Fast Compliance Checking with General Vocabularies

2020·Arxiv

Abstract

Abstract

We address the problem of complying with the GDPR while processing and transferring personal data on the web. For this purpose we introduce an extensible profile of OWL2 for representing data protection policies. With this language, a company’s data usage policy can be checked for compliance with data subjects’ consent and with a formalized fragment of the GDPR by means of subsumption queries. The outer structure of the policies is restricted in order to make compliance checking highly scalable, as required when processing high-frequency data streams or large data volumes. However, the vocabularies for specifying policy properties can be chosen rather freely from expressive Horn fragments of OWL2. We exploit IBQ reasoning to integrate specialized reasoners for the policy language and the vocabulary’s language. Our experiments show that this approach significantly improves performance.

1 Introduction

The European General Data Protection Regulation (GDPR) constrains the use of the personal data of European citizens, no matter where the controller (i.e. the entity that collects and processes the data) is located. Violations may have severe consequences, such as significant economic sanctions (4% of worldwide turnover) and loss of reputation. Therefore companies are looking for methodologies and technologies that support compliance with the GDPR. The H2020 project SPECIAL addresses these needs in several ways, including a policy-aware framework consisting of:3

– A semantic policy language for expressing: (i) business policies, i.e. the data usage policies adopted by the controller; (ii) the consent to data processing granted by the data subjects; (iii) an axiomatization of the “objective” part of the GDPR.

– A compliance checker capable of verifying whether business policies are compatible with the available consent and with the formalized fragment of the GDPR.

– Explanation facilities for the data subjects and for policy authors.

The semantic policy language consists of a profile of OWL2 called PL, and vocabularies for expressing policy properties such as the data categories involved in the processing, the nature and purpose of the processing, the recipients of the results, and information about where and how long data are stored. Compliance checking is currently reduced to subsumption checking in PL [3].

While compliance with respect to the GDPR is a validation phase that takes place before deploying business policies, compliance checks w.r.t. consent occur at run-time, in such a way as to allow data subjects to modify or withdraw their consent anytime. Moreover, many interesting web-based scenarios involve the processing of large volumes of personal data (including various forms of personal data collection, akin to tracking and fingerprinting) that require scalable, possibly real-time compliance checking w.r.t. the consent policies released by all the subjects which the data refer to. For these reasons SPECIAL developed a scalable reasoner of PL, called PLR, supporting compliance checks per second.

The expressiveness of PL is appropriate for encoding the structure of data usage policies, licences, and even EHR; however it is too limited for the needs of the associated vocabularies of properties, considering that concept inclusions in PL are restricted to class names only. The vocabularies for encoding data usage and GDPR concepts are being developed independently by the Data Privacy Vocabularies and Controls Community Group” (DPVCG) of the W3C.4 We intend to put as few constraints as possible on the development of such standardized vocabularies, because as more application domains are introduced in the vocabularies and more standards (e.g. for classifying controllers) are imported, it is difficult to predict the expressiveness needs that may arise in their modeling.

In this paper, we address this need by introducing a flexible method for integrating PL-based compliance checking with more general vocabularies, expressed in Horn- SRIQ, leveraging the literature on import by query reasoning (IBQ). The IBQ approach makes it possible to integrate PLR with specialized engines for the logic of the vocabularies, thereby improving the performance of the available reasoners, and addressing the aforementioned scalability requirements.

In the next section, we start with technical preliminaries. In Section 4 we apply (and slightly extend) the theory of IBQ to integrate PL knowledge bases with external ontologies expressed in Horn-SRIQ (and fragments thereof). Then, in Section 5, we report our experiments. Software and data can be downloaded from https://1drv.ms/u/ s!Aple1sNCCRUesOEzvzGVRqZnS3uU0Q?e=JHzsyF.

2 Preliminaries

We assume the reader is familiar with the basics on Description Logics (DL) [1], here we focus only on the aspects needed for this work. The DL languages of our interest are built from countably infinite sets of concept names (), role names (), individual names (), concrete property names (). A signature is a subset of . An interpretation I of a signature is a structure where is a nonempty set, and the interpretation function , defined over , is such that (i) if ; (ii) if ; (iii) if ; (iv) if , where N denotes the set of natural numbers.

