Data protection and privacy is becoming increasingly crucial in the digital era. Numerous companies depend on third-party vendors and service providers to carry out critical functions within their operations, encompassing tasks such as data handling and storage. However, this reliance introduces potential vulnerabilities, as these vendors' security measures and practices may not always align with the standards expected by regulatory bodies. Businesses are required, often under the penalty of law, to ensure compliance with the evolving regulatory rules. Interpreting and implementing these regulations pose challenges due to their complexity. Regulatory documents are extensive, demanding significant effort for interpretation, while vendor-drafted privacy policies often lack the detail required for full legal compliance, leading to ambiguity. To ensure a concise interpretation of the regulatory requirements and compliance of organizational privacy policy with said regulations, we propose a Large Language Model (LLM) and Semantic Web based approach for privacy compliance. In this paper, we develop the novel Privacy Policy Compliance Verification Knowledge Graph, PrivComp-KG. It is designed to efficiently store and retrieve comprehensive information concerning privacy policies, regulatory frameworks, and domain-specific knowledge pertaining to the legal landscape of privacy. Using Retrieval Augmented Generation, we identify the relevant sections in a privacy policy with corresponding regulatory rules. This information about individual privacy policies is populated into the PrivComp-KG. Combining this with the domain context and rules, the PrivComp-KG can be queried to check for compliance with privacy policies by each vendor against relevant policy regulations. We demonstrate the relevance of the PrivComp-KG, by verifying compliance of privacy policy documents for various organizations.

翻译：数据保护与隐私在数字时代正变得愈发重要。众多企业依赖第三方供应商和服务提供商执行数据处理与存储等关键业务功能。然而，这种依赖性引入了潜在风险——这些供应商的安全措施与实践可能未必符合监管机构期望的标准。企业必须（通常面临法律制裁风险）确保自身运营符合不断演变的监管规则。由于规章体系的复杂性，对其的解读与实施颇具挑战：监管文件内容浩繁，需要付出大量解读精力；而供应商起草的隐私政策往往缺乏完全合法合规所需的细节，导致语义模糊。为实现监管要求的精准解读及组织隐私政策与所述规制的合规性验证，本文提出一种基于大语言模型与语义网的隐私合规方法。我们构建了新型隐私政策合规验证知识图谱PrivComp-KG，该图谱旨在高效存储与检索关于隐私政策、监管框架及隐私法律领域专业知识的综合信息。通过检索增强生成技术，我们识别隐私政策中与对应监管规则相关的章节。每个隐私政策的关联信息被填充至PrivComp-KG中，结合领域上下文与规则后，可通过查询该图谱验证各供应商行为是否遵循相关政策法规。我们通过验证不同组织的隐私政策文档合规性，展示了PrivComp-KG的有效性。