Towards Privacy Policy Conceptual Modeling Katsiaryna Krasnashchok - - PowerPoint PPT Presentation
Towards Privacy Policy Conceptual Modeling Katsiaryna Krasnashchok Majd Mustapha Anas Al Bassit Sabri Skhiri Katsiaryna Krasnashchok, R&D Engineer @EURA NOVA 1 EURA NOVA A R&D-fueled consultancy company Customers challenges WE
Katsiaryna Krasnashchok Majd Mustapha Anas Al Bassit Sabri Skhiri Katsiaryna Krasnashchok, R&D Engineer @EURA NOVA
1
Customers’ challenges R&D expertise Products
WE BELIEVE TECHNOLOGY IS THE ENGINE OF CHANGE.
2
A R&D-fueled consultancy company
3
The next two-year program R&D expertise AUTOMATION
+700 K What if you could simplify and even automate a machine learning task?
DATA PRIVACY
$1 to $5 Mi What if we can understand what each user agreed about their data?
DATA PIPELINES
$500 K What if best configuration data pipelines
DATA QUALITY
85% What if you can detect which sources impact the accuracy the most?
1 2 3 4
4
The next two-year program R&D expertise DATA PRIVACY
$1 to $5 Mi What if we can understand what each user agreed about their data?
1
Creating new approaches in nlp in order to support gdpr & privacy by design 1- Towards Privacy Policy Conceptual Modeling 2-Privacy Policy Classification With XLNet
5 5
Automate privacy by design based on policies and DPAs
Policy/DPA Data Flow DPO
RUNE
Controls
6
IMDB use case Information You Give Us: We receive and store any information you enter on our Web site or give us in any other way. Click here to see examples of what we collect. ...you might supply us with such information as your name, e-mail address, physical address, zip code, and phone number; your age and gender; the movies and actors you like or dislike; and your general movie preferences. You can choose not to provide certain information, but then you might not be able to take advantage of many of our features. We use the information that you provide for such purposes as responding to your requests, customizing future browsing for you, improving our site, and communicating with you.
7
IMDB use case Information You Give Us: We receive and store any information you enter on our Web site or give us in any other way. Click here to see examples of what we collect. ...you might supply us with such information as your name, e-mail address, physical address, zip code, and phone number; your age and gender; the movies and actors you like or dislike; and your general movie preferences. You can choose not to provide certain information, but then you might not be able to take advantage of many of our features. We use the information that you provide for such purposes as responding to your requests, customizing future browsing for you, improving our site, and communicating with you.
8
Automate privacy by design based on policies and DPAs
Compliance/ Data Access NLP
Policy model
Policy/contract parser Policies/ contracts Policy representations
Instance of
Request for action Reasoner / compliance checker
Sent to Written in terms of Checks against Returns response Uses
Pre-processing/ conflict resolution module
Refine / enrich
9
Ontology Engineering
Ontology Aligning Ontology Search Ontology Selection Ontology Comparison Ontology Assessment Ontology Merging
Scenario 5: Reusing and Merging Ontological Resources
Gómez-Pérez, Asunción, and Mari Carmen Suárez-Figueroa. "Neon methodology for building ontology networks: a scenario-based methodology." (2009).
STATE OF THE ART
Ontology Aligning Ontology Search Ontology Selection Ontology Comparison Ontology Assessment Ontology Merging 10
11
For Model Selection
11 GDPR- awareness Privacy Concepts Deontic Concepts
Interoperability / Reusability
Annotated Data Maturity Level Reasoning
12
State of the Art
12
MODEL ENGINEERING
Ontology Aligning Ontology Search Ontology Selection Ontology Comparison Ontology Assessment Ontology Merging 13
14
Combine existing models to cover full requirements for our model Deontic concepts Vocabularies of privacy terms ODRL/ORCP ODRL Regulatory Compliance Profile DPV Data Privacy Vocabularies
Rule Obligation Prohibition Permission Action Data Party Purpose
Legal Basis
Processing Personal Data Category
Data Controller / Data Processor / Data Subject / Third Party
Purpose
Legal Basis Technical / Organisational Measure
14
1. De Vos, Marina, et al. "ODRL policy modelling and compliance checking." International Joint Conference on Rules and Reasoning. Springer, 2019. 2. Pandit, Harshvardhan J., et al. "Creating a Vocabulary for Data Privacy." OTM Confederated International Conferences" On the Move to Meaningful Internet Systems". Springer, 2019.