Compound concepts and roles are built from concept names, role names, and the logical constructors listed in Table 1. We will use metavariables A, B for concept names, C, D for (possibly compound) concepts, R, S for (possibly inverse) roles, a, b for individual names, and f, g for concrete property names. The third column shows how to extend the valuation of an interpretation I to compound expressions. Table 1 also shows the terminological and assertional axioms we deal with. An interpretation I satisfies an axiom (in symbols, ) if it satisfies the corresponding semantic condition in Table 1. As usual, is an abbreviation for the pair of inclusions and . Similarly, disj(C, D), range(R, C) and func(R) are abbreviations for and , respectively.

A knowledge base K is a finite set of DL axioms. Its terminological part (or TBox) is the set of terminological axioms in K, while its ABox is the set of its assertion axioms.

Table 1. Syntax and semantics of some DL constructs and axioms.

If X is a DL expression, an axiom, or a knowledge base, then denotes the signature consisting of all symbols occurring in X. An interpretation I of a signature is a model of K (in symbols, I |= K) if I satisfies all the axioms in K. We say that K entails an axiom (in symbols, ) if all the models of K satisfy . Given a knowledge base K and general concept inclusion (GCI) , the subsumption problem consists in deciding whether . A pointed interpretation is a pair (I, d) where . We say (I, d) satisfies a concept C iff . In this case, we write (I, d) |= C.

It is straightforward to see that any knowledge base K defined on the base of Table 1 satisfies the disjoint model union property, that is, if two disjoint interpretations I and J satisfy K, their disjoint union – where for all – satisfies K, too ([1], Ch. 5). This result can be easily extended to the union of an arbitrary set S of disjoint models.A knowledge base K is semantically modular with respect to a signature if each interpretation over can be extended to a model of K such that and , for all symbols . Roughly speaking, this means that K does not constrain the symbols of in any way. A special case of semantic modularity exploited in [9] is locality: A knowledge base K is local with respect to a signature if each interpretation over can be extended to a model of K by setting for all concept and role names .

Finally, a Horn-SRIQ knowledge base [13,14] consists of terminological and assertional axioms from Table 1 satisfying the following restrictions: (i) the set of role axioms should be regular and the roles simple, according to the definitions stated in [10]5, and (ii) GCIs have the following normal form:

where either belong to or are of the form , and S is a simple role. Like all Horn DLs, Horn-SRIQ is convex, that is, holds iff either or .

3 Semantic Encoding of Data Usage Policies

SPECIAL’s policy language PL is a fragment of OWL2-DL that has been specifically designed to describe data controller/subject usage policies and to model selected parts of the GDPR that can be used to support the validation of the controller’s internal processes. The aspects of data usage that have legal relevance are clearly indicated in several articles of the GDPR and in the available guidelines:

SPECIAL adopts a direct encoding of usage policies in description logics, based on those features. The simplest possible policies have the form:

processinghasrecipienthasstoragehas

All of the above roles are functional. Duration is represented as an interval of integers , representing a minimum and a maximum storage time (such bounds may be required by law, by the data subject, or by the controller itself). The classes P, D, O, etc. are defined in suitable auxiliary knowledge bases that specify the relationships between different terms.

A policy of the form (1) may represent the conditions under which a data subject gives her consent. For example if D = DemographicData then the data subject authorizes – in particular – the use of her address, age, income, etc. as specified by the other properties of the policy.

The usage policies that are applied by the data controller’s business processes are called business policies and include a description of data usage of the form (1). Additionally, each business policy is labelled with its legal basis and describes the associated obligations that must be fulfilled. For example, if the data category includes personal data, and processing is allowed by explicit consent, then the business policy should have the additional conjuncts:

that label the policy with the chosen legal basis from Art. 6 GDPR, and model the obligations related to the data subjects’ rights, cf. Chapter 3 of the GDPR. More precisely, the terms involving hasduty assert that the process modelled by the business policy includes the operations needed to obtain the data subject’s consent () and those needed to receive and apply the data subjects’ requests to access, rectify, and delete their personal data.

Data controllers and subjects may specify different policies for different categories of data and different purposes. The result is a full policy where each is a simple usage policies like (1) or (1) (2) (one for each usage type).

Simple usage policies are formalized by simple PL concepts, that are defined by the following grammar, where , and

A (full) PL concept is a union of simple PL concepts ().

