Session 2.6 semantic data governance for regulatory compliance

© Copyright 2017 TopQuadrant Inc. Slide 1
Semantic Data Governance for Regulatory Compliance
Ralph Hodgson, CTO and co-founder of TopQuadrant Inc.
September 12, 2017
SEMANTiCS 2017
Theater de Meervaart
Meer en Vaart 300
1068 LE Amsterdam, Netherlands
v2

Semantic Data Governance for Regulatory Compliance
§ Introductions
§ RECO – Regulatory Compliance Ontology
§ GDPR – and a GDPR Ontology
§ TopBraid EDG Asset Governance and Lineage Ontologies
– How TopBraid EDG addresses the hard problems in GDPR?
§ Demo
§ Concluding Remarks
§ Q&A
! 20 minutes ? on …

TOPQUADRANT COMPANY
TOPQUADRANT COMPANY
FOUNDATION
• TopQuadrant was founded in 2001
• Strong commitment to standards-based approaches to data semantics
MISSION
• Empower people and drive results — by making enterprise information
meaningful
FOCUS
• Provide comprehensive data governance solutions

Who are my data partners?
What data do I share with them?
What countries are they in?
Do I have data regulation assets in my
system for those countries?
What 3rd country jurisdictions have regulatory
authority for what data and/or what data processing?
Regulatory
Compliance
Enterprise
Governance
GDPR
Compliance
TopBraid EDG’s Knowledge Engine answers compliance questions
What problems are we addressing?

… Helps understand
How enterprise contexts for…
• Data Assets
• Software and systems
• Processing locations
• Third party processors
… relate to compliance
• responsibilities
• obligations
• actions needed
TopBraid EDG Knowledge Base

RDF
SPARQL
OWL
RDFS
Statements:
Saying things
Vocabulary:
Shared terms can
we use
Classification:
What is this thing?
Query:
What did you say?
OWL SHACL
Rules:
Is that term used correctly?
What do you need to know?
You can't say that here!
*W3C = World Wide Web Consortium led
by Tim Berners-Lee
TopBraid EDG is based on Semantic Standards

RECO - Regulatory Compliance Ontology
§ An ontology for:
–obligations,
–permissions,
–Prohibitions,
–Violations and
–Waivers
reco:Norm
reco:Prescription
reco:Obligation
reco:DataObligation
reco:DataDisclosureObligation

Semantic Models for Compliance: Processing EUR-Lex –
32014R0600 into TopBraid
From Text:
To Triples:
To RECO Ontology of Obligations, Permissions and Prohibitions
Ref: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0600&from=NL

Mandate: Protect Personally Identifiable Information (PII)
ü 7 guiding principles and 83 pages of regulations govern the protection of personal
data.
ü Generally applies to all personal data of EU residents or handled by EU companies.
ü Protection ”by design” requires systems for compliance, verification, audit, and
notification
ü Full compliance required by May 25, 2018
General Data Protection Regulations
(GDPR) as an example and demo

GDPR is Complex
GDPR is not just about data-at-rest.
It’s about:
• What processing is involved: transformations and software systems
• Jurisdictions concerning where data, software and processing are hosted
• How data flows through systems, jurisdictions and partner relationships
• And how, requirements that need to be met change situationally

Regulated
Data Actions
Regulatory
Obligations
Transport Outside EU
Consent Request
Consent Review
Consent Withdrawal
Data Erasure
Consent Preservation
Adaptation
Alignment
Storage
Archiving
Backup
Alteration
Collection
Combination
Hosting
Disclosure By Transmission
Processing
Recording
Consent in Plain Language
72 Hour Notification
GDPR - What do we need to talk about?

§ provide a common language of meaning
§ reveal dependencies
§ bridge domains of discourse for insight
§ define “line-of-sights” for decision support
§ place GDPR into a structured framework
A Publication Ontology
helps and the semantics:
First we need a Graph Representation of GDPR
Things
Relationships

Using TopBraid EDG we express GDPR using a
Regulatory Compliance Ontology (RECO)
Regulatory
Compliance
Graph
Regulation
Regulatory
Things
Relationships

Collection
GDPR Regulated
Data Activities
Data Controller
Data Subject
Data Protection Officer (DPO)
Storage
Hosting
Transformation
GDPR Regulation
GDPR Regulated
Roles
Now we can relate PII to concepts in GDPR
Personally
Identifiable
Information (PII)
Country Data Regulations ?
Pacific Data Regulations ?

Next we need ontologies of Data, Technical and
Enterprise Assets, and Governance
Data, Technical
and Enterprise
Knowledge
Graphs
Governance Things
Relationships
Personally Identifiable
Information (PII)

We can then make the connections across
these domains for compliance analysis
Discovering the path between personal data …
… and specific GDPR obligations

GDPR needs support for “Situated Processes”
GDPR
Compliance
Graph
A Process “in Context”
GDPR Things
Relationships

GDPR Regulation in TopBraid EDG

The Power of TopBraid EDG …
General
Regulatory
Compliance
… is in bringing this all together into a connected knowledge base
that can be queried for insights, reports and decision support
Enterprise
Governance
GDPR
Compliance
+
+

GDPR Demo Example: “Transmission Outside EU”
Regulatory
Obligation
Data
Elements
(PII)
Process-In-Context
(SituatedProcess)
GDPR
Paragraph
1
2
3
4

TopBraid EDG Lineage for Compliance Reporting
Data
Resources
Information
Products
Inputs Data Elements PipelinesSoftware Outputs