15
Combine existing models to cover full requirements for our model Deontic concepts Vocabularies of privacy terms ODRL/ORCP ODRL Regulatory Compliance Profile DPV Data Privacy Vocabularies
Processing Personal Data Category
Data Controller / Data Processor / Data Subject / Third Party
Purpose
Legal Basis Technical / Organisational Measure
Rule Obligation Prohibition Permission Action Data Party Purpose
Legal Basis
Technical / Organisational Measure
15
16
Reuse existing models to cover full requirements for our model
16
17
Semantic dAta priVacy modEl
Full documentation: http://rune.research.euranova.eu/
17
IMDB USE CASE
18
19
Permission Example
Full demo: http://rune.research.euranova.eu/demo/Policy.html
19
Information You Give Us: We receive and store any information you enter on our Web site or give us in any
collect. ...you might supply us with such information as your name, e-mail address, physical address, zip code, and phone number; your age and gender; the movies and actors you like or dislike; and your general movie preferences. You can choose not to provide certain information, but then you might not be able to take advantage of many
provide for such purposes as responding to your requests, customizing future browsing for you, improving our site, and communicating with you.
:Permission1 rdf:type owl:NamedIndividual , save:Permission ; save:action :Collect , :Store , :Use ; save:controller :IMDB ; save:sender :DataSubject ; save:data :Address , :Age , :EmailAddress , :Gender , :Dislikes , :Likes , :Preferences , :Name , :PhoneNumber , :ZipCode ; save:purpose :CustomerCare , :ServicePersonalization .
20
Obligation with Technical Measure Example
Full demo: http://rune.research.euranova.eu/demo/Policy.html
20
If you use our subscription service, we work to protect the security of your subscription information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input.
:Obligation1 rdf:type save:Obligation ; save:action :DiscloseByTransmission ; save:controller :IMDB ; save:data :Authenticating ; dpv:hasTechnicalOrganisationalMeasure :EncryptionInTransfer .
CONCLUSION
21
22
Validation ⇔ refinement
○ GDPR-aware, ○ fine-grained, ○ reusable, ○ supports semantic interoperability, ○ possesses potential for automated compliance checking.
○ inheriting the expressive power and functionality of each of its components,
policies, data processing agreements, other contracts - anything that involves rules of personal data processing.
22
ONGOING WORK / FUTURE PLANS
23
24
Ongoing Future Validating the model with the help of legal experts. Improvement, enrichment and correction of the model. Usage in Downstream Applications
contracts (NLP)
Checking (SHACL) Adding another level of policies based on individual user’s consent Representing GDPR norms (functional) to provide “level 0” of policies and compliance Automatic generation of data processing agreements in NL.
24
25
Contact: katherine.krasnaschok@euranova.eu Senior R&D Engineer EURA NOVA Links: SAVE spec: http://rune.research.euranova.eu/ IMDB demo: rune.research.euranova.eu/demo/Policy.html Ontology: http://rune.research.euranova.eu/save.ttl euranova.eu research.euranova.eu
26
27
Katsiaryna Krasnashchok Majd Mustapha Anas Al Bassit Sabri Skhiri Katsiaryna Krasnashchok, R&D Engineer @EURA NOVA
28
CONTEXT
29
30
Goals: ➔ Support GDPR compliance & privacy by design. ➔ Represent privacy policies and data processing agreements in a machine-readable “operational” way. Contributions: ➔ A conceptual model for fine-grained representation of privacy policies; ➔ Merge of two Semantic Web models; ➔ Open, reusable, flexible;
31 31
Policies and contracts do not guarantee privacy by design!
