Legislative Compliance Assessment: Framework, Model and GDPR Instantiation

  • Sushant Agarwal
  • Simon Steyskal
  • Franjo Antunovic
  • Sabrina Kirrane
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11079)


Legislative compliance assessment tools are commonly used by companies to help them to understand their legal obligations. One of the primary limitations of existing tools is that they tend to consider each regulation in isolation. In this paper, we propose a flexible and modular compliance assessment framework that can support multiple legislations. Additionally, we describe our extension of the Open Digital Rights Language (ODRL) so that it can be used not only to represent digital rights but also legislative obligations, and discuss how the proposed model is used to develop a flexible compliance system, where changes to the obligations are automatically reflected in the compliance assessment tool. Finally, we demonstrate the effectiveness of the proposed approach through the development of a General Data Protection Regulatory model and compliance assessment tool.


Compliance GDPR ODRL 



Partially supported by the European Unions Horizon 2020 research and innovation programme under grant 731601 and the Austrian Federal Ministry of Transport, Innovation and Technology (BMVIT) DALICC. For Figs. 1, 4 and 6, icons have been taken from icons8 (


  1. 1.
    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 0031–0050 (1995).
  2. 2.
    IEEE recommended practice for software requirements specifications: Approved 25 June 1998, IEEE Std, vol. 830–1998. IEEE, New York (1998)Google Scholar
  3. 3.
    Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC. OJ L 337, 35–127 (2015).
  4. 4.
    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119, 1–88 (2016).
  5. 5.
    Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications). COM (2017) 2017/03 (COD) (2017)Google Scholar
  6. 6.
    Arora, C., Sabetzadeh, M., Briand, L.C., Zimmer, F.: Requirement boilerplates: transition from manually-enforced to automatically-verifiable natural language patterns. In: 2014 IEEE 4th International Workshop on Requirements Patterns (RePa), pp. 1–8. IEEE (2014)Google Scholar
  7. 7.
    Barth, A., Datta, A., Mitchell, J.C., Nissenbaum, H.: Privacy and contextual integrity: framework and applications. In: 2006 IEEE Symposium on Security and Privacy, p. 15. IEEE (2006)Google Scholar
  8. 8.
    Biasiotti, M., Francesconi, E., Palmirani, M., Sartor, G., Vitali, F.: Legal informatics and management of legislative documents. In: Global Center for ICT in Parliament Working Paper 2 (2008)Google Scholar
  9. 9.
    Boella, G., Humphreys, L., Muthuri, R., Rossi, P., van der Torre, L.: A critical analysis of legal requirements engineering from the perspective of legal practice. In: 2014 IEEE 7th International Workshop on Requirements Engineering and Law (RELAW), pp. 14–21. IEEE (2014)Google Scholar
  10. 10.
    Breaux, T.D., Vail, M.W., Anton, A.I.: Towards regulatory compliance: extracting rights and obligations to align requirements with regulations. In: 14th IEEE International Requirements Engineering Conference (RE 2006), pp. 49–58 (2006)Google Scholar
  11. 11.
    Breaux, T.D.: Legal requirements acquisition for the specification of legally compliant information systems. North Carolina State University (2009).
  12. 12.
    Cranor, L.F.: P3P: making privacy policies more useful. IEEE Secur. Priv. 99(6), 50–55 (2003)CrossRefGoogle Scholar
  13. 13.
    Génova, G., Fuentes, J.M., Llorens, J., Hurtado, O., Moreno, V.: A framework to measure and improve the quality of textual requirements. Requir. Eng. 18(1), 25–41 (2013)CrossRefGoogle Scholar
  14. 14.
