Abstract

This paper describes a new model, using a privacy vocabulary standard (the Data Privacy Vocabulary, DPV) to audit and monitor GDPR compliance of international transfers of personal data. New terms were identified which I have proposed as extensions to the DPV. A prototype software tool was built based on the model, and synthetic use-cases created to test the capabilities of the model and tool (together a compliance framework). This framework was created because the rules around international transfer compliance are complex and changing, there is an absence of a common approach to ensuring compliance, few (if any) tools exist to assist, and those that do lack interoperability. Evaluation results demonstrate that the proposed model improves compliance in terms of identification and standardization from less than 35% to over 90% in test use-cases. The tool received very positive feedback from the data protection practitioners who participated in the evaluation, and an initial version of the tool is now in use in one financial services organization. While currently the tool only addresses international transfers, in theory the framework can be extended through further work to the broader area of compliance of all aspects of the GPDR (being based on the DPV).