The TRAPEZE Policy Framework
The General Data Protection Regulation (GDPR) introduced strong incentives for responsible personal data processing. Consequently, companies (and data controllers in general) are looking for automated support to help them comply with the regulation.
TRAPEZE has recently released the first version of its machine-understandable usage policy language, a necessary prerequisite for automating compliance checking. The policy language can express, in a simple and uniform way, the privacy policies of controllers, the consent of the data subjects, and the objectively checkable parts of the GDPR. Thus, using TRAPEZE's compliance checker, it is possible to verify whether the controller's operations comply with the data subjects' consent and with the formalized part of the GDPR.
The policy language is deliberately restricted so that it does not inherit the complexity of full OWL2 reasoning. TRAPEZE's specialized compliance checker is therefore very efficient: it can execute a few thousand compliance checks per second, which is enough for the most demanding deployment scenarios.
Last but not least, the whole framework is "vocabulary neutral", that is, the engine can work with different vocabularies of privacy concepts, purposes, legal bases, etc. This feature makes the policy framework easily adaptable to new application domains (with their specific purposes and data categories) and to different regulations. Currently, TRAPEZE adopts the vocabularies developed by the Data Privacy Vocabularies and Controls Community Group of the W3C (https://www.w3.org/community/dpvcg/), which cover the basic concepts of the GDPR as well as purposes and personal data categories of common interest.
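As an added illustration (not TRAPEZE's own code, whose policy language and checker are specified in the deliverables cited below), the following Python sketch shows the kind of check a vocabulary-neutral compliance engine performs. It assumes a deliberately simplified policy structure: a policy is a set of simple policies, each restricting the data category, the purpose, the recipient and the maximum retention period; the controller's policy complies with the consent when every one of its simple policies is subsumed by some simple policy of the consent, with subsumption decided by walking a concept taxonomy that is supplied as input rather than built in. The taxonomy and the term names are constructed for this example, loosely modelled on DPV, and are not exact DPV identifiers.

```python
"""Toy vocabulary-neutral usage-policy compliance check (added example, not TRAPEZE code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


class Taxonomy:
    """A concept hierarchy given as child -> parent edges.

    The checker is parametric in this object: swapping the edges swaps the
    vocabulary (data categories, purposes, recipients) without touching the
    checking logic, which is the sense in which the check is vocabulary neutral.
    """

    def __init__(self, edges: Dict[str, str]):
        self.parent: Dict[str, Optional[str]] = dict(edges)

    def subsumes(self, general: str, specific: str) -> bool:
        """True if `specific` is `general` or a (transitive) descendant of it."""
        node: Optional[str] = specific
        seen = set()
        while node is not None:
            if node == general:
                return True
            if node in seen:  # malformed taxonomy: refuse rather than loop forever
                raise ValueError(f"cycle in taxonomy at {node}")
            seen.add(node)
            node = self.parent.get(node)  # roots have no parent -> None
        return False


@dataclass(frozen=True)
class SimplePolicy:
    """One permitted (or performed) kind of processing (assumed structure)."""
    data: str            # personal data category
    purpose: str         # purpose of processing
    recipient: str       # who receives the data
    retention_days: int  # maximum storage duration


def simple_subsumed(tax: Taxonomy, usage: SimplePolicy, consent: SimplePolicy) -> bool:
    """A usage is covered by a consent clause when every dimension is at least as specific."""
    return (
        tax.subsumes(consent.data, usage.data)
        and tax.subsumes(consent.purpose, usage.purpose)
        and tax.subsumes(consent.recipient, usage.recipient)
        and usage.retention_days <= consent.retention_days
    )


def violations(tax: Taxonomy, controller: Iterable[SimplePolicy],
               consent: Iterable[SimplePolicy]) -> List[SimplePolicy]:
    """Usages not covered by any single consent clause (useful for explaining a failure)."""
    consent = list(consent)
    return [u for u in controller if not any(simple_subsumed(tax, u, c) for c in consent)]


def complies(tax: Taxonomy, controller: Iterable[SimplePolicy],
             consent: Iterable[SimplePolicy]) -> bool:
    """The controller's policy complies when it has no uncovered simple policy."""
    return not violations(tax, list(controller), consent)


# Constructed taxonomy, loosely DPV-like; names are illustrative, not exact DPV IRIs.
TAXONOMY = Taxonomy({
    "Contact": "PersonalData", "EmailAddress": "Contact", "Location": "PersonalData",
    "ServiceProvision": "Purpose", "Marketing": "Purpose", "DirectMarketing": "Marketing",
    "DataController": "Recipient", "DataProcessor": "Recipient", "ThirdParty": "Recipient",
})

# Constructed consent of a data subject: two clauses.
CONSENT = [
    SimplePolicy("Contact", "ServiceProvision", "DataController", 365),
    SimplePolicy("EmailAddress", "Marketing", "DataController", 90),
]

# Constructed controller operations: the first set is covered, the second is not.
OPS_OK = [
    SimplePolicy("EmailAddress", "ServiceProvision", "DataController", 30),
    SimplePolicy("EmailAddress", "DirectMarketing", "DataController", 90),
]
OPS_BAD = [
    SimplePolicy("EmailAddress", "DirectMarketing", "ThirdParty", 30),   # recipient not consented
    SimplePolicy("Location", "ServiceProvision", "DataController", 30),  # data category not consented
]

if __name__ == "__main__":
    print("OPS_OK complies:", complies(TAXONOMY, OPS_OK, CONSENT))
    print("OPS_BAD complies:", complies(TAXONOMY, OPS_BAD, CONSENT))
    for v in violations(TAXONOMY, OPS_BAD, CONSENT):
        print("not covered by consent:", v)
```

Two design points carry over to any real checker of this kind. Each usage must be covered by a single consent clause: a consent to email for service provision plus a separate consent to location for marketing does not license email for marketing, so splitting a usage across clauses would be unsound. And because the only vocabulary-specific operation is the subsumption walk, the same code runs unchanged over a different taxonomy, which is what makes the approach adaptable to other domains and regulations.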
The technical details of the policy language and the compliance checker can be found in deliverables D2.1 Policy Language – First version and D2.3 Transparency and compliance checking – First version.
by Piero Bonatti