In order to check whether a business process complies with the consent given by a data subject S, it suffices to check whether the corresponding business policy BP is subsumed by the consent policy of S, denoted by (in symbols, ). This subsumption is checked against a knowledge base that encodes type restrictions related to policy properties. Such a knowledge base is the union of a main knowledge base K that specifies the semantics of general terms, such as haspurpose or hasdata, plus the auxiliary knowledge base O that models the different types of data, purposes, recipients, etc. according to a specific application domain. An example of the actual axioms occurring in K is:

Formally, we assume that a main PL knowledge base K is a set of axioms of the following kinds:

In [3] O is expressed in the same way. In the following we are showing how to support more general auxiliary knowledge bases expressed in Horn-SRIQ.

4 Supporting General Vocabularies with IBQ Reasoning

Our strategy consists in treating the auxiliary ontologies as oracles. Roughly speaking, whenever the reasoner for PL needs to check a subsumption between two terms de-fined in the auxiliary ontologies, the subsumption query is submitted to the oracle. Of course this method, called import by query (IBQ), is not always complete [9, 8]. In the following, we provide sufficient conditions for completeness.

In SPECIAL’s policy modeling scenario, the main ontology K defines policy attributes, such as data categories, purpose etc. – by specifying their ranges and functionality properties – while the auxiliary ontology O defines the privacy-related vocabularies that provide the range for those attributes. The reasoning task of interest in such scenarios is deciding, for a given subsumption query , whether . Both C and D are PL concepts (policies) that may contain occurrences of concept names defined in O.

SPECIAL’s application scenarios make it possible to adopt a simplifying assumption that makes oracle reasoning technically simpler [9, 8], namely, we assume that neither K nor the query q share any roles with O. This naturally happens in SPECIAL precisely because the roles used in the main KB identify the sections that constitute a policy (e.g. data categories, purpose, processing, storage, recipients), while the roles defined in O model the contents of those sections, e.g. anonymization parameters, relationships between recipients, relationships between storage locations, and the like.

The IBQ framework was introduced to reason with a partly hidden ontology O. For our purposes, IBQ is interesting because instead of reasoning on as a whole, each partition can be processed more efficiently with a different, specialized reasoner. The reasoner for K may query O as an oracle, using a query language QL consisting of all the subsumptions

such that are concept names. We will denote with pos(O) all the queries to O that have a positive answer, that is:

The problem instances of our interest are formally defined as follows:

Definition 1 (PL subsumption instances with oracles, PLSO). A PL subsumption instance with oracle is a triple where K is a PL knowledge base (the main knowledge base), O is a Horn-SRIQ knowledge base (the oracle), and q is a PL subsumption query such that . The set of all PL subsumption instances with oracle will be denoted by PLSO.

The restriction on the signatures is aimed at keeping the roles of O separated from those of K and q, as previously discussed. Oracles are restricted to Horn-SRIQ because (to the best of our knowledge) it is the most expressive convex and nominal-free logic studied so far in the literature; it can be proved that convexity is essential for the tractability of PL with oracles, and that nominals affect the completeness of IBQ reasoning (we do not include these results here due to space limitations).

The next lemma rephrases the original completeness result for IBQ [9, Lemma 1] in our notation. Our statement relaxes the requirements on O by assuming only that it enjoys the disjoint model union property (originally it had to be in SRIQ). The proof, however, remains essentially the same, and is omitted here.

Lemma 1. Let K and O be knowledge bases and a GCI, such that

domain of integer intervals; 2. The terminological part of O enjoys the disjoint model union property; 3. The terminological part T of K is local w.r.t. ; 4. .

Using the above lemma, we prove a variant of IBQ completeness for PLSO. The locality requirement of Lemma 1 is removed by shifting axioms from K to O.

