Extending Business Process Management for Regulatory Transparency
Jannis Kiesel, Elias Grünewald
TL;DR
The paper tackles the lack of regulatory transparency in business process management (BPM) within cloud-native environments by proposing a tripartite approach that extends BPMN to encode transparent processing details, introduces a cloud-native transparency logging framework, and applies process mining for conformance checking. It advances three interconnected contributions (C1-C3): a BPMN-TILT extension with a Camunda plugin to model ex ante transparency, a logging layer that records regulatory data in a machine-readable JSON format, and process mining-based validation to compare observed processing with normative transparency models. Prototypes implement these ideas using Camunda Modeler, OpenTelemetry, Fluentd, and Elasticsearch, illustrating end-to-end modeling, logging, and analysis to support GDPR-related transparency and accountability. The work enables both ex ante design-time transparency and ex post runtime analysis of personal data flows, aiming to reduce privacy risks and improve regulatory compliance in dynamic, distributed cloud-native systems.
Abstract
Ever-increasingly complex business processes are enabled by loosely coupled cloud-native systems. In such fast-paced development environments, data controllers face the challenge of capturing and updating all personal data processing activities due to considerable communication overhead between development teams and data protection staff. To date, established business process management methods generate valuable insights about systems, however, they do not account for all regulatory transparency obligations. For instance, data controllers need to record all information about data categories, legal purpose specifications, third-country transfers, etc. Therefore, we propose to bridge the gap between business processes and application systems by providing three contributions that assist in modeling, discovering, and checking personal data transparency through a process-oriented perspective. We enable transparency modeling for relevant business activities by providing a plug-in extension to BPMN featuring regulatory transparency information. Furthermore, we utilize event logs to record regulatory transparency information in realistic cloud-native systems. On this basis, we leverage process mining techniques to discover and analyze personal data flows in business processes, e.g., through transparency conformance checking. We design and implement prototypes for all contributions, emphasizing the appropriate integration and modeling effort required to create business-process-oriented transparency. Altogether, we connect current business process engineering techniques with regulatory needs as imposed by the GDPR and other legal frameworks.