Privacy-enhanced BPMN: enabling data privacy analysis in business processes models

Pullonen, Pille; Tom, Jake; Matulevičius, Raimundas; Toots, Aivo

doi:10.1007/s10270-019-00718-z

Cited by 40 publications

(28 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Caramujo et al [19] target privacy policies from the web and mobile applications, and propose a domain-specific language along with model transformations for specifying privacypolicy models. Pullonen and Matulevicius [20] present a multilevel model to be used as an extension of the Business Process Model and Notation (BPMN) to enable the visualization, analysis, and communication of the privacy-policy characteristics of business processes. Tom et al [32] present a preliminary GDPR model aimed at providing a simple, visual overview so that process implementers can better understand the associations between different entities in the GDPR.…”

Section: Related Workmentioning

confidence: 99%

“…As we discuss in more detail in Section VII, existing modelbased approaches for compliance verification have one of the following limitations as far as the GDPR is concerned: they (1) have a different focus than the GDPR, e.g., [5], (2) present guidelines only for the manual application of the GDPR, e.g., [18], or (3) focus exclusively on specific GDPR use cases, e.g., [19], [20]. To the best of our knowledge, there are no proposals in the literature aimed at providing a holistic modelbased representation of the GDPR.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Using Models to Enable Compliance Checking Against the GDPR: An Experience Report

Torre

Soltana

Sabetzadeh

et al. 2019

2019 ACM/IEEE 22nd International Conference on Model Driven Engineering Languages and Systems (MODELS)

View full text Add to dashboard Cite

The General Data Protection Regulation (GDPR) harmonizes data privacy laws and regulations across Europe. Through the GDPR, individuals are able to better control their personal data in the face of new technological developments. While the GDPR is highly advantageous to individuals, complying with it poses major challenges for organizations that control or process personal data. Since no automated solution with broad industrial applicability currently exists for GDPR compliance checking, organizations have no choice but to perform costly manual audits to ensure compliance. In this paper, we share our experience building a UML representation of the GDPR as a first step towards the development of future automated methods for assessing compliance with the GDPR. Given that a concrete implementation of the GDPR is affected by the national laws of the EU member states, GDPR's expanding body of case law and other contextual information, we propose a two-tiered representation of the GDPR: a generic tier and a specialized tier. The generic tier captures the concepts and principles of the GDPR that apply to all contexts, whereas the specialized tier describes a specific tailoring of the generic tier to a given context, including the contextual variations that may impact the interpretation and application of the GDPR. We further present the challenges we faced in our modeling endeavor, the lessons we learned from it, and future directions for research.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Using Models to Enable Compliance Checking Against the GDPR: An Experience Report

Torre

Soltana

Sabetzadeh

et al. 2019

2019 ACM/IEEE 22nd International Conference on Model Driven Engineering Languages and Systems (MODELS)

View full text Add to dashboard Cite

show abstract

“…Data privacy violations can be prevented if privacy requirements are properly elicited during the early stages of software development, that is, in the specification phase of functional and non-functional requirements. Although much work has been developed proposing methodologies for privacy requirements' elicitation [4][5][6][7][8][9][10][11][12], we found few works in the literature that have conducted empirical studies to describe how the software industry faces problems related to software development teams perceptions of system privacy [3,13,14], as well as what knowledge these professionals have, in order to perform correct implementations of these requirements along with the compliance with current legislation [13].…”

Section: Introductionmentioning

confidence: 99%

Perceptions of ICT Practitioners Regarding Software Privacy

Canedo

Calazans

Masson

et al. 2020

Entropy

View full text Add to dashboard Cite

During software development activities, it is important for Information and Communication Technology (ICT) practitioners to know and understand practices and guidelines regarding information privacy, as software requirements must comply with data privacy laws and members of development teams should know current legislation related to the protection of personal data. In order to gain a better understanding on how industry ICT practitioners perceive the practical relevance of software privacy and privacy requirements and how these professionals are implementing data privacy concepts, we conducted a survey with ICT practitioners from software development organizations to get an overview of how these professionals are implementing data privacy concepts during software design. We performed a systematic literature review to identify related works with software privacy and privacy requirements and what methodologies and techniques are used to specify them. In addition, we conducted a survey with ICT practitioners from different organizations. Findings revealed that ICT practitioners lack a comprehensive knowledge of software privacy and privacy requirements and the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD, in Portuguese), nor they are able to work with the laws and guidelines governing data privacy. Organizations are demanded to define an approach to contextualize ICT practitioners with the importance of knowledge of software privacy and privacy requirements, as well as to address them during software development, since LGPD must change the way teams work, as a number of features and controls regarding consent, documentation, and privacy accountability will be required.

show abstract

“…Caramujo et al [7] target privacy policies from the web and mobile applications, and propose a domain-specific language along with model transformations for specifying privacy-policy models. Similarly, Pullonen et al [28] present a multi-level model to be used as an extension of the Business Process Model and Notation to enable the visualization, analysis, and communication of the privacy-policy characteristics of business processes. Finally, Kumar and Shyamasundar [29] explore the suitability of information-flow controls as a tool for specifying and enforcing privacy-policy requirements.…”

Section: Related Workmentioning

confidence: 99%

An AI-assisted Approach for Checking the Completeness of Privacy Policies Against GDPR

Torre

Abualhaija

Sabetzadeh

et al. 2020

2020 IEEE 28th International Requirements Engineering Conference (RE)

View full text Add to dashboard Cite

Privacy policies are critical for helping individuals make informed decisions about their personal data. In Europe, privacy policies are subject to compliance with the General Data Protection Regulation (GDPR). If done entirely manually, checking whether a given privacy policy complies with GDPR is both time-consuming and error-prone. Automated support for this task is thus advantageous. At the moment, there is an evident lack of such support on the market. In this paper, we tackle an important dimension of GDPR compliance checking for privacy policies. Specifically, we provide automated support for checking whether the content of a given privacy policy is complete according to the provisions stipulated by GDPR. To do so, we present: (1) a conceptual model to characterize the information content envisaged by GDPR for privacy policies, (2) an AI-assisted approach for classifying the information content in GDPR privacy policies and subsequently checking how well the classified content meets the completeness criteria of interest; and (3) an evaluation of our approach through a case study over 24 unseen privacy policies. For classification, we leverage a combination of Natural Language Processing and supervised Machine Learning. Our experimental material is comprised of 234 real privacy policies from the fund industry. Our empirical results indicate that our approach detected 45 of the total of 47 incompleteness issues in the 24 privacy policies it was applied to. Over these policies, the approach had eight false positives. The approach thus has a precision of 85% and recall of 96% over our case study.

show abstract

Privacy-enhanced BPMN: enabling data privacy analysis in business processes models

Cited by 40 publications

References 26 publications

Using Models to Enable Compliance Checking Against the GDPR: An Experience Report

Using Models to Enable Compliance Checking Against the GDPR: An Experience Report

Perceptions of ICT Practitioners Regarding Software Privacy

An AI-assisted Approach for Checking the Completeness of Privacy Policies Against GDPR

Contact Info

Product

Resources

About