Posted on 2025-05-01, 00:00, authored by Filippo Vannutelli
Data is everywhere and is produced daily in huge quantities.
Not surprisingly, data spreads at the same pace as the links between data and individuals. Companies are increasingly interested in collecting as much personal data as possible, and serious concerns about data privacy arise.
All over the world, governments are facing the issue of protecting citizens from those who collect and process their personal data; in recent years, a number of privacy regulations have been enacted in Europe and the US. The enactment of privacy laws has created a need for compliance processes, which still rely on manual effort and are therefore costly, resource-intensive and possibly incomplete in coverage. The demand for automated tools is keenly felt and widespread among privacy champions.
In this work we focus on the General Data Protection Regulation (GDPR), a unique, general and comprehensive guideline for every privacy-related matter.
First, we carried out a dependency analysis of the GDPR clauses that reference other articles or paragraphs.
The purpose of the analysis is to check, with a computer scientist's rather than a jurist's approach, whether cyclic dependencies occur.
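The cyclic-dependency check described above, as an added illustration rather than the author's own code or data: the clause identifiers and the references between them are constructed for the example (they are not the GDPR's actual cross-reference structure), and a depth-first search over the resulting graph reports the cycles it finds.

```python
from collections import defaultdict, deque

# Constructed sample: hypothetical clause identifiers, each mapped to the
# clauses it references. Not the GDPR's real cross-reference structure.
SAMPLE_REFERENCES = {
    "Art.A(1)": ["Art.B", "Art.C(2)"],
    "Art.B": ["Art.D"],
    "Art.C(2)": ["Art.A(1)"],   # closes the cycle A(1) -> C(2) -> A(1)
    "Art.D": [],                # a leaf clause with no outgoing references
    "Art.E": ["Art.E"],         # self-reference: a one-clause cycle
}

WHITE, GREY, BLACK = 0, 1, 2    # DFS colours: unvisited / on stack / done


def _build_graph(references):
    """Adjacency list that also knows clauses that are only referenced."""
    graph = defaultdict(list, {k: list(v) for k, v in references.items()})
    for targets in list(graph.values()):
        for t in targets:
            graph.setdefault(t, [])
    return graph


def find_cycles(references):
    """Return the cycles reached by DFS back edges, each as a closed path.
    A back edge to a GREY node means the current DFS path loops on itself."""
    graph = _build_graph(references)
    colour = {node: WHITE for node in graph}
    path, cycles = [], []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for nxt in graph[node]:
            if colour[nxt] == GREY:          # back edge: cycle found
                cycles.append(path[path.index(nxt):] + [nxt])
            elif colour[nxt] == WHITE:
                visit(nxt)
        path.pop()
        colour[node] = BLACK

    for node in sorted(colour):              # sorted for a stable order
        if colour[node] == WHITE:
            visit(node)
    return cycles


def has_cyclic_dependency(references):
    return bool(find_cycles(references))


def transitive_references(references, clause):
    """Every clause reachable from `clause`; it lists itself only if it
    lies on a cycle, which is exactly the situation the analysis flags."""
    graph, seen, queue = _build_graph(references), set(), deque([clause])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)
```

Clauses that are referenced but have no entry of their own are added as leaves, so a dangling reference does not crash the traversal.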
Toward automating compliance monitoring, we translate the legal text of privacy clauses into a machine-readable language.
We have exploited the results of the dependency analysis to improve a user-friendly language that seeks a compromise between the extraordinary expressiveness of natural language and the limitations imposed by a formal language.
Then, we enforce the translated privacy policies through a specific software framework.
The core component of this framework is a static analyzer that checks the compliance of data analysis programs with formal privacy specifications.
We modified the static analyzer to accept the formal specifications resulting from the translation, and we adapted it to the specific needs of a Data Protection Officer.
We set ourselves the ambitious goal of creating a realistic scenario: formalizing the significant clauses of the GDPR and using the analyzer to check the compliance of real open-source applications.
The tests we ran gave satisfactory results, in terms of both functionality and readability.