DEMO:
TopBraid EDG Semantic Data Governance for
GDPR Compliance

Machine-Process-able Standards for:
üpolicies, methods, procedures and workflows for
performance of required actions/tasks
üinformational resources language, documents,
forms, templates used in workflows
üsupporting systems for compliance validation &
verification, change tracking, audit, etc.
TopBraid EDG Knowledge Engine
Helps automate GDPR compliance;
assessments, documentation, discovery of obligations, compliance gaps …

… Questions?
Flexible Connections Enable:

To Learn More …
Contact us: at info@topquadrant.com to:
• Discuss our GDPR compliance solutions
• Request a more targeted demo of TopBraid EDG
• Ask for a free EDG evaluation account
EDG Product Info:
• http://www.topquadrant.com/products/topbraid-edg/
• http://www.topquadrant.com/products/topbraid-edg-gov-packs/
Other EDG demos/webinar recordings:
• http://www.topquadrant.com/knowledgeassets/videos/#edgoverviewdemo
Webinar: Data Governance for the Connected Enterprise: TopBraid EDG in Action
• http://www.topquadrant.com/knowledge-assets/topquadrant-webinars/#TQ-EDG-metadata-mgt-webinar
Webinar: Metadata Management is Key to Data Governance Initiatives
Thank You !

Reference Slides

§ Core flexibility and extensibility
Add user defined models, assets and properties as needed
(model-driven)
§ Models: pre-built and user defined
Support multiple types of governance assets
§ Connections:
Can be made between any types of assets
§ Flexible Connections Enable:
– People (UI) and software (APIs/web services) to view,
follow and query the connections to answer core
questions, e.g. “Where did this come from?”
– complete data governance vs. siloed data governance,
i.e “reference-ability”
TopBraid EDG: Summary and Benefits for GDPR

Key Concepts: Assets
§ Asset is a technical, business, or operational resource governed by an
organization using TopBraid EDG.
§ Asset type: Asset type is a class in an ontology (either ontologies shipped with
TopBraid EDG or customized/created by the users) that formally describes
attributes and relationships of an asset. An asset could have multiple types.
– TopBraid EDG includes over 100 asset types such as Glossary Term, Requirement, ETL Script and
many others.
Software Executable
Data Pipeline
Policy
Team Database
Capability
Server Organization Database Table
DatasetReport
Datatype
Business Area Glossary TermObligation

RECO Engine Approach
1. Use ontologies to express a “finance/macroeconomics knowledge base”:
uRECO for regulatory compliance ontology
uQUDT for quantity kinds
uExtend with “deep” terminology
2. Transform regulatory documents to a machine-processable model
uScreen scraping HTML to an RDF document model
u“Lifting” the RDF document model to a RECO representation of “Obligations”, “Prohibitions” and
“Permissions”
uUse of machine-learning techniques for auto-classification
uManual steps
3. Integrate with an Enterprise Data Governance platform (TopBraid EDG) for
specifying lineage models:
uSemantic relations from reporting and data policy stipulations to asset types
uTranslation (mapping) of knowledge representations to physical data specifications and
transforms

From CELEX HTML Pages
to CELEX RECO Models
Transform to
Semantic XHTML
Transform to
oePUB
Transform to
RECO
XHTML
XHTML
Ontology
SPIN
Transforms
ePUB
Ontology
RECO
Ontology
SPIN
Transforms
Semantic
XML
REGULATION
(EU) No
600/2014
http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1460832668231&uri=CELEX:32014R0600

From Document references
to semantic links
CELEX 600
Directive Article Directive Article
REGULATION
(EU) No
600/2014
normative
reference
normative
reference

How a RECO Model of Regulatory Compliance
helps Lineage Models
Compliance
Report
Traceability to Compliance Regulation
Informs Lineage Model
RECO model of Celex 600/2014 for Article 10 Para 1
REGULATION (EU) No 600/2014

RECO – Illustrative Classes and Properties
34
~83 Classes ~62 Properties
reco:Norm
reco:Prescription
reco:Obligation
reco:DataObligation
reco:DataDisclosureObligation

RECO – Regulation Classe in TopBraid Composer
35Confidential TopQuadrant, Inc. 2015
Example classes from the Regulatory Compliance Ontology (RECO)

EUR-Lex – 32014R0600 in TopBraid EVN
36Confidential TopQuadrant, Inc. 2015
Paragraph 1 of
article 13
Article 13 rendered in TopBraid EVN using SWP/SWA:

RECO: Obligations as Prescriptions

7 Guiding Principles – Standard of Care
§ Lawful, Fair and Transparent Processing …................................................................. Article 5.1a
§ Specified, Fair and Legitimate Purposes …................................................................. Article 5.1b
§ Data Minimization – Adequate , Relevant, Limited to Necessary ............................. Article 5.1c
§ Accurate and current …............................................................................................... Article 5.1d
§ Minimize duration of storage ….................................................................................. Article 5.1e
§ Secure Processing ….................................................................................................... Article 5.1f
§ Accountability ….......................................................................................................... Article 5.2
GDPR Facts

Violations have significant consequences
§ 20MM Euro or 4% of Global Turnover
§ Prohibited from processing of critical data
§ Reputation Exposure and/or Damage
§ Interruption of critical data supply chain
§ Business model at risk
GDPR Facts

Ends

Session 2.6 semantic data governance for regulatory compliance

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Session 2.6 semantic data governance for regulatory compliance

Similar to Session 2.6 semantic data governance for regulatory compliance (20)

More from semanticsconference

More from semanticsconference (20)

Recently uploaded

Recently uploaded (20)

Session 2.6 semantic data governance for regulatory compliance