A Common Semantic Model of the GDPR Register of Processing Activities
Paul Ryan, Harshvardhan J. Pandit, Rob Brennan

TL;DR
This paper analyzes variations in GDPR Register of Processing Activities templates across EU jurisdictions and proposes a unified, flexible data model to standardize ROPA processing and enhance compliance demonstration.
Contribution
It introduces a consolidated data model for ROPAs and extends the Data Privacy Vocabulary to support consistent GDPR compliance documentation.
Findings
Template scope and granularity vary widely between jurisdictions.
The Data Privacy Vocabulary does not directly model ROPAs.
The proposed CSM-ROPA enables standardized ROPA processing.
Abstract
The creation and maintenance of a Register of Processing Activities (ROPA) is an essential process for the demonstration of GDPR compliance. We analyse ROPA templates from six EU Data Protection Regulators and show that template scope and granularity vary widely between jurisdictions. We then propose a flexible, consolidated data model for consistent processing of ROPAs (CSM-ROPA). We analyse the extent to which the Data Privacy Vocabulary (DPV) can be used to express CSM-ROPA. We find that it does not directly address modelling ROPAs, and so needs additional concept definitions. We provide a mapping of our CSM-ROPA to an extension of the Data Privacy Vocabulary.