Interprets Audits Policy/DPA Data Flow DPO Interprets Audits
32 32
Automate privacy by design based on policies and DPAs
Policy/DPA Data Flow DPO
RUNE
Controls
Automate privacy by design based on policies and DPAs Extract Knowledge MODEL COMPLIANCE Use Knowledge to Control Access NLP SYSTEM Represent (Policies) Knowledge
33
Requirements Policy/DPA WHAT DO WE WANT TO EXTRACT? INPUT Model
34
Requirements Policy/DPA WHAT DO WE WANT TO EXTRACT? INPUT Model
… actions that are allowed/prohibited to be performed with certain personal data by certain parties for certain purposes, supported by legal bases, and protected by technical and/or
35
SAVE - Semantic dAta priVacy modEl
36
37
Combine existing models to cover full requirements for our model Deontic concepts Vocabularies of privacy terms ODRL/ORCP ODRL Regulatory Compliance Profile DPV Data Privacy Vocabularies
Rule Obligation Prohibition Permission Action Data Party Purpose
Legal Basis
Processing Personal Data Category
Data Controller / Data Processor / Data Subject / Third Party
Purpose
Legal Basis Technical / Organisational Measure
37
38
Combine existing models to cover full requirements for our model Deontic concepts Vocabularies of privacy terms ODRL/ORCP ODRL Regulatory Compliance Profile DPV Data Privacy Vocabularies
Processing Personal Data Category
Data Controller / Data Processor / Data Subject / Third Party
Purpose
Legal Basis Technical / Organisational Measure
Rule Obligation Prohibition Permission Action Data Party Purpose
Legal Basis
Technical / Organisational Measure
38
Semantic Web / Ontology
Semantic dAta priVacy modEl
Rule Obligation Prohibition Permission Action Data Party Purpose
Legal Basis
Technical / Organisational Measure
➔ Merged from two existing
➔ Machine-readable ➔ Open ➔ Reusable ➔ Potential for semantic reasoning ➔ Potential to mature in Semantic Web community
39
40
Graffoo diagram
Full documentation: http://rune.research.euranova.eu/
40
EXAMPLE
41
Full example: rune.research.euranova.eu/demo/Policy.html
42
IMDB example
Information You Give Us: We receive and store any information you enter on our Web site or give us in any
collect. ...you might supply us with such information as your name, e-mail address, physical address, zip code, and phone number; your age and gender; the movies and actors you like or dislike; and your general movie preferences. You can choose not to provide certain information, but then you might not be able to take advantage of many
provide for such purposes as responding to your requests, customizing future browsing for you, improving our site, and communicating with you.
:Permission1 rdf:type owl:NamedIndividual , save:Permission ; save:action :Collect , :Store , :Use ; save:controller :IMDB ; save:sender :DataSubject ; save:data :Address , :Age , :EmailAddress , :Gender , :Dislikes , :Likes , :Preferences , :Name , :PhoneNumber , :ZipCode ; save:purpose :CustomerCare , :ServicePersonalization . 42
CONCLUSION
43
Automate privacy by design based on policies and DPAs Extract Knowledge MODELING TRACK COMPLIANCE TRACK Use Knowledge to Control Access NLP TRACK Represent (Policies) Knowledge
44
45
Contact: katherine.krasnaschok@euranova.eu Senior R&D Engineer EURA NOVA Links: SAVE spec: http://rune.research.euranova.eu/ IMDB demo: rune.research.euranova.eu/demo/Policy.html Ontology: http://rune.research.euranova.eu/save.ttl euranova.eu research.euranova.eu
We want to contribute to the world digital transformation
A R&D-fueled consultancy company
ENX Product factory ENX R&D ENX Cust. services
EURA NOVA (ENX)
47 47 Impacting the society with Technologies A research Initiative from EURA NOVA
RUNE GDPR - Security
Creating new approaches in NLP in order to support GDPR & Privacy by design 1- Towards Privacy Policy Conceptual Modeling 2-Privacy Policy Classification With XLNet
ASGARD (Started Feb 2020)
We believe technology is the engine of change. We believe creating new knowledge is the best way to see further and to lead the path to tomorrow.