Antonio Capodieci,Luca Mainetti,Stefano Lisi,Roberto Paiano,Sara Matino,Mariavittoria Ugirashebuja

DOI: https://doi.org/10.1007/s11042-024-20308-6

IF: 2.577

2024-11-06

Multimedia Tools and Applications

Abstract:The European Parliament adopted the European General Data Protection Regulation (GDPR, EU 2016/679), which revolutionized the legislative framework for personal data protection within the European Union. The GDPR mandates organizations to shift from a passive approach, relying on minimum security measures outlined in the 1994 EU Directive, to a proactive accountability-based approach. Organizations are expected to implement verification systems, foster continuous improvement, and follow principles such as privacy by design and privacy by default. The latter principle emphasizes incorporating privacy considerations throughout the entire engineering process. The challenge for organizations lies in effectively auditing their compliance with the GDPR. This study proposes a structured approach based on the business process modeling to aid in GDPR compliance. It involves identifying crucial compliance points for the GDPR. A case study is presented where the method is applied to a purchase of a health insurance policy process in the context of the Secure Safe Apulia project.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Elias Grünewald,Jannis Kiesel,Siar-Remzi Akbayin,Frank Pallas

2023-06-05

Abstract:Transparency is one of the most important principles of modern privacy regulations, such as the GDPR or CCPA. To be compliant with such regulatory frameworks, data controllers must provide data subjects with precise information about the collection, processing, storage, and transfer of personal data. To do so, respective facts and details must be compiled and always kept up to date. In traditional, rather static system environments, this inventory (including details such as the purposes of processing or the storage duration for each system component) could be done manually. In current circumstances of agile, DevOps-driven, and cloud-native information systems engineering, however, such manual practices do not suit anymore, making it increasingly hard for data controllers to achieve regulatory compliance. To allow for proper collection and maintenance of always up-to-date transparency information smoothly integrating into DevOps practices, we herein propose a set of novel approaches explicitly tailored to specific phases of the DevOps lifecycle most relevant in matters of privacy-related transparency and accountability at runtime: Release, Operation, and Monitoring. For each of these phases, we examine the specific challenges arising in determining the details of personal data processing, develop a distinct approach and provide respective proof of concept implementations that can easily be applied in cloud native systems. We also demonstrate how these components can be integrated with each other to establish transparency information comprising design- and runtime-elements. Furthermore, our experimental evaluation indicates reasonable overheads. On this basis, data controllers can fulfill their regulatory transparency obligations in line with actual engineering practices.

Distributed, Parallel, and Cluster Computing,Cryptography and Security,Computers and Society,Software Engineering

Elias Grünewald,Johannes M. Halkenhäußer,Nicola Leschke,Johanna Washington,Cristina Paupini,Frank Pallas

DOI: https://doi.org/10.48550/arXiv.2302.10991

2023-04-17

Abstract:Transparency regarding the processing of personal data in online services is a necessary precondition for informed decisions on whether or not to share personal data. In this paper, we argue that privacy interfaces shall incorporate the context of display, personal preferences, and individual competences of data subjects following the principles of universal design and usable privacy. Doing so requires -- among others -- to consciously decouple the provision of transparency information from their ultimate presentation. To this end, we provide a general model of how transparency information can be provided from a data controller to data subjects, effectively leveraging machine-readable transparency information and facilitating versatile presentation interfaces. We contribute two actual implementations of said model: 1) a GDPR-aligned privacy dashboard and 2) a chatbot and virtual voice assistant enabled by conversational AI. We evaluate our model and implementations with a user study and find that these approaches provide effective and time-efficient transparency. Consequently, we illustrate how transparency can be enhanced using machine-readable transparency information and how data controllers can meet respective regulatory obligations.

