OntoROPA Deliverable 2. Proposed Design Specification and Approach.

Abstract

OntoROPA deals with the automated creation and maintenance of a critical piece of legal compliance required by the GDPR—the Records of Processing Activities (ROPA). It includes the design of a knowledge graph—an RDF graph—tohandleinformationaboutROPAs,combining alegalprofessional ontology (which will be a part of this graph) with the collection and management of the specific knowledge of the community of privacy and data protection experts. The OntoROPA architecture is law and data driven. ROPAs are deemed to be the critical piece of legal compliance from a social perspective: they are the only available source of information, accessible to non- technical people (including citizens, judges, rulers, law experts, data protection users, and supervisors). Thus, this fact makes them a critical piece for GDPR legal compliance for all stakeholders—providers, controllers, supervisors, and companies. This is a market niche. Deliverable 2, OntoROPA proposed design specification and approach, is focused on a modular, distributed, and ontological approach for the design of both layers—software and data—where each module is the answer to a legal requirement. Data comply with standards for the aim of interoperability, and the design of both layers are subjected to a legal governance scheme, specifically set to harmonize an innovative design for the marketplace with the law, policy, and ethics framework. On top of that, Deliverable 2 explores the possibilities that blockchain technology offers: the use of TEE for secure processing, the use of verifiable credentials with standard certificates for identity management, and the use of oracles for accessing external services. In Deliverable 2, Section 1 introduces the main contents. Section 2 presents a solution with two main components: (1) An OWL ontology that collects the expert knowledge from the target domain (ROPA community) for supporting validation and trustworthiness; (2) and the software artifacts that process ROPAs. This section (i) introduces OntoROPA modules—identity, linked RDF ROPAs, validation, certification, proactiveness—,(ii) offers a detailed design specification (ontology and software requirements, methodology, OntoROPA flowchart) (iii) and describes the interfaces for coordination with ONTOCHAIN blocks. Section 3 deals with the impacts. It includes the business model to get into the market as a new Law-Tech Web Service. It describes its main features, the OntoROPA contribution to bridging web semantics and blockchain technologies, and it defines the creation of ONTOCHAIN legal value. Legal knowledge (legal justification) is also required by the Spanish legislation for ROPAs. OntoROPA legal governance system, the 2 middle-out and inside-out approaches aligned with EU strategies and policies, and the generation of the OntoROPA regulatory legal ecosystem, are explained in detail, including the compatibility between blockchain solutions and GDPR requirements. Section 4 copes with the implementation process, comprising ontology modularity, software modularity, and real time performance of the solution (Ontology and Software KPIs, experimental evaluation, and interoperability aspects, followed by a granular implementation plan). This is heading to an OntoROPA standardisation process. Finally, Section 5, highlights in the Conclusion some results and what is next.