Business Process Re-engineering and functional toolkit for GDPR compliance

Periodic Reporting for period 1 - BPR4GDPR (Business Process Re-engineering and functional toolkit for GDPR compliance)

Reporting period: 2018-05-01 to 2019-04-30

There are still difficulties lying in the actual realisation of GDPR regulations. Therefore, BPR4GDPR project focuses on providing a holistic framework that supports end-to-end GDPR-compliant intra- and inter-organisational ICT-enabled processes at various scales, while also being generic enough, fulfilling operational requirements covering diverse application domains.
Several requirements and needed solution characteristics for the holistic BPR4GDPR framework have been identified in the frame of deliverable D2.1 (Use cases and requirements) that need to be considered as challenges for facilitating GDPR compliance for businesses.
The overall objectives and related work in the first period of the project is summarised below:
1. Overall collaboration: establishing the project framework so that the team members can work efficiently together; enabling a joint understanding of project vision and architecture; bringing the team together for realising this vision (work in WP1) – Deliverable D1.1 Project Handbook (due end month M3).

2. Raising awareness of the BPR4GDPR project: disseminating and communicating project results among the industrial, research, academic, and international community; first actions for standardisation and cooperation; top-down and bottom-up market analysis and sustainability plans (work in WP7) – Deliverable D7.1 Project presentation and project website (due by month M3) and D7.2 Initial dissemination, standardisation and exploitation plan (due by month M12).

3. Project Objective I – Reference compliance framework reflecting GDPR requirements and codifying legislation: we are in good progress to deliver the final result R1 “Regulation-driven policy framework” through the joint work between legal and technical experts, as well as project end-users. The bridge between the law and the BPR4GDPR technical solutions is the “compliance ontology” (Deliverable D3.1 Compliance ontology specification, due by month M10 and part of milestone MS2).

4. Project Objective II – Sophisticated security and privacy policies through a comprehensive, rule-based framework: we are in good progress to deliver the final result R1 “Regulation-driven policy framework” through the development of a rule-based policy framework, devised for access and usage control.

5. Project Objective III – By-design privacy-aware process models through modelling technologies and tools: we are in good progress to deliver the final result R1 “Regulation-driven policy framework”.

6. Project Objective IV – Compliance-driven process re-engineering through a set of mechanisms for automating the respective procedures: we are progressing with results R2 “Compliance-driven process re-engineering” and R4 “Process discovery and mining enabling traceability and adaptability”.

7. Project Objective V – Compliance toolkit with PETs, data management tools and functionalities for enforcing data subject rights: we are in good progress to deliver the final result R3 “Compliance toolkit”.

8. Project Objective VI – Implementation of Compliance-as-a-Service (CaaS) at BPR4GDPR Cloud infrastructures: we are progressing with result R5 “Compliance-as-a-Service (CaaS)” through:

9. Project Objective VII – Assessment of BPR4GDPR technology via comprehensive trials for solution assessment and validation: we are progressing with result R6 “Impact creation – holistic innovation approach resulting in sustainable business models” through the pilot deployment and operation, assessment, and market penetration plans in three pilot site ecosystems, covering both stand-alone and as-a-service deployments (IDIKA, the governmental body for the health and social security ICT system in Greece; CAS, a major Cloud solutions provider, which will test BPR4GDPR in the context of providing business services to car dealerships in Germany; Inno and its customer Vistocasa, a real estate agency in Italy). See also Deliverable D6.1 Data protection validation and trials plan (due by month M12 and part of milestone MS3).

10. Project Objective VIII – Impact creation in European research and economy: we are progressing with result R6 “Impact creation – holistic innovation approach resulting in sustainable business models” through the adoption of a clear plan for impact creation that includes activities for raising awareness; the initiation of a BPR4GDPR User Community; and the interaction with standardisation bodies, industry and technology associations, and authorities.

During the first project period (month 1 to month 12), three milestones have been successfully achieved. Main partial objectives included regulatory as well as requirements analyses based on reference use cases, with strong involvement of the participating partners and grounding technical work. Moreover, a first architectural approach and a validation approach have been elaborated. The achieved milestones are described below. For more details please refer to the public deliverables of the project.

MS1 Completion of the first iteration of Task T2.2 (Regulatory analysis) and delivery of the report on the Regulatory analysis and Compliance Workshop D2.2 containing the Regulatory analysis.
MS2 Completion of the first iteration of Tasks T2.1 (Use cases), T2.3 (Functional and non-functional requirements) and T2.4 (System architecture). Delivery of the first version of the use cases and requirements (D2.1 – Use cases and requirements), the first version of the compliance ontology (D3.1 – Compliance ontology specification) and the first complete version of the BPR4GDPR architecture (D2.3 – Initial Specification of BPR4GDPR architecture).
MS3 Completion of the first iteration of Task T6.3 (Trials and validation) and delivery of the Data protection impact analysis Deliverable D6.1, which also comprises the Data protection validation and trials plan.

Currently available privacy technology does not collectively cover important GDPR aspects, while process orientation has not been extensively incorporated either. BPR4GDPR will therefore offer privacy-by-design throughout the entire process lifecycle, based on a broad spectrum of innovations:
• Process analysis and redesign, i.e. automatic verification of process models but also transformation of non-conformant ones.
• A compliance toolkit encompassing sophisticated functionalities, including cryptography, data handling and notification mechanisms, user-centered tools ensuring consent, but also the exercise of other data subjects’ rights.
• Use of process mining for process discovery, process monitoring and controlling, enabling a posteriori analysis and compliance check of running processes.

The results of BPR4GDPR will be packaged into various products and benefit European competitiveness in the global privacy market, where the EU currently appears rather underrepresented.
Besides, by increasing the effectiveness of data protection mechanisms and their integration in the service provision chain of European companies, BPR4GDPR aims at improving their market position in several application domains. This is especially relevant given the trend, challenging from a security and privacy perspective, to develop complex solutions on top of service-oriented architectures by means of workflow-based service compositions. This will further increase income and widen existing markets through customer satisfaction, as well as through new services leveraging the BPR4GDPR mechanisms.