• No se han encontrado resultados

Capítulo II: Identificación y Caracterización de Aislados de Stemphylium Causantes

II. I Introducción

After computing the correlations based on the glossaries of terms, we reviewed the resulting list and compared with our preliminary list of correlations. Each correla- tion was analysed, but we focused on the discrepancies between the lists. For those, we semantically interpreted the Article and requirement marked as correlating to understand the context in which the key-terms appeared, and whether or not they had the similar meaning. We realised this procedure in a peer review manner. The correlations were then adjusted accordingly. We highlight here a few of the manually adjusted correlations.

According to our initial list, requirement 111.2 on information about how data are stored and who has access to them, should correlate with Article 15.1(c), which describes the rights of the data subject in obtaining from the controller the recipients of personal data. The requirement and the Article have a clear correlation. How- ever, it was being disregarded by our parser as the Article contains the key-term “third countries" which does not appear in the requirement. As this key-term is responsible for several other well-fitted correlations, we opted for adjusting this ex- ception manually. Similarly, the correlations with requirement 111.18, on describing the ownership of the data, had to be adjusted. We understand that describing the

86 Chapter 6. Accomplishing Transparency in Medical Systems

Algorithm 4 Correlate(articlesGDPR[n], requirements[m], glossary{}[])

Input: array articlesGDPR with n entries, array of requirements with m entries, hash table of lists representing the glossary of equivalent terms

keys = glossary.getKeys()

for eachi2 {1, . . . , n}do .For each GDPR Article

for eachkey in keys do

ifarticlesGDPR[i].containsString(key) then keyTerms[i].add(key)

end if end for

for eachj2 {1, . . . , m}do .For each requirement

matchFound = FALSE

for eachterm in keyTerms[i]do

equivalentTerms[]= glossary{term}

for eachvalue in equivalentTerms do

ifrequirements[j].containsString(value) then matchFound = TRUE break end if matchFound = FALSE end for if !matchFound then break end if end for ifmatchFound then correlatedArticles[i].add(requirements[j]) end if end for end for Output:correlatedArticles Algorithm 5 Init()

Let: articlesGDPR[n]be the list of n selectedGDPRArticles, requirements[m]be

the list of m technical requirements, in f ormation{}[]be a glossary of information that should be provided to the data subject, rights{}[]be a glossary of the rights the data subject has, technique{}[] be a glossary of techniques mentioned in an Article, keywords{}[]be a glossary of keywords found in the Articles;

resultI[]= Correlate(articlesGDPR[], requirements[], in f ormation{}[]) resultR[]= Correlate(articlesGDPR[], requirements[], rights{}[]) resultT[]= Correlate(articlesGDPR[], requirements[], technique{}[]) resultK[]= Correlate(articlesGDPR[], requirements[], keywords{}[])

for eachi2 {1, . . . , n}do

f inalCorrelation[i]= resultI[i][resultR[i][resultT[i][resultK[i]

end for

6.3. Correlating GDPR Articles and technical requirements 87 ownership means to clarify what means to be the owner of a piece of data. In other words, to inform and describe the rights the data subjects have regarding the control of their data. In this sense, requirement 111.18 also relates to Articles 13.2.(c), 14.2.(c) and 21.4. Our parser captured a few relevant correlations for this requirement, but not all of them. We manually added those remaining correlations.

We also adjusted Articles and requirements that were marked as correlating by key-terms but were semantically different. For example, requirement 111.3, which requires the system to inform the users about the purchase of services, and Article 19, which requires the controller to communicate the erasure or rectification of personal data to its recipients. The same goes for requirement 111.19, regarding the disclosure of policies, regulations and terms, and Article 16, regarding the right to rectification of data. In both cases, the requirements and Articles were erroneously correlated and manually removed from the final list. Finally, we did the same for requirement 221.7, which mandates the provision of evidence that revoked consent has been executed. It had been erroneously correlated with Articles 7.1, 13.2.(c) and 14.2.(d) caused by the key-terms “consent" and “withdraw", present in those Articles.

