/GDPR_compliance_tool

An interoperable and scalable tool for GDPR consent management and automated compliance verification.

Primary LanguagePythonMIT LicenseMIT

GDPR Consent Management and Automated Compliance Verification Tool (or Automatic Contracting Tool)

System Architecture

updated_act-paper-2-tek

Privacy and Security

The tool's security and privacy component is implemented in Prolog by Rance DeLong from Open group and extends the Next Generation Access Control (NGAC) framework, which is a framework for attribute-based access control. The security and privacy component's source code can be accessed via the link below.

Software Requirements

Instructions

This tool's distributed nature enables the installation of different components on multiple (or the same) servers. Anyone wishing to deploy and utilize these tools should follow the deployment steps outlined below.

  • First, ensure that MongoDB and GraphDB have been installed. MongoDB is used for logging and GraphDB for storing instances of knowledge graphs. You can use the links below for more information and download

    Note: You can use a database other than GraphDB, but you might have to make the adjustment in code.

  • Deploy the OpenFaaS serverless functions that are present in core/func. Follow the steps below for the deployment of serverless functions.

    • Install faasd

           $ git clone https://github.com/openfaas/faasd --depth=1
           $ cd faasd
           $ ./hack/install.sh
    • Install OpenFaaS CLI

       $ curl -sSL https://cli.openfaas.com | sudo -E sh 
    • Deploy the serverless functions

       		$ faas-cli up -f stack.yml 
    • For further deployment and installation instructions for OpenFaaS/OpenFaaS functions or serverless functions, refer to the links below.

    • After a successful installation, you should have access to the OpenFaaS user interface (UI), where you can see your deployed functions. You can also deploy new functions using the UI. openfaasui

      deploynewfunc image

    • After setting up the databases, deploying the serverless functions, and integrating components such as service layers, you should be able to observe logging information from various operations such as consent creation flowing into the MongoDB database. image

    Note: Before the deployment of functions, do not forget to adjust the connection parameters depending on your installations.

  • Next is the deployment of the security and privacy component. Since the security and privacy component is written in Prolog, you must install all prerequisites for running Prolog programs and deploying the component. The following link should be useful for the deployment of the Prolog-based application.

    • SWI-Prolog

    • With the successful deployment of the security and privacy service (or component), you should have access to the following endpoints.

      screencapture-app-swaggerhub-apis-tog-rtd-ngac-apis-1-1-1-2023-04-27-16_27_27

    • After the security and privacy component (or service) and service layer have been successfully deployed, you should be able to interact with security and privacy components for operations such as access checks.

      image

      Figure: Access check (single) without altering the data processing operation - “Collect”

      image

      Figure: Access check (single) after altering the data processing operation - “Collect” to something different “test”

      image

      Figure: Updating security and privacy upon consent revocation

      image

      Figure: Access check for multiple data processing operations

  • Once you have deployed all other components, you can deploy the service layer component as well as the scheduler. To be able to deploy the service layer and the scheduler, you first need to install Docker. You can install Docker by following the installation instructions at the link below:

    • Docker Installation
    • After installing Docker, you can run the docker_run.sh file to deploy the service layer and the scheduler. If everything goes well, you should see the URL to access the API (application programming interface) endpoints, and you should also be able to access the Swagger UI. docker-deployment

    image

    • Upon successful deployment you should be able to perform the operations like consent creation and JWT login. image

      image image image
    • Note: In order for this to work, the cryptographic keys need to be present. You can call generate_key() function from core/security/Cryptography.py to generate the necessary keys, which are currently disabled, i.e., no call is made to generate_key().

  • Please read our paper, which is freely accessible at https://doi.org/10.3390/s22072763, for additional information.

Ontology

Debugging

  • Sometimes you might get dependency error. This might be due to your system configuration so ensure that there's no conflict of the libraries. dependency-error-annotated
  • For any other problems create an issue.

Performance

  • MongoDB Cluster Information

    • Tier: M0 Sandbox (General)

    • Cluster: AWS / Frankfurt (eu-central-1)

    • Type: Replica Set - 3 nodes image

      image

Contributors

  • Consortium Partners: Institute for Applied Systems Technology Bremen (ATB), Leopold-Franzens-Universität Innsbruck (UIBK), Atos Information Technology (ATOS), InfoTripla OY (INFT), The open group limited (TOG), Forum virium Helsinki OY (FVH), Volkswagen AG (VW), LexisNexis Risk Solutions (LN)
  • Developed By

Publication

If you use any code from this or https://github.com/tog-rtd/SmashHit.git repository, please cite our work.

@Article{s22072763,
AUTHOR = {Chhetri, Tek Raj and Kurteva, Anelia and DeLong, Rance J. and Hilscher, Rainer and Korte, Kai and Fensel, Anna},
TITLE = {Data Protection by Design Tool for Automated GDPR Compliance Verification Based on Semantically Modeled Informed Consent},
JOURNAL = {Sensors},
VOLUME = {22},
YEAR = {2022},
NUMBER = {7},
ARTICLE-NUMBER = {2763},
URL = {https://www.mdpi.com/1424-8220/22/7/2763},
ISSN = {1424-8220},
ABSTRACT = {The enforcement of the GDPR in May 2018 has led to a paradigm shift in data protection. Organizations face significant challenges, such as demonstrating compliance (or auditability) and automated compliance verification due to the complex and dynamic nature of consent, as well as the scale at which compliance verification must be performed. Furthermore, the GDPR’s promotion of data protection by design and industrial interoperability requirements has created new technical challenges, as they require significant changes in the design and implementation of systems that handle personal data. We present a scalable data protection by design tool for automated compliance verification and auditability based on informed consent that is modeled with a knowledge graph. Automated compliance verification is made possible by implementing a regulation-to-code process that translates GDPR regulations into well-defined technical and organizational measures and, ultimately, software code. We demonstrate the effectiveness of the tool in the insurance and smart cities domains. We highlight ways in which our tool can be adapted to other domains.},
DOI = {10.3390/s22072763}
}

Consent JSON Schema

{
  "Agents": [
    {
      "id": "string",
      "role": "string"
    }
  ],
  "DataProcessing": [
    "string"
  ],
  "GrantedAtTime": "2023-04-28T10:58:29.150Z",
  "Medium": "string",
  "Purpose": "string",
  "Resource": {
    "additionalProp1": [
      {
        "data": [
          "string"
        ]
      }
    ],
    "additionalProp2": [
      {
        "data": [
          "string"
        ]
      }
    ],
    "additionalProp3": [
      {
        "data": [
          "string"
        ]
      }
    ]
  },
  "city": "string",
  "consentid": "string",
  "country": "string",
  "dataprovider": "string",
  "expirationTime": "2023-04-28T10:58:29.150Z",
  "state": "string"
} 

Project

Note: In smashHit documents, this tool is referred to as Automatic Contracting Tool (ACT).

License

MIT