Theorem 1. For all problem instances , let

This equivalence can be proved with Lemma 1; it suffices to show that and q satisfy the hypotheses of the lemma. First note that is a PL knowledge base and is a Horn-SRIQ knowledge base (because, by definition of PLSO, K is in PL and O in Horn-SRIQ, and the axioms shifted from L to can be expressed in Horn-SRIQ, too). Both PL and Horn-SRIQ are fragments of SROIQ(D) without U, therefore hypothesis 1 is satisfied by and . Moreover, both PL and Horn- SRIQ enjoy the disjoint model union property, therefore hypothesis 2 is satisfied. Next recall that holds, by definition of PLSO. Since the axioms (transferred from K to ) contain no roles (they are of the form or disj(A, B)), it follows that

that is, hypothesis 4 holds. A second consequence of this inclusion is that contains only axioms of the form range(R, A) and func(A) such that . They are trivially satisfied by any interpretation I such that . Therefore is local w.r.t. and hypothesis 3 is satisfied. In the following, let and be defined as in Theorem 1.

The reasoner for solving PLSO consists in two normalization phases followed by a structural subsumption check. The first normalization phase splits the intervals in the left-hand side of the given query q to make it interval safe:

Definition 2 (Interval safety). An inclusion is interval safe iff, for all constraints occurring in C and all occurring in D, either , or .

Assuming that the number of intervals in each simple PL concept in C is bounded by a constant c, this phase can be computed in polynomial time [3]. The result is denoted by .

The second normalization exhaustively applies the rewrite rules in Table 2 to the left-hand side of C. It is easy to see that these rules preserve concept equivalence. We say that a PL concept C is normalized w.r.t. K and O if none of the rules in Table 2 is applicable. Differently from [3], rule 7 queries the oracle to detect inconsistencies.

The third phase of the reasoning is described in Algorithm 1, that differs from its counterpart for PL [3] in line 3, where subsumptions are checked by invoking the oracle. Algorithm 1 accepts elementary (i.e. normalized) concepts:

Definition 3. A PL subsumption is elementary w.r.t. K and O if both C and D are simple, is interval safe, and C is normalized w.r.t. K and O.

Finally, Algorithm 2 () specifies the complete reasoning process for general PL subsumptions with oracles. can be proved to be sound and complete by analogy with [3]. First, it is possible to define a canonical model (I, d) with the following property:7

Table 2. Normalization rules for . Conjunctions are treated as sets (i.e. the ordering of conjuncts is irrelevant, and duplicates are removed).

Lemma 2. If C is a simple PL concept normalized w.r.t. K and O, and , then each canonical model (I, d) of C enjoys the following properties:

Each canonical model of C characterizes all the valid elementary subsumptions whose left-hand side is C:

Lemma 3. If is elementary w.r.t. K and , and (I, d) is a canonical model of C, then iff (I, d) |= D .

Moreover, by means of canonical models, one can prove that interval safety makes the non-convex logic PL behave like a convex logic.

Lemma 4. For all interval-safe PL subsumption queries such that each is normalized w.r.t. K and O, the entailment holds iff for all there exists such that .

Now that the semantic properties are laid out, we focus on the algorithms. Roughly speaking, the next lemma says that (Alg. 1) decides whether the canonical model (I, d) of C satisfies D. The lemma can be proved by structural induction on D.

Lemma 5. If is elementary w.r.t. K and , and (I, d) is the canonical model of C, then iff (I, d) |= D .

Finally we can prove that (Alg. 2) is correct and complete.

Theorem 2. Let be any instance of PLSO. Then

Proof. D is of the form . Let be the concept computed by lines 2 and 3 of . We start by proving the following claim, for all i = 1, . . . , m and j = 1, . . . , n:

There are two possibilities. If , then clearly and (see line 2 of Algorithm 1), so (4) holds in this case. If , then note that is elementary w.r.t. K and O by construction of (which is obtained by splitting the intervals of the normalization of C w.r.t. K and O). Then (4) follows immediately from lemmas 3 and 5.

By (4) and convexity (Lemma 4), we have that lines 5–11 of Algorithm 2 return true iff . Moreover, can be equivalently replaced by C in this entailment, since normalization preserves equivalence. The resulting entailment is equivalent to by Theorem 1. It follows that Algorithm 2 returns true iff

Using Algorithm 2, it can be proved that if the number of intervals occurring in each simple PL concept is bounded by a constant c (as in SPECIAL’s policies, where c = 1), then PL subsumption checking with oracles is in .8 Consequently, if oracles have a tractable subsumption problem, then PLSO with bounded occurrences of intervals is tractable, too.

