Increase in the use of privacy-by-design principles in ICT systems and services

BPR4GDPR will providing a holistic, yet modular, solution supporting privacy-by-design throughout the entire lifecycle of an organisational process, based collectively on innovative approaches. In fact, BPR4GDPR is a project that has been conceived on the basis of by-design principles, and as such has been prior research that will be leveraged by the project, as well as the innovation activities that the project will execute.

The BPR4GDPR focus is on processes, being either business processes or compositions of services; in fact, service-orientation has evolved as the dominant paradigm in modern software systems, marking a clear shift in software engineering towards autonomous functional entities that interact with each other in a loosely-coupled manner and support the development of rapid, low-cost, interoperable, evolvable, and massively distributed applications. Software services, and workflows thereof, are used in business and data intensive applications, whereas the of the Internet of Things (IoT), Cyber-Physical Systems (CPS), Cloud and Fog computing, provided new ground for service-orientation and workflows, resulting in their broad, or emerging, use in respective application domains, including healthcare, energy, transportation, finance, telecommunications, manufacturing and logistics, critical infrastructures, and others. Therefore, workflows and service compositions that are inherently privacy-aware will contribute to a great extent to the application of privacy-by-design at large scale.

To this end, the BPR4GDPR framework contribution shall be considerable, by ensuring:

  1. the incorporation of comprehensive security and privacy policies in an intuitive manner in process models;
  2. the verification of process models and their transformation so that they are by design privacy-aware;
  3. the enforcement of policies during execution, along with active data protection by means of “a compliance toolkit” and enforcement of data subjects’ rights;
  4. continuous auditing and adaptation of both workflow models and running instances, by means of privacy-aware process mining, for coping with compliance discrepancies.

Furthermore, an intended BPR4GDPR deployment model is to be provided as part of Cloud infrastructures, thereby ensuring compliance of applications running there. We refer to this as Compliance-as-a-Service (CaaS), and it is anticipated to further promote privacy-by-design principles. In fact, there is a growing trend in the use of Cloud, due to flexibility and operational burden reliefs. Gartner predicts an 18% increase in the Public Cloud market in 2017, and adopts the projection that this market will nearly double in 2020 compared to 2016, approaching 400 million dollars. Compared to other software deployment models, IDC claims that by 2020, penetration of Software-as-a-service (SaaS) versus traditional software deployment will be over 25%, whereas packaged software will shrink to 10% of new enterprise installations11. Therefore, the Cloud presents enormous potential impact; in fact, according to a DBO report, the vast majority (74%) of technology CFOs consider Cloud computing as the technology with the most measurable impact on their business in 2017. Therefor, BPR4GDPR expect to exploit this potential and bring privacy-by-design into practice.