This document describes the SPECIAL project, which aims to develop a scalable policy-aware linked data architecture to support privacy, transparency and compliance with the General Data Protection Regulation (GDPR). The architecture will include components for policy management, transparency and compliance, using a linked data approach. It will integrate existing technologies like the Big Data Europe platform, PrimeLife policy languages, and compression/encryption. The system will allow users to control personal data policies, companies to demonstrate compliance, and regulators to check compliance through semantified policies linked to data and analytics. Adversarial testing and input from other projects will help evaluate and strengthen the system.

1. Scalable
Policy-­‐awarE Linked
Data
arChitecture for
prIvacy,
trAnsparency and
compLiance
H2020-­‐ICT-­‐2016-­‐1
Big
Data
PPP:
privacy-­‐preserving
Big
Data
technologies
(ICT-­‐18-­‐2016)
call

2. Technological
problem
-­‐ General
Data
Protection
Regulation
supporting
consent
and
transparency
2013 2014 2015 2016 2017 2018
Draft
of
the
regulation
7/22/2012
Revisions
in
the
draft
3/12/2013
Discussions
in
the
EU
Council
5/19/2014
EU
Council
finalises
the
chapters
8/6/2015
Trilogue
starts
6/24/2015
Trilogue
agrees
12/17/2015
Comes
into
force
5/15/2018

3. Companies whose business models rely on personal data
Data subjects who would like to declare, monitor and optionally
revoke their (often not explicit) preferences on data sharing
Regulators who can leverage technical means to check
compliance with the GDPR
2013 2014 2015 2016 2017 2018
Draft
of
the
regulation
7/22/2012
Revisions
in
the
draft
3/12/2013
Discussions
in
the
EU
Council
5/19/2014
EU
Council
finalises
the
chapters
8/6/2015
Trilogue
starts
6/24/2015
Trilogue
agrees
12/17/2015
Comes
into
force
5/15/2018
Technological
problem
-­‐ General
Data
Protection
Regulation
supporting
consent
and
transparency

4. Data$&$Data$
Driven$
Services
Regulators
Companies/
Service4
Providers
Customers/
Service4Users
Privacy4
Preferences
Legal
Policies
Contracts/
Terms4of4use
Technological
problem
-­‐ General
Data
Protection
Regulation
supporting
consent
and
transparency

5. • Policy
management
framework
vGives
users
control
of
their
personal
data
vRepresents
access/usage
policies
and
legislative
requirements
in
a
machine
readable
format
• Transparency
and
compliance
framework
vProvides
information
on
how
data
is
processed and with
whom
it
is
shared
vAllows
data
subjects
to
take
corrective
action
• Scalable
policy-­‐aware
Linked
Data
architecture
vBuild
on
top
of
the Big
Data
Europe
(BDE)
platform
scalability
and
elasticity
mechanisms
vExtended
BDE
with
robust
policy,
transparency
and
compliance
protocols
Technological
problem
-­‐ General
Data
Protection
Regulation
supporting
consent
and
transparency

6. Software
components
-­‐ Foundations
• Big
Data
Europe
scalability
and
elasticity
• PrimeLife policy
languages,
access
control
policies,
release
policies
and
data
handling
policies
Payload'Data
Permissions
Semantification
Policy'ingestion
Compression'&'Encryption
Persisting'policies'with''data:
“Sticky”'Policies
Policy>aware'Querrying:
Data'Subsets/Filtering'
Policies
HDT
SPECIAL
APIs
User'Control
Dashboards

7. Software
components
-­‐ Foundations
• SPECIAL
uses
the
Linked
Data
paradigm
• All
data
items
are
identified
by
globally
unique
identifiers
(i.e.
Internationalised Resource
Identifiers
(IRI’s))
• By
using
HyperText Transfer
Protocol
(HTTP)
IRI’s
everything
is
potentially
linkable
Payload'Data
Permissions
Semantification
Policy'ingestion
Compression'&'Encryption
Persisting'policies'with''data:
“Sticky”'Policies
Policy>aware'Querrying:
Data'Subsets/Filtering'
Policies
HDT
SPECIAL
APIs
User'Control
Dashboards

8. Payload'Data
Permissions
Semantification
Policy'ingestion
Compression'&'Encryption
Persisting'policies'with''data:
“Sticky”'Policies
Policy>aware'Querrying:
Data'Subsets/Filtering'
Policies
HDT
SPECIAL
APIs
User'Control
Dashboards
• IRI’s
allow
SPECIAL
to
make
semantic
assertions
(access/usage
constraints)
on
the
data
items
using
Linked
Data
annotations
• Legacy
systems
can
be
integrated
via
transformation
middleware
Software
components
-­‐ Semantification