5 Experimental Evaluation

In this section we describe a Java implementation of and compare its performance with that of other popular engines. is implemented in Java and distributed as a .jar file. The reasoner’s class is named PLReasonerIBQ, and provides a partial implementation of the OWL API interfaces, version 5.x. The package includes a complete implementation of , including the structural subsumption algorithm and the two normalization phases, based on the interval splitting method for interval safety illustrated in [3] and on the rewrite rules in Table 2. Several optimizations have been implemented. In the following we will assess two versions of :

IBQ PLR The basic implementation of .

IBQ PLR c The calls to the oracle (triggered by normalization rule 6 and line 3 of ) are one of the most expensive parts of the reasoner. In order to reduce their cost, two caches are introduced, for remembering the results of the oracle queries executed by the normalization phase and , respectively. This optimization is expected to be effective due to the nature of the interval normalization phase, that replicates concepts when intervals are split to achieve interval safety, thereby inducing a large number of identical oracle queries.

SPECIAL’s engine is tested on sets of experiments where both the main ontologies K and the PL subsumptions that encode compliance checks are completely synthetic. On the other hand, the oracles – namely MHC, OntolUrgences and SNOMED CT9 – have been selected from the real ontologies in the BioPortal repository. The choice of these ontologies (unrelated to the GDPR domain) is justified by two considerations:

– We need large ontologies in order to assess the scalablity of the engine in the increasingly complex scenarios we expect in the future. The above oracles have been selected due to their size (cf. Table 3) in order to set up a stress test for verifying the scalability of as vocabularies grow.

– PL is well-suited to the representation of electronic health records (EHR), using the standard HL7 to represent the structure of EHR, and biomedical ontologies (such as SNOMED) to encode the contents of each section (cf. [5]). So our experiments evaluate the practical behavior of PL also in the e-health context.

The main knowledge bases K define policy roles (recall that no role from the external vocabularies may occur in the business and consent policies, and that class inclusion

Table 3. Size of the real world general vocabularies

axioms are all pushed into the oracles). Three ontologies have been generated: one for each of the three sets of parameters K1–K3 reported in Table 4. Approximately half of the roles and concrete properties are functional, and half of the roles have a range axiom. The same table reports the parameters P1, P2 and P3 used to generate the PL concepts occurring in the queries. Concept size and nesting dominate the corresponding dimensions of the real-world policies occurring in SPECIAL’s pilots. The three sizes P1, P2 and P3 have different interval length; this parameter influences the probability of interval splitting during the normalization phase, that has a major effect on complexity. In particular, interval splitting may exponentially inflate the given business policy, and this is unavoidable (unless P=NP) because unrestricted PL subsumption checking is coNP-complete [5]. If the maximum number of intervals per simple policies (hereafter #int) is bounded, then the computation of takes polynomial time, but the degree of the polyomial grows with #int. Although in SPECIAL’s data usage policies (since storage duration is the only interval-valued property), in our experiments we also analyze the costs of higher values of #int, in view of possible future extensions. Note that the value of #int is measured after normalization, since the rewrite rules may decrease the number of intervals.

In each compliance check is a union of randomly generated simple business policies. Policy attributes are specified by randomly picking classes from the oracles. We make sure that every simple policy generated is internally consistent by discarding inconsistent policies. The consent policy is the union of a set of simple policies (i = 1, . . . , n) generated by modifying the simple business policies in , mimicking a selection of privacy options from a list provided by the controller. In particular, a random deletion of conjuncts within a simple policy mimicks the opt-out choices of data subjects with respect to the various data processing activities modelled by the simple policies. Similarly, the random replacement of terms with a different term simulates the opt-in/opt-out choices of the data subject w.r.t. each component of the selected simple policies. More precisely, if the modified term occurring in is a

Table 4. Size of fully synthetic test cases

superclass (resp. a subclass) of the corresponding term in the original business policy, then the data subject opted for a broader (resp. more restrictive) permission relative to the involved policy property (e.g. data categories, purpose, and so on). Finally, we also consider the random addition of new simple policies (disjunct).

The number of queries for each size Pgenerated for each vocabulary is 3600 (50 different queries for each combination of generation parameters).

The experiments have been performed on a server with an 8-cores processor Intel Xeon Silver 4110, 11M cache, 198 GB RAM, running Ubuntu 18.04 and JVM 1.8.0181, configured with 32GB heap memory. We have not exploited parallelism in the engine’s implementation.