Software Engineering,Cryptography and Security,Computers and Society

Elias Grünewald,Johannes M. Halkenhäußer,Nicola Leschke,Frank Pallas

DOI: https://doi.org/10.48550/arXiv.2309.00382

2023-09-05

Abstract:Transparency and accountability are indispensable principles for modern data protection, from both, legal and technical viewpoints. Regulations such as the GDPR, therefore, require specific transparency information to be provided including, e.g., purpose specifications, storage periods, or legal bases for personal data processing. However, it has repeatedly been shown that all too often, this information is practically hidden in legalese privacy policies, hindering data subjects from exercising their rights. This paper presents a novel approach to enable large-scale transparency information analysis across service providers, leveraging machine-readable formats and graph data science methods. More specifically, we propose a general approach for building a transparency analysis platform (TAP) that is used to identify data transfers empirically, provide evidence-based analyses of sharing clusters of more than 70 real-world data controllers, or even to simulate network dynamics using synthetic transparency information for large-scale data-sharing scenarios. We provide the general approach for advanced transparency information analysis, an open source architecture and implementation in the form of a queryable analysis platform, and versatile analysis examples. These contributions pave the way for more transparent data processing for data subjects, and evidence-based enforcement processes for data protection authorities. Future work can build upon our contributions to gain more insights into so-far hidden data-sharing practices.

Computers and Society,Cryptography and Security,Software Engineering,Social and Information Networks

Matteo Magnani,Danilo Montesi

DOI: https://doi.org/10.48550/arXiv.0907.1978

2009-07-12

Abstract:The design of business processes involves the usage of modeling languages, tools and methodologies. In this paper we highlight and address a relevant limitation of the Business Process Modeling Notation (BPMN): its weak data representation capabilities. In particular, we extend it with data-specific constructs derived from existing data modeling notations and adapted to blend gracefully into BPMN diagrams. The extension has been developed taking existing modeling languages and requirement analyses into account: we characterize our notation using the Workfl ow Data Patterns and provide mappings to the main XML-based business process languages.

Software Engineering,Databases

Fei Yu,Lipeng Guo,Liang Zhang

DOI: https://doi.org/10.1007/978-981-10-1019-4_3

2016-01-01

Abstract:The reality of big data opens up a new world for business process modeling. Omnipresent cases and workflow logs are getting accessible, which implies the chance to exploit important patterns hidden in them so as to cut down the modeling cost or to improve the quality of process models. To take the full advantage of big data in process-aware systems (PASs), we propose a novel business process modeling technique that leverages the modeling by cases and workflow logs analysis. It uses the average perceptron to analyze both of existing process structure of cases and co-occurrence relation of activities in workflow logs. In contrast to traditional manual efforts, it improves the performance significantly by recommending proved working patterns. Comparing to recent process mining strategies, it serves the modeling online with meaningful process segments. We evaluate our approach against a synthesis dataset (100 processes and 10,000 log items generated by the plugin PLG in ProM) and real data from public business processes (77 processes in the package Paul Fisher workflows for benchmarks PR and CA2 from the website myExperiment). The study reveals that 9.46 % improvement in precision can be gained by considering both case structure and log items in contrast to the structure only, or 5.94 % gaining in contrast to mere logs. Our evaluation validates the effectiveness of the proposed technique and efficiency when we applying it on real modeling scenarios.

Hugo A. López,Søren Debois,Tijs Slaats,Thomas T. Hildebrandt

DOI: https://doi.org/10.1007/978-3-030-45234-6_19

2020-01-01

Abstract:Legal compliance is an important part of certifying the correct behaviour of a business process. To be compliant, organizations might hard-wire regulations into processes, limiting the discretion that workers have when choosing what activities should be executed in a case. Worse, hard-wired compliant processes are difficult to change when laws change, and this occurs very often. This paper proposes a model-driven approach to process compliance and combines a) reference models from laws, and b) business process models. Both reference and process models are expressed in a declarative process language, The Dynamic Condition Response (DCR) graphs. They are subject to testing and verification, allowing law practitioners to check consistency against the intent of the law. Compliance checking is a combination of alignments between events in laws and events in a process model. In this way, a reference model can be used to check different process variants. Moreover, changes in the reference model due to law changes do not necessarily invalidate existing processes, allowing their reuse and adaptation. We exemplify the framework via the alignment of laws and business rules and a real contract change management process, Finally, we show how compliance checking for declarative processes is decidable, and provide a polynomial time approximation that contrasts NP complexity algorithms used in compliance checking for imperative business processes. All-together, this paper presents technical and methodological steps that are being used by legal practitioners in municipal governments in their efforts towards digitalization of work practices in the public sector.

