Open Access


A GDPR Compliant Approach to Assign Risk Levels to Privacy Policies

Abdullah R. Alshamsan1, Shafique A. Chaudhry1,2,*

1 Department of Computer Science, Clarkson University, Clarkson Ave, Potsdam, 13699, NY, USA
2 David D. Reh School of Business, Clarkson University, Clarkson Ave, Potsdam, 13699, NY, USA

* Corresponding Author: Shafique A. Chaudhry. Email:

Computers, Materials & Continua 2023, 74(3), 4631-4647.


Data privacy laws require service providers to inform their customers on how user data is gathered, used, protected, and shared. The General Data Protection Regulation (GDPR) is a legal framework that provides guidelines for collecting and processing personal information from individuals. Service providers use privacy policies to outline the ways an organization captures, retains, analyzes, and shares customers’ data with other parties. These policies are complex and written using legal jargon; therefore, users rarely read them before accepting them. There exist a number of approaches to automating the task of summarizing privacy policies and assigning risk levels. Most of the existing approaches are not GDPR compliant and use manual annotation/labeling of the privacy text to assign risk level, which is time-consuming and costly. We present a framework that helps users see not only data practice policy compliance with GDPR but also the risk levels to privacy associated with accepting that policy. The main contribution of our approach is eliminating the overhead cost of manual annotation by using the most frequent words in each category to create word-bags, which are used with Regular Expressions and Pointwise Mutual Information scores to assign risk levels that comply with the GDPR guidelines for data protection. We have also developed a web-based application to graphically display risk level reports for any given online privacy policy. Results show that our approach is not only consistent with GDPR but performs better than existing approaches by successfully assigning risk levels with 95.1% accuracy after assigning data practice categories with an accuracy rate of 79%.


Cite This Article

A. R. Alshamsan and S. A. Chaudhry, "A GDPR compliant approach to assign risk levels to privacy policies," Computers, Materials & Continua, vol. 74, no. 3, pp. 4631–4647, 2023.

This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.