Concerning the engine used to query the oracle, we used the specialized engine ELK for SNOMED (that is in OWL2-EL) but we had to use the general engine Hermit on the other two oracles, since they are too expressive for ELK.10

Performance is not affected by the choice of K1, K2, or K3, therefore we aggregate their results. We aggregate also the results for P1, P2, and P3, because they influence #int indirectly; we rather focus on the actual value of #int after normalization.

The main experimental results are reported in Table 5. The optimized version of is systematically faster than Hermit for #int < 5. Speedups range approximately from 3 to 6 times. On a very large oracle like SNOMED, is almost two orders of magnitude faster than Hermit, also for higher values of #int (we stopped our experiments at #int =10). For the two smaller oracles, the effects of the combinatorial explosion of become visible when #int = 5 and Hermit turns out to be faster. The growth of response time is rather slow until #int = 5 because the cost caused by the exponential inflation of is dominated by the cost of oracle calls, that do not suffer from the combinatorial explosion as explained in the next paragraph.

The effectiveness of the two caches on performance is illustrated in Table 6. The table illustrates also the explosion caused by interval splitting as #int grows. The comparison of the number of oracle queries issued by the two implementations confirms the

Table 5. Hermit vs IBQ PLR c: average time per subsumption check (ms)

hypothesis that most oracle calls are duplicates caused by interval splitting (that may create, for each simple policy, multiple versions that differ only in the intervals). Then the caches keep the number of oracle queries almost constant.

Table 6. Effectiveness of optimizations on small/medium and large ontologies

6 Related Work

PL differs from the tractable profiles of OWL2 and from Horn DLs due to intervals, that constitute a non-convex domain. PL without intervals is a fragment of the tractable DL Horn-SHOIQ with (reuse)-safe roles (cf. [6, 7]). DLs have been already used as policy languages, e.g. [19,11]. These works, however, do not address the encoding of data usage policies, nor the tractability of reasoning.

In [15–17] the authors propose an ontology, PrOnto, for supporting legal reasoning and GDPR compliance checking. Axioms are formulated with nonmonotonic rules interpreted as in corteous logic programming. The scalability of reasoning is not addressed in these works. In SPECIAL we favour a DL-based formalization, because it is particularly well suited to policy comparison (predominant in SPECIAL’s scenarios, and essential for GDPR compliance and data transfers under sticky policies). In rulebased languages, policy comparison is generally intractable and even undecidable if rules are recursive (cf. the discussion in [2]). Moreover, SPECIAL is not addressing advanced legal reasoning. For example, the compliance check w.r.t. the GDPR is aimed only at verifying the policy’s internal coherence (e.g. does it contain all the necessary obligations? Is the legal basis appropriate for the data categories involved?). As a consequence, deontic reasoning and nonmonotonic reasoning – frequently adopted in the AI-and-law area – lie outside the scope of SPECIAL’s use cases.

7 Conclusions

In summary, IBQ reasoning constitutes an effective approach to extending PL reasoning with a wide range of vocabularies, formulated with more expressive logics. The current experiments are encouraging, and show that the integration of different reasoners may significantly increase performance. The benefits of this approach are particularly visible on very large oracles, such as SNOMED. This makes the IBQ approach particularly appealing for reasoning about EHR.

However, the current performance of ’s implementations is not yet sufficient for SPECIAL’s scenarios. To address this issue, we are going to investigate whether (and to what extent) oracles can be compiled into PL knowledge bases, to further speed up reasoning.

In future work we are also going to complete our experimental analysis by extending the set of test cases, and by evaluating further engines for querying the oracles, with aprticular attention to the engines specialized on the Horn fragments of OWL2, such as OWL2-RL and OWL2-QL.