9. Software
components
-­‐ Policy
Ingestion
• Record
context information
and
access/usage constraints
• Handle
a
broad
variety
of
sources
and
formats
• Take
a
privacy-­‐by-­‐design approach
and
allows
for
conscious
decisions
about
data
collection
and
data
(re)use
Payload'Data
Permissions
Semantification
Policy'ingestion
Compression'&'Encryption
Persisting'policies'with''data:
“Sticky”'Policies
Policy>aware'Querrying:
Data'Subsets/Filtering'
Policies
HDT
SPECIAL
APIs
User'Control
Dashboards

10. Software
components
-­‐ Compression
&
Encryption
• When
sharing
data
or
query
results
information
is
securely
stored
and
exchanged
• Enable
efficient
queryable encryption
based
on
compressed RDF
data
Payload'Data
Permissions
Semantification
Policy'ingestion
Compression'&'Encryption
Persisting'policies'with''data:
“Sticky”'Policies
Policy>aware'Querrying:
Data'Subsets/Filtering'
Policies
HDT
SPECIAL
APIs
User'Control
Dashboards

11. Software
components
-­‐ Sticky
Policies
• Data
sharing
can
be
done
along
data
value
chains
in
a
way
that
includes
the
policy
information
• Gluing
policy
information
to
the
payload
data
persistently,
even
across
company
borders,
is
called
“sticky
policies”
vData
protection
constraints
vOther
limitations and
obligations
Payload'Data
Permissions
Semantification
Policy'ingestion
Compression'&'Encryption
Persisting'policies'with''data:
“Sticky”'Policies
Policy>aware'Querrying:
Data'Subsets/Filtering'
Policies
HDT
SPECIAL
APIs
User'Control
Dashboards

12. Software
components
-­‐ Policy-­‐aware
Querying
• Categorise and
subdivide
data
through
annotations
into
sensitivity
categories/levels
or
based
on
fine-­‐grained
user-­‐policies
• Policy
aware
aggregation and
anonymisation techniques
• Recording
of
the
sharing
event
in
a
manner
that
supports
non-­‐
repudiation
Payload'Data
Permissions
Semantification
Policy'ingestion
Compression'&'Encryption
Persisting'policies'with''data:
“Sticky”'Policies
Policy>aware'Querrying:
Data'Subsets/Filtering'
Policies
HDT
SPECIAL
APIs
User'Control
Dashboards

13. Software
components
-­‐ User
Control
• Interactive
Dashboard
vDisplay
highly
relevant
information
to
the
user
based
on
context
vMap
what
the
users
sees
to
their
entire
Linked
Data
graph
vInvestigate
how
semantified data
can
cater
for
better
informed
consent
• Relieve
the
burden
of
policy
management
via
Templates
• Support
versioning,
revocation,
and
forgetting functionality
Payload'Data
Permissions
Semantification
Policy'ingestion
Compression'&'Encryption
Persisting'policies'with''data:
“Sticky”'Policies
Policy>aware'Querrying:
Data'Subsets/Filtering'
Policies
HDT
SPECIAL
APIs
User'Control
Dashboards

14. Adversaries
&
Additional
input
• Challenges
vProvide
synthesised
linked
graph
data
(linked
to
existing
open
data
sets)
and
challenge
users
to
reconstruct
those
encrypted
graphs
vDevelop
simulated
synthesised
policies
and
datasets
and
derive
challenges
to
retrieve
and re-­‐construct
unauthorised
information from
our
system
• Workshops
vDiscuss
limitations
and
possible
additional
challenges
vDerive
challenges
that
can
not
be
tested
automatically e.g.
policies
that
cannot
be
enforced
by
automated
means
need
to
be
protected
by
(legal)
contracts
• Additional
Input
vICT-­‐18-­‐2016
and
ICT-­‐14-­‐2016
projects
vPrivacy
&
Us
(Privacy
&
Usability)
https://privacyus.eu/,
Data
markets
Austria
https://datamarket.at/,
etc…
vW3C
standardisation activities

15. Technical/Scientific
contact
Sabrina
Kirrane
Vienna
University
of
Economics
and
Business
sabrina.kirrane@wu.ac.at
Scalable
Policy-­‐awarE Linked
Data
arChitecture for
prIvacy,
trAnsparency and
compLiance
Adminsitrative contact
Philippe
Rohou
ERCIM
W3C
philippe.rohou@ercim.eu