Implementing ISO/IEC TS 27560:2023 Consent Records and Receipts for GDPR and DGA
Harshvardhan J. Pandit, Jan Lindquist, Georg P. Krog
TL;DR
The paper addresses the need for machine-readable consent records and receipts to demonstrate GDPR compliance and enable data reuse under the DGA. It analyzes ISO-27560 and ISO-29184 and demonstrates a DPV-based implementation using DPV concepts and four profiles. The authors provide a DPV-based online specification at w3id and discuss practicalities including trust, security, eIDAS/EUDI wallet integration, and DCAT-based data catalogs. The work supports GDPR compliance and EU common consent forms, and outlines future standards, including PII processing records and IEEE P7012, to broaden interoperability.
Abstract
The ISO/IEC TS 27560:2023 Privacy technologies - Consent record information structure provides guidance for the creation and maintenance of records regarding consent as machine-readable information. It also provides guidance on the use of this information to exchange such records between entities in the form of 'receipts'. In this article, we compare requirements regarding consent between ISO/IEC TS 27560:2023, ISO/IEC 29184:2020 Privacy Notices, and the EU's General Data Protection Regulation (GDPR) to show how these standards can be used to support GDPR compliance. We then use the Data Privacy Vocabulary (DPV) to implement ISO/IEC TS 27560:2023 and create interoperable consent records and receipts. We also discuss how this work benefits the implementation of the EU Data Governance Act (DGA), specifically for machine-readable consent forms.