References

1. Baader, F., Calvanese, D., McGuinness, D.L., Nardi, D., Patel-Schneider, P.F. (eds.): The Description Logic Handbook: Theory, Implementation, and Applications. Cambridge University Press (2003)

2. Bonatti, P.A.: Datalog for security, privacy and trust. In: Datalog Reloaded - First International Workshop, Datalog 2010, Oxford, UK, March 16-19, 2010. Revised Selected Papers. Lecture Notes in Computer Science, vol. 6702, pp. 21–36. Springer (2010)

3. Bonatti, P.A.: Fast compliance checking in an OWL2 fragment. In: Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence, IJCAI 2018. pp. 1746–1752. ijcai.org (2018)

4. Bonatti, P.A., Kirrane, S.: Big data and analytics in the age of the GDPR. In: 2019 IEEE International Congress on Big Data, BigData Congress 2019. pp. 7–16. IEEE (2019)

5. Bonatti, P.A., Petrova, I.M., Sauro, L.: Optimized construction of secure knowledge-base views. In: Proceedings of the 28th International Workshop on Description Logics. CEUR Workshop Proceedings, vol. 1350. CEUR-WS.org (2015), http://ceur-ws.org/Vol-1350/ paper-44.pdf

6. Carral, D., Feier, C., Grau, B.C., Hitzler, P., Horrocks, I.: EL-ifying ontologies. In: Automated Reasoning - 7th International Joint Conference, IJCAR 2014. Proceedings. pp. 464– 479 (2014)

7. Carral, D., Feier, C., Grau, B.C., Hitzler, P., Horrocks, I.: Pushing the boundaries of tractable ontology reasoning. In: The Semantic Web - ISWC 2014 - 13th International Semantic Web Conference, Proceedings, Part II. pp. 148–163 (2014)

8. Cuenca Grau, B., Motik, B.: Reasoning over ontologies with hidden content: The import-by-query approach. J. Artif. Intell. Res. 45, 197–255 (2012)

9. Cuenca Grau, B., Motik, B., Kazakov, Y.: Import-by-query: Ontology reasoning under access limitations. In: IJCAI 2009, Proceedings of the 21st International Joint Conference on Artificial Intelligence. pp. 727–732 (2009)

10. Horrocks, I., Kutz, O., Sattler, U.: The even more irresistible SROIQ. In: Proceedings, Tenth International Conference on Principles of Knowledge Representation and Reasoning. pp. 57–67. AAAI Press (2006)

11. Kagal, L., Finin, T.W., Joshi, A.: A policy language for a pervasive computing environment. In: 4th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY). pp. 63–. IEEE Computer Society (Jun 2003)

12. Kirrane, S., Fern´andez, J.D., Dullaert, W., Milosevic, U., Polleres, A., Bonatti, P.A., Wenning, R., Drozd, O., Raschke, P.: A scalable consent, transparency and compliance architecture. In: The Semantic Web: ESWC 2018 Satellite Events, Revised Selected Papers. Lecture Notes in Computer Science, vol. 11155, pp. 131–136. Springer (2018)

13. Ortiz, M., Rudolph, S., Simkus, M.: Worst-case optimal reasoning for the Horn-DL fragments of OWL 1 and 2. In: Principles of Knowledge Representation and Reasoning: Proceedings of the Twelfth International Conference, KR 2010. AAAI Press (2010)

14. Ortiz, M., Rudolph, S., Simkus, M.: Query answering in the horn fragments of the description logics SHOIQ and SROIQ. In: IJCAI 2011, Proceedings of the 22nd International Joint Conference on Artificial Intelligence. pp. 1039–1044. IJCAI/AAAI (2011)

15. Palmirani, M., Governatori, G.: Modelling legal knowledge for GDPR compliance checking. In: Legal Knowledge and Information Systems - JURIX 2018: The Thirty-first Annual Conference. pp. 101–110 (2018)

16. Palmirani, M., Martoni, M., Rossi, A., Bartolini, C., Robaldo, L.: Legal ontology for modelling GDPR concepts and norms. In: Legal Knowledge and Information Systems - JURIX 2018: The Thirty-first Annual Conference. pp. 91–100 (2018)

17. Palmirani, M., Martoni, M., Rossi, A., Bartolini, C., Robaldo, L.: Pronto: Privacy ontology for legal reasoning. In: Electronic Government and the Information Systems Perspective -7th International Conference, EGOVIS 2018, Proceedings. pp. 139–152 (2018)

18. Papadimitriou, C.H.: Computational complexity. Academic Internet Publ. (2007)

19. Uszok, A. et al.: KAoS policy and domain services: Towards a description-logic approach to policy representation, deconfliction, and enforcement. In: 4th IEEE Int. Work. on Policies for Distributed Systems and Networks (POLICY). pp. 93–96. IEEE Computer Society (2003)