DOI: 10.1145/3098954.3104057
Research article, ARES conference proceedings

Orchestrating Privacy Enhancing Technologies and Services with BPM Tools: The WITDOM Data Protection Orchestrator

Published: 29 August 2017

Abstract

Privacy is a highly complex subject, especially when it comes to balancing data subjects' expectations, requirements and needs with i) the objectives of service providers and data controllers, and ii) the variety of legal obligations that dictate the protection rights of data subjects and the responsibilities of data controllers. This requires technical solutions capable of providing different and adequate levels of privacy, while still attending to data subjects' preferences and business objectives. The Data Protection Orchestrator (DPO) developed in the context of the WITDOM project meets this challenge by interacting with different Protection Enhancing Technologies or Services following a set of pre-defined protection processes, so as to support the automated management of trade-offs between privacy, performance and utility. By leveraging Business Process Management standards, the DPO is capable of making data protection processes and practices (such as automated anonymization or management of data subjects' consent) integral to other core business services, as intended by the data protection by design and by default approach of the EU's GDPR. The DPO's capabilities will be explained in the context of two complementary scenarios: the eHealth scenario, where the DPO will be used to protect genomic data, and the financial scenario, where the DPO will be responsible for protecting the transaction history and personal attributes of the bank's customers.

Cited By

  • (2023) Translating Privacy Design Principles Into Human-Centered Software Lifecycle: A Literature Review. International Journal of Human–Computer Interaction 40(17), 4465-4483. https://doi.org/10.1080/10447318.2023.2219964. Online publication date: 20 Jun 2023
  • (2021) Privacy Design Strategies and the GDPR: A Systematic Literature Review. HCI for Cybersecurity, Privacy and Trust, 241-257. https://doi.org/10.1007/978-3-030-77392-2_16. Online publication date: 3 Jul 2021

Published In

ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and Security
August 2017
853 pages
ISBN:9781450352574
DOI:10.1145/3098954

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Anonymization
  2. Business Process Management
  3. Data Protection
  4. Privacy
  5. Privacy Enhancing Services
  6. Privacy Enhancing Technologies
  7. Trust

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES '17
ARES '17: International Conference on Availability, Reliability and Security
August 29 - September 1, 2017
Reggio Calabria, Italy

Acceptance Rates

ARES '17 Paper Acceptance Rate 100 of 191 submissions, 52%;
Overall Acceptance Rate 228 of 451 submissions, 51%