Sabrina Kirrane,Javier D. Fernández,Piero Bonatti,Uros Milosevic,Axel Polleres,Rigo Wenning

DOI: https://doi.org/10.48550/arXiv.2001.09461

2020-01-26

Cryptography and Security

Abstract:The European General Data Protection Regulation (GDPR) brings new challenges for companies who must ensure they have an appropriate legal basis for processing personal data and must provide transparency with respect to personal data processing and sharing within and between organisations. Additionally, when it comes to consent as a legal basis, companies need to ensure that they comply with usage constraints specified by data subjects. This paper presents the policy language and supporting ontologies and vocabularies, developed within the SPECIAL EU H2020 project, which can be used to represent data usage policies and data processing and sharing events. We introduce a concrete transparency and compliance architecture, referred to as SPECIAL-K, that can be used to automatically verify that data processing and sharing complies with the data subjects consent. Our evaluation, based on a new compliance benchmark, shows the efficiency and scalability of the system with increasing number of events and users.

Finn Klessascheck,Stephan A. Fahrenkrog-Petersen,Jan Mendling,Luise Pufahl

2024-09-12

Abstract:To promote sustainable business practices, and to achieve climate neutrality by 2050, the EU has developed the taxonomy of sustainable activities, which describes when exactly business practices can be considered sustainable. While the taxonomy has only been recently established, progressively more companies will have to report how much of their revenue was created via sustainably executed business processes. To help companies prepare to assess whether their business processes comply with the constraints outlined in the taxonomy, we investigate in how far these criteria can be used for conformance checking, that is, assessing in a data-driven manner, whether business process executions adhere to regulatory constraints. For this, we develop a few-shot learning pipeline to characterize the constraints of the taxonomy with the help of an LLM as to the process dimensions they relate to. We find that many constraints of the taxonomy are useable for conformance checking, particularly in the sectors of energy, manufacturing, and transport. This will aid companies in preparing to monitor regulatory compliance with the taxonomy automatically, by characterizing what kind of information they need to extract, and by providing a better understanding of sectors where such an assessment is feasible and where it is not.

Computers and Society,Databases

Aleksander Slominski,Vinod Muthusamy

DOI: https://doi.org/10.48550/arXiv.1906.10415

2019-06-25

Computers and Society

Abstract:Authoring, developing, monitoring, and analyzing business processes has requires both domain and IT expertise since Business Process Management tools and practices have focused on enterprise applications and not end users. There are trends, however, that can greatly lower the bar for users to author and analyze their own processes. One emerging trend is the attention on blockchains as a shared ledger for parties collaborating on a process. Transaction logs recorded in a standard schema and stored in the open significantly reduces the effort to monitor and apply advanced process analytics. A second trend is the rapid maturity of machine learning algorithms, in particular deep learning models, and their increasing use in enterprise applications. These cognitive technologies can be used to generate views and processes customized for an end user so they can modify them and incorporate best practices learned from other users' processes. Keywords: BPM, cognitive computing, blockchain, privacy, machine learning

Kevin Andrews,Manfred Reichert

DOI: https://doi.org/10.48550/arXiv.2107.09753

2021-07-21

Abstract:Business process management systems from various vendors are used by companies around the globe. Most of these systems allow for the full or partial automation of business processes by ensuring that tasks and data are presented to the right person at the right time during process execution. However, almost all established BPMS employ the activity-centric process support paradigm, in which the various forms, i.e., the main way for users to input data into the process, have to be created by hand. Furthermore, traditional activity-centric process management systems are limited in their flexibility as all possible execution variants have to be taken into account by the process modeler. Therefore, large amounts of research have gone into developing alternative process support paradigms, with a large focus on enabling more flexibly executable processes. This article takes one of these paradigms, object-aware process management, and presents the concepts we developed while researching the possibility of bringing the power and flexibility of non-activity-centric process support paradigms to the people that matter: the end-users working with the processes. The contribution of this article are the concepts, ideas, and lessons learned during the development and evaluation of the PHILharmonicFlows runtime user interface, which allows for the generation of an entire user interface, complete with navigation and forms, based on an object-aware process model. This novel approach allows for the generation of entire information systems, complete with data storage, process logic, and now fully functional user interfaces in a fully generic fashion from data-centric object-aware process models.

