Deriving Workflow Privacy Patterns from Legal Documents

Abstract

The General Data Protection Regulation (GDPR) has strengthened the importance of data privacy and protection for enterprises offering their services in the EU. An important part of intensified efforts towards better privacy protection is enterprise workflow (re)design. In particular, the GDPR as strengthen the imperative to apply the privacy by design principle when (re)designing workflows. A conforming and promising approach is to model privacy relevant workflow fragments as Workflow Privacy Patterns (WPPs). Such WPPs allow to specify abstract templates for recurring data-privacy problems in workflows. Thus, WPPs are intended to support workflow engineers, auditors and privacy officers by providing pre-validated patterns that comply with existing data privacy regulations. However, it is unclear yet how to obtain WPPs systematically with an appropriate level of detail. In this paper, we introduce our approach to derive WPPs from legal texts and similar normative regulations. We propose a structure of a WPP, which we derive from pattern approaches from other research areas. We also introduce a framework that allows to design WPPs which make legal regulations accessible for persons who do not possess in-depth legal expertise. We have applied our approach to different articles of the GDPR, and we have obtained evidence that we can transfer legal text into a structured WPP representation. If a workflow correctly implements a WPP that has been designed that way, the workflow automatically complies to the respective fragment of the underlying legal text.