An Exploration of Data Interoperability for GDPR

Harshvardhan J. Pandit (ADAPT Centre, Trinity College Dublin, Dublin, Ireland), Christophe Debruyne (ADAPT Centre, Trinity College Dublin, Dublin, Ireland), Declan O'Sullivan (ADAPT Centre, Trinity College Dublin, Dublin, Ireland) and Dave Lewis (ADAPT Centre, Trinity College Dublin, Dublin, Ireland)
Copyright: © 2018 | Pages: 21
DOI: 10.4018/IJSR.2018010101

Abstract

The General Data Protection Regulation (GDPR) specifies obligations that shape the way information is collected, shared, provided, or communicated, and gives data subjects the right to receive a copy of their personal data in an interoperable format. The sharing of information between entities affected by GDPR provides a strong motivation towards the adoption of an interoperable model for the exchange of information and demonstration of compliance. This article explores such an interoperability model through the entities identified by the GDPR, their information flows, and the relevant obligations. The model categorises the information exchanged between entities and presents a discussion of its representation using existing standards. An investigation of data provided under the Right to Data Portability explores interoperability in a real-world use-case. The findings demonstrate how the use of common data formats hampers the usability of the data due to a lack of context. The article discusses the adoption of contextual metadata, using a semantic model of interoperability, to remedy these identified shortcomings.
Article Preview

Introduction

Businesses are increasingly using personal data to provide services, especially online, in various forms such as personalisation of provided services and targeted advertisements. Such services need to adhere to data protection laws governing the collection and subsequent usage and sharing of personal data. Previously, the Data Protection Directive, or DPD (DPD, 1995), regulated the processing of personal data in the European Union. This has been superseded by the General Data Protection Regulation (GDPR, 2016), abbreviated as GDPR, which is the new European data protection legislation that entered into force on 25th May 2018. Non-compliance with its obligations carries a fine of up to €20 million or 4% of a company's global annual turnover of the previous financial year, whichever is higher, depending on the nature of the offence (Article 83). This makes GDPR an important piece of legislation in terms of the changes to organisational measures required for compliance. In particular, GDPR focuses on the use of consent and personal data as the basis of operations and provides the data subject with several rights. These changes have spurred innovation within the community in approaches that target compliance with the various obligations of the GDPR.

Along with constraining how personal data is used and shared through various processes, the GDPR also makes statements about the way information is shared or communicated between various entities. GDPR provides seven key principles (Article 5) that guide the processing of personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. While these principles are similar to those within the DPD, GDPR gives them a larger role in compliance. These principles set out how each data controller should process the personal data of clients or data subjects and form the guideline for the duties and obligations that entities must comply with. For example, a Data Processor under the GDPR is an entity that can only act on the data under the instructions it receives from a Data Controller or another Data Processor (making it a sub-Processor). Therefore, a Data Processor cannot decide the purpose of the data it receives and must adhere to the instructions it receives from the Data Controller or Data Processor that provides the data. Assuming this providing entity is a Data Controller, the agreement with the Data Processor is expected to state these responsibilities explicitly, so that both the Data Processor and the Data Controller can verify or audit the accountability of this agreement with respect to the obligations set out by the GDPR.

The GDPR provides several rights to data subjects, and adherence to them is mandatory for organisations. The Right to Inform (Articles 12-14) and Right to Access (Articles 12, 15) provide the Data Subject the right to be informed regarding how their personal data is or will be collected, processed, stored, and used, along with the specific purposes. The Right to Data Portability (Articles 12, 20) enables the Data Subject to receive a copy of the personal data they have provided to the Data Controller. It also allows the Data Subject to request that this data be directly moved, copied, or transferred to another Data Controller. The provided data must be in a commonly used, machine-readable, and interoperable format. Exercising these rights involves an explicit interaction between the Data Controller and the Data Subject or another Data Controller, where the information exchanged is the personal data under consideration. Additionally, GDPR explicitly names interoperability as one of the mandatory properties of this data, making its adoption a necessary part of compliance.

While there is no legal requirement to structure shared data in a particular way, doing so has benefits for all entities involved. For Data Subjects, it provides consistency in terms of the understandability and interoperability of their personal data. For Data Controllers and Data Processors, it enables seamless operations through interoperable mechanisms that also serve as demonstrable compliance with required obligations. For Supervisory Authorities, the interoperability of data provides a uniform interface when conducting investigations, which is particularly helpful when tracing the flow of information across multiple entities.
