© Copyright 2017 TopQuadrant Inc. Slide 1
Semantic Data Governance for Regulatory Compliance
Ralph Hodgson, CTO and co-founder of TopQuadrant Inc.
September 12, 2017
SEMANTiCS 2017
Theater de Meervaart
Meer en Vaart 300
1068 LE Amsterdam, Netherlands
v2
Slide 2
Semantic Data Governance for Regulatory Compliance
• Introductions
• RECO – Regulatory Compliance Ontology
• GDPR – and a GDPR Ontology
• TopBraid EDG Asset Governance and Lineage Ontologies
  – How TopBraid EDG addresses the hard problems in GDPR?
• Demo
• Concluding Remarks
• Q&A
! 20 minutes ? on …
Slide 3
TOPQUADRANT COMPANY
FOUNDATION
• TopQuadrant was founded in 2001
• Strong commitment to standards-based approaches to data semantics
MISSION
• Empower people and drive results — by making enterprise information meaningful
FOCUS
• Provide comprehensive data governance solutions
Slide 5
What problems are we addressing?
TopBraid EDG’s Knowledge Engine answers compliance questions
Who are my data partners?
What data do I share with them?
What countries are they in?
Do I have data regulation assets in my system for those countries?
What 3rd country jurisdictions have regulatory authority for what data and/or what data processing?
Regulatory Compliance
Enterprise Governance
GDPR Compliance
Slide 6
TopBraid EDG Knowledge Base
… Helps understand how enterprise contexts for…
• Data Assets
• Software and systems
• Processing locations
• Third party processors
… relate to compliance
• responsibilities
• obligations
• actions needed
Slide 7
TopBraid EDG is based on Semantic Standards
RDF
SPARQL
OWL
RDFS
Statements: Saying things
Vocabulary: Shared terms we can use
Classification: What is this thing?
Query: What did you say?
OWL SHACL
Rules: Is that term used correctly?
What do you need to know?
You can't say that here!
*W3C = World Wide Web Consortium led by Tim Berners-Lee
Slide 8
RECO - Regulatory Compliance Ontology
• An ontology for:
  – obligations,
  – permissions,
  – prohibitions,
  – violations and
  – waivers
reco:Norm
reco:Prescription
reco:Obligation
reco:DataObligation
reco:DataDisclosureObligation
Slide 9
Semantic Models for Compliance: Processing EUR-Lex – 32014R0600 into TopBraid
From Text:
To Triples:
To RECO Ontology of Obligations, Permissions and Prohibitions
Ref: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0600&from=NL
Slide 10
General Data Protection Regulations (GDPR) as an example and demo
Mandate: Protect Personally Identifiable Information (PII)
• 7 guiding principles and 83 pages of regulations govern the protection of personal data.
• Generally applies to all personal data of EU residents or handled by EU companies.
• Protection “by design” requires systems for compliance, verification, audit, and notification
• Full compliance required by May 25, 2018
Slide 11
GDPR is Complex
GDPR is not just about data-at-rest.
It’s about:
• What processing is involved: transformations and software systems
• Jurisdictions concerning where data, software and processing are hosted
• How data flows through systems, jurisdictions and partner relationships
• And how requirements that need to be met change situationally
Slide 12
GDPR - What do we need to talk about?
Regulated Data Actions
Regulatory Obligations
Transport Outside EU
Consent Request
Consent Review
Consent Withdrawal
Data Erasure
Consent Preservation
Adaptation
Alignment
Storage
Archiving
Backup
Alteration
Collection
Combination
Hosting
Disclosure By Transmission
Processing
Recording
Consent in Plain Language
72 Hour Notification
Slide 13
First we need a Graph Representation of GDPR
A Publication Ontology helps and the semantics:
• provide a common language of meaning
• reveal dependencies
• bridge domains of discourse for insight
• define “line-of-sights” for decision support
• place GDPR into a structured framework
Things
Relationships
Slide 14
Using TopBraid EDG we express GDPR using a Regulatory Compliance Ontology (RECO)
Regulatory Compliance Graph
Regulation
Regulatory
Things
Relationships
Slide 15
Now we can relate PII to concepts in GDPR
GDPR Regulation
GDPR Regulated Data Activities
Collection
Storage
Hosting
Transformation
GDPR Regulated Roles
Data Controller
Data Subject
Data Protection Officer (DPO)
Personally Identifiable Information (PII)
Country Data Regulations ?
Pacific Data Regulations ?
Slide 16
Next we need ontologies of Data, Technical and Enterprise Assets, and Governance
Data, Technical and Enterprise Knowledge Graphs
Governance
Things
Relationships
Personally Identifiable Information (PII)
Slide 17
We can then make the connections across these domains for compliance analysis
Discovering the path between personal data …
… and specific GDPR obligations
Slide 18
GDPR needs support for “Situated Processes”
GDPR Compliance Graph
A Process “in Context”
GDPR
Things
Relationships
Slide 19
GDPR Regulation in TopBraid EDG
Slide 20
The Power of TopBraid EDG …
… is in bringing this all together into a connected knowledge base that can be queried for insights, reports and decision support
General Regulatory Compliance + Enterprise Governance + GDPR Compliance
Slide 21
GDPR Demo Example: “Transmission Outside EU”
Regulatory Obligation
Data Elements (PII)
Process-In-Context (SituatedProcess)
GDPR Paragraph
1 2 3 4
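The path discovery described on slides 17 and 21, sketched as an added example; it is not TopQuadrant's code and does not use the TopBraid EDG API. Only the `reco:` class names come from the slides. Their subclass chain, every `ex:` resource and every `ex:` property are assumptions made for the illustration.

```python
from collections import deque

# Constructed sample knowledge graph as (subject, predicate, object) triples.
# Only the reco: class names appear on the slides; the subclass chain between
# them is assumed, and every ex: name is hypothetical.
TRIPLES = [
    ("reco:Prescription", "rdfs:subClassOf", "reco:Norm"),
    ("reco:Obligation", "rdfs:subClassOf", "reco:Prescription"),
    ("reco:DataObligation", "rdfs:subClassOf", "reco:Obligation"),
    ("reco:DataDisclosureObligation", "rdfs:subClassOf", "reco:DataObligation"),
    # A PII data element used by a process that transmits data outside the EU.
    ("ex:CustomerEmail", "rdf:type", "ex:PIIDataElement"),
    ("ex:CustomerEmail", "ex:usedBy", "ex:MarketingExport"),
    ("ex:MarketingExport", "rdf:type", "ex:SituatedProcess"),
    ("ex:MarketingExport", "ex:hostedIn", "ex:US"),
    ("ex:MarketingExport", "ex:performs", "ex:TransmissionOutsideEU"),
    ("ex:TransmissionOutsideEU", "ex:regulatedBy", "ex:TransferObligation"),
    ("ex:TransferObligation", "rdf:type", "reco:DataDisclosureObligation"),
    ("ex:TransferObligation", "ex:statedIn", "ex:GDPRParagraphPlaceholder"),
    # A non-personal element used by a process with no obligation attached.
    ("ex:OrderTotal", "ex:usedBy", "ex:InternalReport"),
    ("ex:InternalReport", "rdf:type", "ex:SituatedProcess"),
    ("ex:InternalReport", "ex:hostedIn", "ex:NL"),
]
SCHEMA_PREDICATES = {"rdf:type", "rdfs:subClassOf"}


def objects(subject, predicate):
    """All objects o such that (subject, predicate, o) is in the graph."""
    return [o for s, p, o in TRIPLES if s == subject and p == predicate]


def is_a(node, cls):
    """True if node is typed as cls or as any transitive subclass of cls."""
    todo, seen = objects(node, "rdf:type"), set()
    while todo:
        current = todo.pop()
        if current == cls:
            return True
        if current not in seen:
            seen.add(current)
            todo.extend(objects(current, "rdfs:subClassOf"))
    return False


def obligation_paths(start):
    """Breadth-first search from a data element to each reachable reco:Obligation."""
    found, queue, visited = [], deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if is_a(node, "reco:Obligation"):
            found.append(path)  # stop here: the obligation ends the line of sight
            continue
        for s, p, o in TRIPLES:
            if s == node and p not in SCHEMA_PREDICATES and o not in visited:
                visited.add(o)
                queue.append(path + [p, o])
    return found


def compliance_report(data_element):
    """One row per obligation: where it is stated, where processing is hosted, and why."""
    rows = []
    for path in obligation_paths(data_element):
        processes = [n for n in path[::2] if is_a(n, "ex:SituatedProcess")]
        rows.append({
            "obligation": path[-1],
            "stated_in": objects(path[-1], "ex:statedIn"),
            "jurisdictions": sorted(j for p in processes for j in objects(p, "ex:hostedIn")),
            "path": " -> ".join(path),
        })
    return rows


if __name__ == "__main__":
    for row in compliance_report("ex:CustomerEmail"):
        print(row)
```
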
Slide 22
TopBraid EDG Lineage for Compliance Reporting
Data Resources
Information Products
Inputs, Data Elements, Pipelines, Software, Outputs
Slide 23
DEMO:
TopBraid EDG Semantic Data Governance for GDPR Compliance
Slide 24
TopBraid EDG Knowledge Engine
Helps automate GDPR compliance; assessments, documentation, discovery of obligations, compliance gaps …
Machine-Process-able Standards for:
• policies, methods, procedures and workflows for performance of required actions/tasks
• informational resources language, documents, forms, templates used in workflows
• supporting systems for compliance validation & verification, change tracking, audit, etc.
… Questions?
Flexible Connections Enable:
Slide 26
To Learn More …
Contact us at info@topquadrant.com to:
• Discuss our GDPR compliance solutions
• Request a more targeted demo of TopBraid EDG
• Ask for a free EDG evaluation account
EDG Product Info:
• http://www.topquadrant.com/products/topbraid-edg/
• http://www.topquadrant.com/products/topbraid-edg-gov-packs/
Other EDG demos/webinar recordings:
• http://www.topquadrant.com/knowledgeassets/videos/#edgoverviewdemo
Webinar: Data Governance for the Connected Enterprise: TopBraid EDG in Action
• http://www.topquadrant.com/knowledge-assets/topquadrant-webinars/#TQ-EDG-metadata-mgt-webinar
Webinar: Metadata Management is Key to Data Governance Initiatives
Thank You !
Slide 27
Reference Slides
Slide 28
TopBraid EDG: Summary and Benefits for GDPR
• Core flexibility and extensibility
  Add user defined models, assets and properties as needed (model-driven)
• Models: pre-built and user defined
  Support multiple types of governance assets
• Connections:
  Can be made between any types of assets
• Flexible Connections Enable:
  – People (UI) and software (APIs/web services) to view, follow and query the connections to answer core questions, e.g. “Where did this come from?”
  – complete data governance vs. siloed data governance, i.e. “reference-ability”
Slide 29
Key Concepts: Assets
• Asset is a technical, business, or operational resource governed by an organization using TopBraid EDG.
• Asset type: Asset type is a class in an ontology (either ontologies shipped with TopBraid EDG or customized/created by the users) that formally describes attributes and relationships of an asset. An asset could have multiple types.
  – TopBraid EDG includes over 100 asset types such as Glossary Term, Requirement, ETL Script and many others.
Software Executable, Data Pipeline, Policy, Team, Database, Capability, Server, Organization, Database Table, Dataset, Report, Datatype, Business Area, Glossary Term, Obligation
Slide 30
RECO Engine Approach
1. Use ontologies to express a “finance/macroeconomics knowledge base”:
  – RECO for regulatory compliance ontology
  – QUDT for quantity kinds
  – Extend with “deep” terminology
2. Transform regulatory documents to a machine-processable model
  – Screen scraping HTML to an RDF document model
  – “Lifting” the RDF document model to a RECO representation of “Obligations”, “Prohibitions” and “Permissions”
  – Use of machine-learning techniques for auto-classification
  – Manual steps
3. Integrate with an Enterprise Data Governance platform (TopBraid EDG) for specifying lineage models:
  – Semantic relations from reporting and data policy stipulations to asset types
  – Translation (mapping) of knowledge representations to physical data specifications and transforms
Slide 31
From CELEX HTML Pages to CELEX RECO Models
Transform to Semantic XHTML
Transform to oePUB
Transform to RECO
XHTML
XHTML Ontology
SPIN Transforms
ePUB Ontology
RECO Ontology
SPIN Transforms
Semantic XML
REGULATION (EU) No 600/2014
http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1460832668231&uri=CELEX:32014R0600
Slide 32
From Document references to semantic links
CELEX 600
Directive Article
Directive Article
REGULATION (EU) No 600/2014
normative reference
normative reference
Slide 33
How a RECO Model of Regulatory Compliance helps Lineage Models
Compliance Report
Traceability to Compliance Regulation
Informs Lineage Model
RECO model of Celex 600/2014 for Article 10 Para 1
REGULATION (EU) No 600/2014
Slide 34
RECO – Illustrative Classes and Properties
~83 Classes, ~62 Properties
reco:Norm
reco:Prescription
reco:Obligation
reco:DataObligation
reco:DataDisclosureObligation
Slide 35
RECO – Regulation Classes in TopBraid Composer
Example classes from the Regulatory Compliance Ontology (RECO)
Slide 36
EUR-Lex – 32014R0600 in TopBraid EVN
Article 13 rendered in TopBraid EVN using SWP/SWA:
Paragraph 1 of article 13
Slide 37
RECO: Obligations as Prescriptions
Slide 38
GDPR Facts
7 Guiding Principles – Standard of Care
• Lawful, Fair and Transparent Processing (Article 5.1a)
• Specified, Fair and Legitimate Purposes (Article 5.1b)
• Data Minimization – Adequate, Relevant, Limited to Necessary (Article 5.1c)
• Accurate and current (Article 5.1d)
• Minimize duration of storage (Article 5.1e)
• Secure Processing (Article 5.1f)
• Accountability (Article 5.2)
Slide 39
GDPR Facts
Violations have significant consequences
• 20MM Euro or 4% of Global Turnover
• Prohibited from processing of critical data
• Reputation Exposure and/or Damage
• Interruption of critical data supply chain
• Business model at risk
Slide 40
Ends

Session 2.6 semantic data governance for regulatory compliance
