Authors:
(1) Harshvardhan J. Pandit, ADAPT Centre, Dublin City University, Dublin, Ireland, and Cybersecurity and Data Protection Group, National Standards Institute, Ireland ([email protected])
(2) Jan Lindquist, Privacy and Security Group, Institute for Standards, Sweden ([email protected]);
(3) Georg P. Krog, Signatu AS, Oslo, Norway ([email protected]).
Table of Links
2 Overview of ISO/IEC TS 27560:2023
3 Comparing ISO-27560, ISO-29184, and GDPR
4 Consent Records and Receipts using DPV
6 Implementation Considerations and Future Work
6.2 Using Records and Receipts with eIDAS and EUDI Wallet
6.5 IEEE P7012 Machine-Readable Privacy Terms
A Example of Consent Record with both required and optional fields
B Example of Consent Receipt with required fields from consent record
6.3 Standard for PII Processing Record Information
Even though ISO-27560 only focuses on consent records and receipts, its fields were developed with the intention of a future expansion in a separate standard to cover other legal bases, such as the 7 other legal basis in GDPR Article 6. To continue in this direction, we have initiated a ‘new standard’ proposal in ISO regarding ‘PII processing record information’.
To support this activity, we are currently identifying the specific requirements for record keeping for each legal basis and creating the necessary specifications using DPV. This builds on prior work providing a machine-readable Records of Processing Activities (ROPA) required under GDPR Article 30, and which consolidates the guidelines from all 30 EU/EEA member states.
6.4 Technical Considerations in Managing Records and Receipts
We can use the Data Catalog Vocabulary[13] (DCAT), a W3C standard, to represent the records as datasets and receipts as a catalogue of records. By doing so, the metadata fields provided by DCAT can be readily used to represent information that supports in maintenance and exchange of consent records and receipts, including using existing infrastructure to manage them. DCAT is a widely used standard that supports implementing (open) data portals and has tooling for discovery and management of information. The EU has developed the DCAT Application Profile[14] (DCAT-AP) which extends DCAT to support the EU Open Data Portals[15].
Through these records and receipts can be readily communicated as interoperable datasets between relevant entities - for example controller to data subject, or between controllers and third parties. This is a crucial technical enabler for the principle of increasing data value through utilisation within the Data Governance Act and Data Spaces. In particular, the use of DCAT(-AP) also supports the addition of further policies and measures to support the implementation of data intermediaries which will be required to maintain consent records under the obligations of the DGA.
6.5 IEEE P7012 Machine-Readable Privacy Terms
In addition to the above, we are also working with the IEEE P7012 group to develop a standard for machine-readable privacy terms which uses ISO-27560 and ISO-29184 with DPV to define the conditions under which the individual allows use or reuse of their personal data. The use of this standard will provide an efficient and optimal mechanism for data subjects to signal their consent or initiate an agreement with a service provider.
This paper is available on arxiv under CC BY 4.0 DEED license.
[13] DCAT - Version 3 https://www.w3.org/TR/vocab-dcat-3/
[14] DCAT Application profile for data portals in Europe (DCAT-AP) https://op.europa.eu/en/web/eu-vocabularies/dcat-ap