A Common Semantic Model of the GDPR Register of Processing Activities
This work addresses GDPR compliance challenges for organizations by standardizing ROPA data models, though it is incremental as it builds on existing vocabularies.
The authors tackled the problem of inconsistent Register of Processing Activities (ROPA) templates across EU jurisdictions by proposing a flexible, consolidated data model (CSM-ROPA), and found that the existing Data Privacy Vocabulary (DPV) lacks direct support for ROPAs, requiring additional concept definitions.
The creation and maintenance of a Register of Processing Activities (ROPA) is an essential process for the demonstration of GDPR compliance. We analyse ROPA templates from six EU Data Protection Regulators and show that template scope and granularity vary widely between jurisdictions. We then propose a flexible, consolidated data model for consistent processing of ROPAs (CSM-ROPA). We analyse the extent that the Data Privacy Vocabulary (DPV) can be used to express CSM-ROPA. We find that it does not directly address modelling ROPAs, and so needs additional concept definitions. We provide a mapping of our CSM-ROPA to an extension of the Data Privacy Vocabulary.