Some other correlations were also considered for adjustments, as they were not present in our preliminary list, but were left untouched after a closer semantic anal- ysis. For example, requirement 111.7, about describing procedures and mechanisms planned in cases of security breaches, correlating to Articles 33.3 and 33.5, and re- quirement 111.15 about informing on who has the authority to investigate any policy compliance, which is also correlated with 33.3. These Articles describe the informa- tion to be provided to data subjects in case of a data breach. Initially, the correlation was not considered as the requirements are ex ante (information to help the users understand what will happen to their data), and the Articles are, in a sense, ex post, as the data breach already happened. However, if the information described in the requirement is made available beforehand, in the event of a data breach, it will fa- cilitate compliance with Article 33 from theGDPR. For this reason, we keep these correlations.

Similarly, requirements 221.2,5,8 are correlated with Article 5.2 of theGDPR(con- troller shall be accountable and responsible for demonstrating compliance with the lawfulness, fairness and transparency principles). The requirements, at first glance, seem unrelated to the Article, and to each other. However, the three requirements demand the users be presented with evidence of security breaches, of recovery from them, and of permission history. As evidence, by definition, is a piece of information or data that is used to prove or disprove something, we understand they contribute to demonstrate compliance. Even though these correlations were not identified in our initial list, we decided to keep them.

GDPR Requirements GDPR Requirements 5.1.(a) 14.3.(c) 5.2 111.16, 111.20, 221.1, 221.2, 221.3, 221.4, 221.5, 221.7, 221.8 14.4 6.1.(a) 221.7 15.1.(a) 111.19 7.1 15.1.(b) 221.6 7.2 15.1.(c) 111.2, 111.4 7.3 221.7 15.1.(d) 9.2.(a) 15.1.(e) 111.18 11.2 15.1.(f) 12.1 15.1.(g) 221.6

88 Chapter 6. Accomplishing Transparency in Medical Systems 12.3 15.1.(h) 12.4 15.2 111.4, 111.11, 221.3 12.7 15.3 112.1 13.1.(a) 111.1 16 13.1.(b) 111.15 17 221.7 13.1.(c) 111.19 18 13.1.(d) 111.3, 111.4, 111.14 19 111.2, 111.4, 13.1.(e) 111.2, 111.3, 111.4 21.1 13.1.(f) 111.4, 111.11, 221.3 21.2 13.2.(a) 21.3 13.2.(b) 111.18 21.4 111.18 13.2.(c) 111.18 21.5 13.2.(d) 22.1 13.2.(e) 22.2.(c) 13.2.(f) 25.3 13.3 26.1 111.14 14.1.(a) 111.1 26.2 111.14 14.1.(b) 111.15 26.3 111.14 14.1.(c) 111.19 30.1 221.5, 222.1, 232.1 14.1.(d) 221.6 30.2 221.5, 222.1, 232.1 14.1.(e) 111.2, 111.3, 111.4 30.3 14.1.(f) 111.4, 11.11, 221.3 30.4 14.2.(a) 32.3 14.2.(b) 111.3, 111.4, 111.14 33.1 111.7, 211.1, 211.4, 221.8 14.2.(c) 111.18 33.2 111.7, 211.1, 211.4, 221.8 14.2.(d) 111.18 33.3 111.7, 111.15, 211.1, 211.4, 221.8 14.2.(e) 33.4 211.4 14.2.(f) 221.6 33.5 111.7, 211.1, 211.4, 221.8 14.2.(g) 34.1 111.7, 211.1, 211.4, 221.8 14.3.(a) 211.5 34.2 14.3.(b)

TABLE 6.6: Final list of correlatedGDPR Articles and technical re-

quirements. 72% of the requirements are correlated (26 out of 36).

Documento similar