Extending Business Process Management for Regulatory Transparency

TL;DR

This paper introduces a process-oriented approach to enhance business process management with regulatory transparency features, enabling modeling, discovery, and checking of personal data flows in cloud-native systems to meet GDPR requirements.

Contribution

It proposes a novel extension to BPMN for regulatory transparency, utilizing event logs and process mining to ensure compliance with data protection laws.

Findings

Extended BPMN with transparency information

Effective discovery of personal data flows

Conformance checking for regulatory compliance

Abstract

Ever-increasingly complex business processes are enabled by loosely coupled cloud-native systems. In such fast-paced development environments, data controllers face the challenge of capturing and updating all personal data processing activities due to considerable communication overhead between development teams and data protection staff. To date, established business process management methods generate valuable insights about systems, however, they do not account for all regulatory transparency obligations. For instance, data controllers need to record all information about data categories, legal purpose specifications, third-country transfers, etc. Therefore, we propose to bridge the gap between business processes and application systems by providing three contributions that assist in modeling, discovering, and checking personal data transparency through a process-oriented perspective. We enable transparency modeling for relevant business activities by providing a plug-in extension to BPMN featuring regulatory transparency information. Furthermore, we utilize event logs to record regulatory transparency information in realistic cloud-native systems. On this basis, we leverage process mining techniques to discover and analyze personal data flows in business processes, e.g., through transparency conformance checking. We design and implement prototypes for all contributions, emphasizing the appropriate integration and modeling effort required to create business-process-oriented transparency. Altogether, we connect current business process engineering techniques with regulatory needs as imposed by the GDPR and other legal frameworks.