Periodic Reporting for period 2 - BPR4GDPR (Business Process Re-engineering and functional toolkit for GDPR compliance) Reporting period: 2019-05-01 to 2021-04-30 Summary of the context and overall objectives of the project There are still difficulties lying in the actual realisation of GDPR regulations. Therefore, BPR4GDPR project focuses on providing a holistic framework that supports end-to-end GDPR-compliant intra- and inter-organisational ICT-enabled processes at various scales, while also being generic enough, fulfilling operational requirements covering diverse application domains. Requirements and needed solution characteristics for the holistic BPR4GDPR framework have been assessed in the frame of deliverables D6.3 Final Validation and assesment report. In the same deliverable we have linked the KPI's to the technical project objectives.The overall objectives and related work in the second reporting period of the project are summarised below:Project Objective I – Reference compliance framework reflecting GDPR requirements and codifying legislation: we have delivered the final result R1 “Regulation-driven policy framework” through the joint work between legal and technical experts, as well as project end-users. Project Objective II – Sophisticated security and privacy policies through a comprehensive, rule-based framework: we have delivered the final result R1 “Regulation-driven policy framework” through the development of a rule-based policy framework, devised for access and usage control.Project Objective III – by design privacy-aware process models through modelling technologies and tools: we have delivered the final result R1 “Regulation-driven policy framework” .Project Objective IV – Compliance-driven process re-engineering through a set of mechanisms for automating the respective procedures: We have delivered results R2 “Compliance-driven process re-engineering” and R4 “Process discovery and mining enabling traceability and adaptability”.Project Objective V – Compliance toolkit with PETs, data management tools and functionalities for enforcing data subject rights: we have delivered the final result R3 “Compliance toolkit”.Project Objective VI – Implementation of Compliance-as-a-Service (CaaS) at BPR4GDPR Cloud infrastructures: we have delivered result R5 “Compliance-as-a-Service (CaaS)”.Project Objective VII – Assessment of BPR4GDPR technology via comprehensive trials for Solution Assessment and Validation: we have delivered result R6 “Impact creation – holistic innovation approach resulting in sustainable business models” through the pilot deployment and operation, assessment, and market penetration plans in three pilot site ecosystems, covering both stand-alone and as-a-service (IDIKA, the governmental body for health and social security ICT system in Greece; CAS, a major Cloud solutions provider, that will test BPR4GDPR in the context of providing business services to car dealerships in Germany; Inno and its customer Vistocasa, a real estate agency in Italy). Project Objective VIII – Impact creation in European research and economy: we ahave delivered result R6 “Impact creation – holistic innovation approach resulting in sustainable business models” through the adoption of a clear plan for impact creation that includes activities for raising awareness;the initiation of a BPR4GDPR User Community; the interaction with standardisation bodies, industry and technology associations and authorities. Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far During the second reporting period (month 13 to month 24), two milestones have been successfully achieved. The second project phase – the actual development phase – includes the iterative implementation of the main pillars of the BPR4GDPR solution, namely the policy framework (WP3), the privacy-aware process engineering (WP4), and the compliance toolkit (WP5). With the achievement of milestone 4 (M18), the first iteration of the development phase has finished with the release of fully working prototypes.In parallel, assessment, trials and validation (WP6) are progressing in the frame of the third project phase, the validation phase. Here the BPR4GDPR solutions are deployed, operated and validated within production environments, being under continuous assessment as regards regulatory compliance and other important aspects. Work in this reporting period includes regulatory and framework assessment, as well as further refinement of the trial cases and definition of KPIs.Horizontal work includes project management (WP1) and dissemination, standardisation and exploitation activities (WP7), with a view to achieving active presence, raising awareness, and paving the way for industrial impact creation.The achieved milestones are described below. For more details please refer to the public deliverables of the project.MS6 Refined architecture definition (M26)MS7 Final Prototypes of BPR4GDPR technology (M31)MS8 Trial demonstration of the achievements '(M36)Moreover, we have finalized the following prototypes:• Compliance ontology• Rule-based access and usage control• Reasoning and knowledge extraction• Compliance metamodel• Process verification and transformation• Process discovery and continuous adaptation• Privacy enhancement tools• Data Management Bus• User centred toolsIn addition, we have produced deployment guidelines, as a basis for further adoptions (deliverable D6.4)The above tools have been integrated and deployed in the three pilots. Specific workshops were performed demonstrating the tools and their usage. Impact creation activities: The project continued with dissemination and standardization activities. For exploitation main effort was put on the definition of the MVP of each exploitable asset and group of assets (feature sets). Furthermore, the consortium did a thorough analysis of the business perspectives, including market, competition and pricing, of each asset. Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far) Currently available privacy technology does not collectively cover important GDPR aspects, while process orientation has not been extensively incorporated either. BPR4GDPR will therefore offer privacy-by-design throughout the entire process lifecycle, based on a broad spectrum of innovations: • Process analysis and redesign, i.e. automatic verification of process models but also transformation of non-conformant ones.• A compliance toolkit encompassing sophisticated functionalities, including cryptography, data handling and notification mechanisms, user-centered tools ensuring consent, but also the exercise of other data subjects’ rights.• Use of process mining for process discovery, process monitoring and controlling, enabling a posteriori analysis and compliance check of running processes.The results of BPR4GDPR will be packaged to various products and benefit European competitiveness in the global privacy market, where EU currently appears rather underrepresented. Based on our experiences during validation and dissemination, we will follow a joint exploitation approach, clustering the assets to feature sets, which for a customer-centric application. In the frame of the pilots, three feature sets have been identified. A feature set consists of several BPR4GDPR assets that form an application, targeting specific needs of a customer: • Process model re-engineering framework and authorisation engine adressing companies with complex processes,• User centered GDPR compliance toolkit for the enforcement of the data subjects’ rights, adressing all organisations using business software and in need to comply to GDPR,• Analysis tools for detecting risks and vulnerabilities is supporting organisations exposed to vulnerabilities.