The TRAPEZE Policy Framework

The General Data Protection Regulation (GDPR) introduced strong incentives for virtuous personal data processing. Consequently, companies (and data controllers in general) are looking for automated support in order to comply with the regulation.

TRAPEZE has recently released the first version of its machine-understandable usage policy language: a necessary prerequisite for automating compliance checking.  The policy language can express in a simple and uniform way the privacy policies of controllers, the consent of the data subjects, and objective parts of the GDPR.  Thus, using TRAPEZE’s compliance checker, it is possible to verify whether the controller’s operations comply with data subjects’ consent and with the formalized part of the GDPR.

The internal format of policies is the OWL 2 Web Ontology Language. The formal semantics of OWL 2 has been essential for proving with mathematical rigor that the compliance checker returns no false positives and no false negatives. Policies can also be serialized in JSON (JavaScript Object Notation), which most developers are familiar with. TRAPEZE’s dashboards translate the machine-understandable formats into a presentation accessible to all citizens.

The policy language does not inherit the complexity of full OWL 2. TRAPEZE’s specialized compliance checker is very efficient: it can execute a few thousand compliance checks per second, thereby addressing the most challenging scenarios.

Last but not least, the whole framework is “vocabulary neutral”, that is, the engine can work with different vocabularies of privacy concepts, purposes, legal bases, etc.  This feature makes the policy framework easily adaptable to new application domains (with their specific purposes and data categories) and to different regulations.  Currently, TRAPEZE is adopting the vocabularies developed by the Data Privacy Vocabularies and Controls Community Group of the W3C (https://www.w3.org/community/dpvcg/) covering the basic concepts of the GDPR, as well as purposes and personal data categories of common interest.

The technical details of the policy language and the compliance checker can be found in deliverables D2.1 “Policy Language – First version” and D2.3 “Transparency and compliance checking – First version”.

by Piero Bonatti