Benefits and Impact
BPR4GDPR adopts a holistic approach for GDPR compliance, addressing the requirements during different operational phases. In this context, BPR4GDPR will facilitate the enforcement of appropriate organisational and technical measures required for data protection, by automating several aspects of “compliance engineering”. To this end, it will be based on a number of enabling pillars:
- Comprehensive security and data protection policies
- Incorporation of policies into process models
- Automatic process models re-engineering in terms of compliance-aware verification and transformation
- Tools for facilitating run-time compliance enforcement
- Process mining for the identification of compliance discrepancies and discovery of organisational procedures
As such, BPR4GDPR is expected to be a project with high impact. The proposal is in fact fully aligned with the impact expectations of the DS-08-2016 call, as follows:
Support for Fundamental Rights in Digital Society.
BPR4GDPR is focused exactly on the protection of a fundamental human right: privacy. Indeed, from a philosophical perspective, the notion of privacy has broad historical roots; for instance, consider Aristotle’s distinction between the public sphere of political activity and the private sphere associated with domestic life, or the “Hippocratic Oath”, the seminal document on the ethics of medical practice that explicitly included privacy among the medical morals. Nowadays, privacy is recognised as a fundamental human right by the Universal Declaration of Human Rights of the United Nations, the European Convention on Human Rights, as well as the Charter of Fundamental Rights of the European Union, and is protected by relevant legislation in all democratic countries throughout the world, with the GDPR being the cornerstone of this legislation.
According to the famous cartoon of Pat Steiner in The New Yorker in 1993, “on the internet, nobody knows you’re a dog”; this has been frequently cited in order to emphasise the potential for anonymity and privacy that the Internet was supposed to offer. However, reality proves to be different and, in fact, more than a century after the first essay identifying that privacy was endangered by technological advances, never before in history have citizens been more concerned about their personal privacy and the threats posed by emerging technologies. Recent technological advances spur an information revolution that brings significant improvements to quality of life, but, on the other hand, they pose serious risks to privacy: the scale of personal data collection is augmented; information access, processing, aggregation, combination and linking are facilitated; new types of data are collected; and personal information is increasingly viewed as a valuable asset that is traded.
To this end, the protection of privacy is the overarching goal of BPR4GDPR, which aims at providing a set of comprehensive technologies for realising the privacy-by-design vision. The BPR4GDPR solutions span a range of technologies (process management, data management, advanced cryptography, etc.) and tackle the four major aspects of privacy according to Solove’s reference taxonomy, namely information collection, information processing, information dissemination and invasion, thereby ensuring that operations are executed in a privacy-aware, GDPR-compliant manner. Therefore, BPR4GDPR is expected to have considerable impact on the protection of privacy as a fundamental human right. This is also supported by the anticipated diffusion of the project results as regards their dissemination, exploitation, standardisation, communication and awareness raising. Further, uptake of the results, and therefore contribution to privacy protection, is expected due to the different deployment modes considered, i.e., stand-alone and as-a-service, which provide for immediate application at large scale on the Cloud.
Furthermore, it should not be neglected that the BPR4GDPR solutions will be tested by means of comprehensive use cases, which involve sensitive data and therefore raise serious privacy concerns. Especially as regards the IDIKA use case, dealing with health and social security data at national scale, it should be noted that IDIKA is the National Contact Point for these domains, participating in the associated European clusters and instruments. Therefore, it will provide for pan-European impact creation in these sensitive fields.
Increased Trust and Confidence in the Digital Single Market
As the global economy is rapidly becoming digital, ICT is no longer a sector but the foundation of innovative economic systems. These changes bring immense opportunities for innovation, growth and jobs and, therefore, the European Commission has identified the completion of the Digital Single Market (DSM) as one of its priorities. The potential contribution to European GDP from achieving such a fully functioning DSM has been estimated at 415 billion Euros.
On the other hand, a basic element for economic sustainability is trust; there is a strong correlation between the level of trust and economic growth and prosperity. Indeed, results from recent surveys about DSM obstacles show that concerns about personal data being misused are ranked among the most frequently reported. The DSM, and the digital economy as a whole, face setbacks because of privacy risks.
