoring access

Can access to personal data be restored in a timely manner in the event of a physical or technical incident?


8. Data Breaches

Documented incident plans

Does the organisation have a documented privacy and security incident response plan?

SELECT DISTINCT ?process ?step where {
  ?process a ?BreachProcess .
  FILTER(?BreachProcess IN (gdprov:HandleDataBreachProcess, gdprov:ReportDataBreach) ) .
  ?step gdprov:isPartOfProcess ?process .
} ORDER BY ?process

Regular reviews

Are plans and procedures regularly reviewed?


Notifying authorities

Are there procedures in place to notify the office of the Data Protection Commissioner of a data breach?

SELECT DISTINCT ?process where {
  ?process a gdprov:ReportDataBreach .
} ORDER BY ?process

Notifying data subjects

Are there procedures in place to notify data subjects of a data breach (where applicable)?

SELECT DISTINCT ?process where {
  ?process a gdprov:ReportDataBreach .
} ORDER BY ?process

Documentation of data breaches

Are all data breaches fully documented?


Co-operation procedures for data breach


9. International Data Transfers (outside EEA)

Data transfer outside EEA

Is personal data transferred outside the EEA, e.g. to the US or other countries?

SELECT DISTINCT ?step ?region ?location where {
  ?step a gdprov:DataTransferStep .
  OPTIONAL {
    ?step gdprov:transfersDataToRegion ?region .
    ?region this:location ?location .
  }
} ORDER BY ?step ?region

Special category of Personal Data in Transfer

Does this include any special categories of personal data?

ASK {
  ?step a gdprov:DataTransferStep .
  ?step ?_ ?data .
  ?data a ?DataType .
  ?DataType rdfs:subClassOf gdprov:SensitiveData .
}
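The ASK above only answers yes or no. When the answer is yes, the reviewer's next question is which sensitive data leaves via which transfer step, and to where. The SELECT below is an added example, not part of the original demo; it combines the ASK's pattern (keeping the wildcard predicate between the step and the data, as the ASK does) with the region and location lookup from the "Data transfer outside EEA" query, so region and location appear when recorded and stay unbound otherwise. It assumes the PREFIX block at the top of the page, including the demo's this:location property.

```sparql
# Added example: sensitive data in transfer, with destination where recorded.
# Assumes the PREFIX block at the top of this page (this:location is the demo's own term).
SELECT DISTINCT ?step ?data ?DataType ?region ?location WHERE {
  ?step a gdprov:DataTransferStep .
  ?step ?action ?data .
  ?data a ?DataType .
  ?DataType rdfs:subClassOf+ gdprov:SensitiveData .
  # Destination is optional: a transfer step with no region recorded still appears,
  # which is itself a documentation gap worth listing.
  OPTIONAL {
    ?step gdprov:transfersDataToRegion ?region .
    OPTIONAL { ?region this:location ?location . }
  }
} ORDER BY ?step ?DataType ?data
```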

Purpose of Transfer

What is the purpose(s) of the transfer?

SELECT DISTINCT ?step ?comment {
  ?step a gdprov:DataTransferStep .
  ?step rdfs:comment ?comment .
} ORDER BY ?step

Transfer Recipients

Who is the transfer to?

SELECT DISTINCT ?step ?entity ?EntityType {
  ?step a gdprov:DataTransferStep .
  OPTIONAL {
    ?step ?action ?entity .
    ?entity a ?EntityType .
    ?EntityType rdfs:subClassOf* prov:Agent .
  }
} ORDER BY ?step ?entity