Standardisation, Data Interoperability, and GDPR

Harshvardhan Jitendra Pandit (Trinity College Dublin, Ireland), Christophe Debruyne (Trinity College Dublin, Ireland), Declan O'Sullivan (Trinity College Dublin, Ireland) and Dave Lewis (Trinity College Dublin, Ireland)
Copyright: © 2020 | Pages: 27
DOI: 10.4018/978-1-7998-2181-6.ch008

Abstract

The General Data Protection Regulation (GDPR) has changed the ecosystem of services involving personal data and information. It emphasises several obligations and rights, amongst which the Right to Data Portability requires providing a copy of the given personal data in a commonly used, structured, and machine-readable format – for interoperability. The GDPR thus explicitly motivates the use and adoption of data interoperability concerning information. This chapter explores the entities and their interactions in the context of the GDPR to provide an information model for the development of interoperable services. The model categorises information and exchanges and explores existing standards and efforts towards use for interoperable interactions. The chapter concludes with an argument for the use and adoption of structured metadata to enable more expressive services through semantic interoperability.

Introduction

Standards emerge when operations have consequences and an agreement is essential for co-operation between stakeholders. In today’s world, interoperability is essential for the smooth running of businesses and services that increasingly deal with data through the medium of the Internet. With the advent of the Internet as a marketplace with global outreach, online services have increasingly indulged in personalisation and targeted advertisements. To counter unchecked pervasiveness and instil the responsible use of personal data, privacy laws are enacted and updated to keep pace with ever-evolving technology. The latest of these is the European Council’s General Data Protection Regulation (‘Regulation (EU) 2016/679...’, 2016), which was adopted on 14th April 2016 and entered into force on 25th May 2018. It is a topic of global interest due to the potential for significantly high fines on the order of 20 million euros or 4% of an organisation’s global turnover – whichever is higher. Now past its first year, the GDPR continues to be a topic of development and innovation due to the extent of its requirements and the lack of technological solutions and guidance to address compliance (Good, Rubinstein, & Maslin, 2019).

The GDPR provides the data subject (an individual whose personal data is being processed) with several rights, which organisations are obliged to honour in order to be compliant. These rights require the provision of information concerning processing in a transparent manner (A12-14), covering how their personal data is or will be collected, processed, stored, and used, along with the specific purposes (A15). The Right to Data Portability (A20) enables the data subject to request a copy of the personal data provided to the Data Controller (the organisation determining the purposes of processing), or to request that it be directly moved, copied, or transferred to another Data Controller. This data is required to be provided in a commonly used, machine-readable, and interoperable format. Thus, the GDPR explicitly mentions and uses interoperability as a means to ensure a common understanding of data between different Data Controllers, through which it provides the data subject with the freedom to reuse their personal data.

Along with regulating how personal data is used and shared through various processes, the GDPR also provides guidelines, requirements, and obligations on how information is shared or communicated between various entities. For example, when a Data Controller shares data with a Data Processor (an organisation performing processing on behalf of a Data Controller), the Data Processor is required to limit its processing to the explicit instructions provided by the Controller. These instructions must be maintained by the Processor for verifying compliance and ensuring accountability, as well as to clarify the legal responsibilities of each party. Within this arrangement, the Data Processor cannot determine the purpose of the processing, but it can share the data with another Data Processor (a Sub-Data Processor) to carry out the processing on its behalf. In such a case, the Data Processor will share the instructions with the Sub-Data Processor, who will, upon completion, notify the Data Processor. The Data Processor will, in turn, notify the Data Controller – thereby establishing a chain in which information flows between entities and establishes points of interaction.

While there is no legal requirement for maintaining and using data in a structured and interoperable form, doing so has several benefits for the post-GDPR ecosystem. For Data Subjects and Data Controllers, (semantic) interoperability provides consistency in terms of the understandability of personal data across organisations. For Data Controllers and Data Processors, interoperability enables seamless operations through common mechanisms that also act towards maintaining and demonstrating legal compliance. For Regulatory and Supervisory Authorities, interoperability provides a uniform entry point when conducting investigations into processing operations, and specifically in the case where information flows involve multiple organisations.

In this chapter, we explore these issues of standardisation and data interoperability shaped by the requirements of GDPR and its compliance.