    Ghanavati, S., Amyot, D., Peyton, L.: Towards a framework for tracking legal compliance in healthcare. In: Krogstie, J., Opdahl, A., Sindre, G. (eds.) CAiSE 2007. LNCS, vol. 4495, pp. 218–232. Springer, Heidelberg (2007). Scholar
  15. 15.
    Grimm, R., Rossnagel, A.: P3P and the privacy legislation in Germany: can P3P help to protect privacy worldwide? In: Proceedings of the ACM Multimedia, November 2000Google Scholar
  16. 16.
    Holzmann, G.J.: Design and validation of protocols: a tutorial. Comput. Netw. ISDN Syst. 25(9), 981–1017 (1993)CrossRefGoogle Scholar
  17. 17.
    Hull, E., Jackson, K., Dick, J.: Requirements Engineering. Practitioner Series, 2nd edn. Springer, London (2005). Scholar
  18. 18.
    Information Commissioner’s Office (ICO) UK: Getting ready for the GDPR (2017).
  19. 19.
    Kamsties, E., Berry, D.M., Paech, B.: Detecting ambiguities in requirements documents using inspections. In: Proceedings of the First Workshop on Inspection in Software Engineering (WISE01), pp. 68–80. Citeseer (2001)Google Scholar
  20. 20.
    Kiyavitskaya, N., Krausová, A., Zannone, N.: Why eliciting and managing legal requirements is hard. In: 2008 Requirements Engineering and Law, RELAW 2008, pp. 26–30. IEEE (2008)Google Scholar
  21. 21.
    Kiyavitskaya, N., et al.: Automating the extraction of rights and obligations for regulatory compliance. In: Li, Q., Spaccapietra, S., Yu, E., Olivé, A. (eds.) ER 2008. LNCS, vol. 5231, pp. 154–168. Springer, Heidelberg (2008). Scholar
  22. 22.
    Korba, L., Kenny, S.: Towards meeting the privacy challenge: adapting DRM. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 118–136. Springer, Heidelberg (2003). Scholar
  23. 23.
    Massacci, F., Prest, M., Zannone, N.: Using a security requirements engineering methodology in practice: the compliance with the Italian data protection legislation. Comput. Stand. Interfaces 27(5), 445–455 (2005)CrossRefGoogle Scholar
  24. 24.
    Mavin, A., Wilkinson, P., Harwood, A., Novak, M.: Easy approach to requirements syntax (EARS). In: 17th IEEE International Requirements Engineering Conference, pp. 317–322. IEEE (2009)Google Scholar
  25. 25.
    May, M.J., Gunter, C.A., Lee, I.: Privacy APIs: access control techniques to analyze and verify legal privacy policies. In: 19th IEEE Computer Security Foundations Workshop, p. 13. IEEE (2006)Google Scholar
  26. 26.
    Microsoft Trust Center: Detailed GDPR Assessment (2017).
  27. 27.
    Nissenbaum, H.: Privacy as contextual integrity symposium - technology, values, and the justice system. Wash. Law Rev. 79, 119 (2004)Google Scholar
  28. 28.
    Nymity: GDPR Compliance Toolkit.
  29. 29.
    Otto, P.N., Anton, A.I.: Addressing legal requirements in requirements engineering. In: 15th IEEE International Requirements Engineering Conference (RE 2007), pp. 5–14. IEEE (2007)Google Scholar
  30. 30.
    Schwartz, A.: Looking back at P3P: lessons for the future. Center for Democracy & Technology (2009).
  31. 31.
    Agarwal, S., Kirrane, S., Scharf, J.: Modelling the general data protection regulation. In: 20. Internationales Rechtsinformatik Symposion (IRIS) 2017, 23–25 Feb 2017, Salzburg (2017)Google Scholar
  32. 32.
    Toval, A., Olmos, A., Piattini, M.: Legal requirements reuse: a critical success factor for requirements quality and personal data protection. In: Proceedings IEEE Joint International Conference on Requirements Engineering, pp. 95–103. IEEE (2002)Google Scholar
  33. 33.
    van Lamsweerde, A.: Requirements Engineering: From System Goals to UML Models to Software Specifications, vol. 10. Wiley, Chichester and Hoboken (2009)Google Scholar
  34. 34.
    W3C ODRL Community Group: ODRL Information Model 2.2 (2018).

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Vienna University of Economics and BusinessViennaAustria

Personalised recommendations