Achieving GDPR Compliance of BPMN Process Models

  • Simone Agostinelli
  • Fabrizio Maria Maggi
  • Andrea MarrellaEmail author
  • Francesco Sapio
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 350)


In an increasingly digital world, where processing and exchange of personal data are key parts of everyday enterprise business processes (BPs), the right to data privacy is regulated and actively enforced in the Europe Union (EU) through the recently introduced General Data Protection Regulation (GDPR), whose aim is to protect EU citizens from privacy breaches. In this direction, GDPR is highly influencing the way organizations must approach data privacy, forcing them to rethink and upgrade their BPs in order to become GDPR compliant. For many organizations, this can be a daunting task, since little has been done so far to easily identify privacy issues in BPs. To tackle this challenge, in this paper, we provide an analysis of the main privacy constraints in GDPR and propose a set of design patterns to capturing and integrating such constraints in BP models. Using BPMN (Business Process Modeling Notation) as modeling notation, our approach allows us to achieve full transparency of privacy constraints in BPs making it possible to ensure their compliance with GDPR.


Data privacy GDPR Process models BPMN 


  1. 1.
    Altuhhova, O., Matulevicius, R., Ahmed, N.: An extension of business process model and notation for security risk management. Int. J. Inf. Syst. Model. Design 4(4), 93–113 (2013)CrossRefGoogle Scholar
  2. 2.
    Ayed, G.B., Ghernaouti-Helie, S.: Processes view modeling of identity-related privacy business interoperability: considering user-supremacy federated identity technical model and identity contract negotiation. In: ASONAM 2012 (2012)Google Scholar
  3. 3.
    Basin, D., Debois, S., Hildebrandt, T.: On purpose and by necessity: compliance under the GDPR. In: Proceedings Financial Cryptography and Data Security, vol. 18 (2018)Google Scholar
  4. 4.
    Brucker, A.D.: Integrating security aspects into business process models. Inf. Technol. 55(6), 239–246 (2013)Google Scholar
  5. 5.
    Carey, P.: Data Protection: A Practical Guide to UK and EU Law. Oxford University Press Inc., Oxford (2018)Google Scholar
  6. 6.
    Cherdantseva, Y., Hilton, J., Rana, O.: Towards secureBPMN - aligning BPMN with the information assurance and security domain. In: Mendling, J., Weidlich, M. (eds.) BPMN 2012. LNBIP, vol. 125, pp. 107–115. Springer, Heidelberg (2012). Scholar
  7. 7.
    Chergui, M.E.A., Benslimane, S.M.: A valid BPMN extension for supporting security requirements based on cyber security ontology. In: Abdelwahed, E.H., Bellatreche, L., Golfarelli, M., Méry, D., Ordonez, C. (eds.) MEDI 2018. LNCS, vol. 11163, pp. 219–232. Springer, Cham (2018). Scholar
  8. 8.
    Labda, W., Mehandjiev, N., Sampaio, P.: Modeling of privacy-aware business processes in BPMN to protect personal data. In: SAC 2014, pp. 1399–1405 (2014)Google Scholar
  9. 9.
    Maines, C.L., Zhou, B., Tang, S., Shi, Q.: Adding a third dimension to BPMN as a means of representing cyber security requirements. In: DeSE 2016 (2016)Google Scholar
  10. 10.
    Maines, C.L., Llewellyn-Jones, D., Tang, S., Zhou, B.: A cyber security ontology for BPMN-security extensions. In: CIT 2015 (2015)Google Scholar
  11. 11.
    Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in service-oriented business process management. In: ARES 2009 (2009)Google Scholar
  12. 12.
    Petersen, S.A., Mannhardt, F., Oliveira, M., Torvatn, H.: A framework to navigate the privacy trade-offs for human-centred manufacturing. In: Camarinha-Matos, L.M., Afsarmanesh, H., Rezgui, Y. (eds.) PRO-VE 2018. IAICT, vol. 534, pp. 85–97. Springer, Cham (2018). Scholar
  13. 13.
    Pullonen, P., Matulevičius, R., Bogdanov, D.: PE-BPMN: privacy-enhanced business process model and notation. In: Carmona, J., Engels, G., Kumar, A. (eds.) BPM 2017. LNCS, vol. 10445, pp. 40–56. Springer, Cham (2017). Scholar
  14. 14.
    Robol, M., Salnitri, M., Giorgini, P.: Toward GDPR-compliant socio-technical systems: modeling language and reasoning framework. In: Poels, G., Gailly, F., Serral Asensio, E., Snoeck, M. (eds.) PoEM 2017. LNBIP, vol. 305, pp. 236–250. Springer, Cham (2017). Scholar
  15. 15.
    Rodríguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE Trans. Inf. Syst. 90(4), 745–752 (2007)CrossRefGoogle Scholar
  16. 16.
    Salnitri, M., Dalpiaz, F., Giorgini, P.: Designing secure business processes with SecBPMN. Softw. Syst. Model. 16(3), 737–757 (2017)CrossRefGoogle Scholar
  17. 17.
    Sang, K.S., Zhou, B.: BPMN security extensions for healthcare process. In: CIT 2015 (2015)Google Scholar
  18. 18.
    Tom, J., Sing, E., Matulevičius, R.: Conceptual representation of the GDPR: model and application directions. In: Zdravkovic, J., Grabis, J., Nurcan, S., Stirna, J. (eds.) BIR 2018. LNBIP, vol. 330, pp. 18–28. Springer, Cham (2018). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Simone Agostinelli
    • 1
  • Fabrizio Maria Maggi
    • 2
  • Andrea Marrella
    • 1
    Email author
  • Francesco Sapio
    • 1
  1. 1.DIAGSapienza University of RomeRomeItaly
  2. 2.University of TartuTartuEstonia

Personalised recommendations