In view of the above, one of the most important anticipated impacts of BPR4GDPR is to increase users’ confidence in ICT products and services, as well as their trust in service providers. To this end, it will bring innovative tools that will facilitate the implementation of GDPR provisions, in terms of comprehensive technical and organisational measures, thus achieving compliance and a high level of protection.
It should be stressed that the BPR4GDPR solutions target in particular SMEs, which account for more than 90% of European enterprises. Therefore, considering also the large customer base of project partners, the cloud-based, as-a-service provision model that implies immediate applicability, as well as the marketing and dissemination strategy of the project, it is expected that the critical mass of BPR4GDPR solutions deployed in operational environments will be reached quickly. Indeed, the BPR4GDPR consortium has the appropriate capacity in terms of customer base, geographical distribution across Europe and beyond, and type of business model (industry, innovation, service provision, consulting, law) to act as an enabler for fast and broad diffusion.
An important aspect towards achieving an increase of trust at considerable scale is the Compliance-as-a-Service (CaaS) concept that BPR4GDPR introduces. Supported by innovative project tools (e.g., process re-engineering automation) and the compliance toolkit of privacy-enhancing mechanisms, compliance will be delivered out-of-the-box to customers of cloud-based solutions. The contribution of leveraging CRM/xRM functionality as a trust enabler should not be neglected here either: by making compliance an indispensable part of the relation between providers and customers, mainly in terms of the enforcement of data subjects’ rights, data protection and compliance thereof will not only be enforced, but also experientially manifested, thus increasing customer trust.
An additional contribution of BPR4GDPR in this context will be its awareness-raising strategy, by all available dissemination means, as well as the BPR4GDPR User Community, that will be leveraged also for the assessment of social aspects of the BPR4GDPR results.
Increase in the use of privacy-by-design principles in ICT systems and services
BPR4GDPR will provide a holistic, yet modular, solution supporting privacy-by-design throughout the entire lifecycle of an organisational process, based collectively on innovative approaches. In fact, BPR4GDPR is a project that has been conceived on the basis of by-design principles, and so has the prior research that will be leveraged by the project, as well as the innovation activities that the project will execute.
The BPR4GDPR focus is on processes, being either business processes or compositions of services; in fact, service-orientation has evolved as the dominant paradigm in modern software systems, marking a clear shift in software engineering towards autonomous functional entities that interact with each other in a loosely-coupled manner and support the development of rapid, low-cost, interoperable, evolvable, and massively distributed applications. Software services, and workflows thereof, are used in business and data intensive applications, whereas the emergence of the Internet of Things (IoT), Cyber-Physical Systems (CPS), Cloud and Fog computing has provided new ground for service-orientation and workflows, resulting in their broad, or emerging, use in respective application domains, including healthcare, energy, transportation, finance, telecommunications, manufacturing and logistics, critical infrastructures, and others. Therefore, workflows and service compositions that are inherently privacy-aware will contribute to a great extent to the application of privacy-by-design at large scale.
To this end, the BPR4GDPR framework contribution shall be considerable, by ensuring:
- the incorporation of comprehensive security and privacy policies in an intuitive manner in process models;
- the verification of process models and their transformation so that they are by design privacy-aware;
- the enforcement of policies during execution, along with active data protection by means of “a compliance toolkit” and enforcement of data subjects’ rights;
- continuous auditing and adaptation of both workflow models and running instances, by means of privacy-aware process mining, for coping with compliance discrepancies.
Furthermore, an intended BPR4GDPR deployment model is to be provided as part of Cloud infrastructures, thereby ensuring compliance of applications running there. We refer to this as Compliance-as-a-Service (CaaS), and it is anticipated to further promote privacy-by-design principles. In fact, there is a growing trend in the use of Cloud, due to flexibility and relief from operational burdens. Gartner predicts an 18% increase in the Public Cloud market in 2017, and adopts the projection that this market will nearly double in 2020 compared to 2016, approaching 400 million dollars. Compared to other software deployment models, IDC claims that by 2020, penetration of Software-as-a-Service (SaaS) versus traditional software deployment will be over 25%, whereas packaged software will shrink to 10% of new enterprise installations. Therefore, the Cloud presents enormous potential impact; in fact, according to a DBO report, the vast majority (74%) of technology CFOs consider Cloud computing as the technology with the most measurable impact on their business in 2017. Therefore, BPR4GDPR expects to exploit this potential and bring privacy-by-design into practice.