What do services dealing with health and social security data, a car dealership’s customer relations and real estate agencies using cloud services have in common? Since May 2018, that would be the General Data Protection Regulation (GDPR). Or, perhaps more precisely, the extra burden coming with the creation of GDPR-compliant business processes. The problem is well-documented, yet not fully addressed. Reaching GDPR compliance is far from easy, especially for SMEs with limited resources and know-how. Every day, such businesses face questions related to the interpretation of GDPR provisions and requirements, operational adaptation, and the appropriate technical measures to be deployed. Likewise, the relation with data subjects, the enforcement of their rights, the question of accountability and the management of compliance evidence have never been so sensitive. This is the context in which the BPR4GDPR (Business Process Re-engineering and functional toolkit for GDPR compliance) tools were conceived. “We’ve come up with the first-ever range of tools that can consider most aspects of GDPR compliance across all phases of a business process life cycle,” says Spiros Alexakis, member of the Board at CAS Software and BPR4GDPR coordinator. “These tools can automatically adapt and transform processes so as to make them compliant with privacy policies, both at design time and following execution.” BPR4GDPR essentially takes on the bulk of the GDPR-related stress endured by company staff, no matter how far they are with implementation. At design time, the project tools and solutions will help businesses understand when predefined behaviours and rules are not compliant and how to adapt. At runtime, they will provide solutions to support or enforce privacy policies. Finally, a posteriori, they will help investigate and analyse non-compliance circumstances.
The project has four main outcomes, as Alexakis notes. “We first have the compliance ontology, a comprehensive privacy-aware access and usage control framework that regulates the overall system operation. Then, we have a privacy-aware re-engineering of business processes that automatically makes process models compliant with the GDPR. The third outcome is a framework to identify compliance discrepancies, and the fourth one is a runtime ‘compliance toolkit’. It provides typical functionalities needed to implement GDPR measures such as encryption, anonymisation and data management tools; and it enforces the rights of data subjects.” The project team trialled its solutions in three pilots focusing respectively on sensitive data in the health and social security sectors, compliance-as-a-service for CRM services in car dealerships, and real estate agencies using cloud services. “The three pilots, apart from common core needs, reflect different compliance requirements. The first round has provided us with valuable feedback in terms of functionality, performance and usability, which was then exploited during the second implementation phase. We are currently conducting the final round, which aims to thoroughly test the solutions, perform the necessary fine-tuning, and pave the way for the exploitation of results beyond the project lifetime,” George Lioudakis, co-founder of ICT Abovo and BPR4GDPR policy framework leader, explains. Renata Medeiros de Carvalho, assistant professor at Eindhoven University of Technology in charge of BPR4GDPR’s scientific coordination and dissemination, is particularly optimistic about outcomes for partners. “We all have different expectations. Large software industries expect to increase their revenues either by offering compliance-as-a-service or by embedding compliance into their products. Meanwhile, technology and consulting SMEs expect a flexible and cost-efficient means to inject compliance into their offerings. Participating law firms benefit from a new consultancy tool for legislation codification, compliance assessment and implementation. Finally, the pilot organisations are now reconsidering their approach to compliance.”
With a few months to go before completion, Alexakis says the project team will now focus on impact creation. This covers the dissemination of project results, interaction with stakeholders and commercial/non-commercial exploitation of project results.
BPR4GDPR, GDPR, compliance, automation, SME, data privacy