
Business process models and simulation to enable GDPR compliance

  • Regular Contribution
  • International Journal of Information Security

Abstract

The General Data Protection Regulation (GDPR) provides European individuals with a regulatory framework for personal data protection and privacy. Compliance with this regulation is an essential challenge for organisations that store, transmit, and process personal data: European data protection authorities impose fines running into millions for non-compliance. At present, organisations rely on non-automated solutions to achieve regulatory compliance, so expensive manual implementation and audits are needed to ensure GDPR compliance. To avoid these drawbacks, this paper presents a data model and a business process model as a first step towards designing automated mechanisms for implementing the GDPR. Furthermore, the proposed models are used to support business process simulation (BPS), covering performance, cost, and scalability, in order to evaluate the human-resource impact and the execution time that our proposal could have in organisations. These factors support informed decision-making by the data controller: which types of resources are needed to reach a suitable level of compliance, and what degree of GDPR compliance is thereby obtained. Given the large number of legal articles in the GDPR and the space limitation herein, we focus on Articles 33 and 34, regarding notification and communication of a personal data breach.



Data availability

Following open science good practices, the artefacts generated in this work are publicly available, in their latest version, in a repository at https://github.com/GDPRresearch/SimulationResults.

Notes

  1. https://www.enforcementtracker.com/

  2. Due to this requirement, we added the Affected Information System data entity.

  3. These measures include the LessonLearning data entity.

  4. Since the personal data breach must be documented, it must first be pre-analysed and stored; this is the origin of the activities Analyse PDB and Fill in PDB.

  5. Due to this requirement, we added the QualityMitigationMeasures data entity.

  6. Business Process Model and Notation.

  7. Decision Model and Notation: https://www.omg.org/spec/DMN.

  8. ©2023, Apromore Pty Ltd. https://apromore.com/.


Acknowledgements

This work was supported by the Spanish R&D Research Programme by means of grants AETHER-US PID2020-112540RB-C44 funded by MCIN/AEI/10.13039/501100011033 and ALBA-US TED2021-130355B-C32 funded by MCIN/AEI/10.13039/501100011033/Unión Europea NextGenerationEU/PRTR.

Author information


Corresponding author

Correspondence to Ángel Jesús Varela-Vaca.

Ethics declarations

Competing interests

The authors have no conflict of interest to declare.



About this article


Cite this article

Varela-Vaca, Á.J., Gómez-López, M.T., Morales Zamora, Y. et al. Business process models and simulation to enable GDPR compliance. Int. J. Inf. Secur. 24, 41 (2025). https://doi.org/10.1007/s10207-024-00952-7