Software Engineering

Diana Strutzenberger,Juergen Mangler,Stefanie Rinderle-Ma

DOI: https://doi.org/10.1007/s12599-023-00850-7

2024-01-31

Business & Information Systems Engineering

Abstract:The majority of (business) processes described in literature are discrete, i.e., they result in an identifiable and distinct outcome such as a settled customer claim or a produced part. However, there also exists a plethora of processes in process and control engineering that are continuous, i.e., processes that require real-time control systems with constant inlet and outlet flows as well as temporally stable conditions. Examples comprise chemical synthesis and combustion processes. Despite their prevalence and relevance a standard method for modeling continuous processes with BPMN is missing. Hence, the paper provides BPMN modeling extensions for continuous processes enabling an exact definition of the parameters and loop conditions as well as a mapping to executable processes. The BPMN modeling extensions are evaluated based on selected use cases from process and control engineering and interviews with experts from three groups, i.e., process engineers and two groups of process modelers, one with experience in industrial processes and one without. The results from the expert interviews are intended to identify (i) the key characteristics for the representation of continuous processes, (ii) how experts evaluate the current usability and comprehensibility of BPMN for continuous processes, and (iii) potential improvements can be identified regarding the introduced BPMN modeling extensions.

computer science, information systems

Stefan Schulte,Christian Janiesch,Srikumar Venugopal,Ingo Weber,Philipp Hoenisch

DOI: https://doi.org/10.1016/j.future.2014.09.005

IF: 7.307

2015-05-01

Future Generation Computer Systems

Abstract:With the advent of cloud computing, organizations are nowadays able to react rapidly to changing demands for computational resources. Not only individual applications can be hosted on virtual cloud infrastructures, but also complete business processes. This allows the realization of so-called elastic processes, i.e., processes which are carried out using elastic cloud resources. Despite the manifold benefits of elastic processes, there is still a lack of solutions supporting them.In this paper, we identify the state of the art of elastic Business Process Management with a focus on infrastructural challenges. We conceptualize an architecture for an elastic Business Process Management System and discuss existing work on scheduling, resource allocation, monitoring, decentralized coordination, and state management for elastic processes. Furthermore, we present two representative elastic Business Process Management Systems which are intended to counter these challenges. Based on our findings, we identify open issues and outline possible research directions for the realization of elastic processes and elastic Business Process Management.

English Else

Laura Marcus,Sebastian Johannes Schmid,Franziska Friedrich,Maximilian Röglinger,Philipp Grindemann

DOI: https://doi.org/10.1007/s12599-024-00908-0

2024-11-23

Business & Information Systems Engineering

Abstract:Process mining (PM) technology evolves around the analysis, design, implementation, and ongoing improvement of business processes. While it has experienced a lot of attention and significant technological advancements, contributions to the field have mostly revolved around technical matters, neglecting managerial and organizational aspects. Thus, researchers have called for a more holistic view of the application and adoption of PM in enterprises. To address this gap, this paper presents a taxonomy for organizational PM setups. Its applicability and usefulness are shown in three exemplary cases. This study extends the descriptive knowledge at the intersection of PM and business process management governance, highlighting the unique governance requirements associated with PM that cannot be effectively addressed through traditional governance approaches. The taxonomy provides practitioners with orientation when developing an effective PM setup and helps to characterize existing setups.

computer science, information systems

Valentin Zieglmeier,Alexander Pretschner

DOI: https://doi.org/10.48550/arXiv.2103.10769

2023-05-19

Abstract:Individuals lack oversight over systems that process their data. This can lead to discrimination and hidden biases that are hard to uncover. Recent data protection legislation tries to tackle these issues, but it is inadequate. It does not prevent data misusage while stifling sensible use cases for data. We think the conflict between data protection and increasingly data-based systems should be solved differently. When access to data is given, all usages should be made transparent to the data subjects. This enables their data sovereignty, allowing individuals to benefit from sensible data usage while addressing potentially harmful consequences of data misusage. We contribute to this with a technical concept and an empirical evaluation. First, we conceptualize a transparency framework for software design, incorporating research on user trust and experience. Second, we instantiate and empirically evaluate the framework in a focus group study over three months, centering on the user perspective. Our transparency framework enables developing software that incorporates transparency in its design. The evaluation shows that it satisfies usability and trustworthiness requirements. The provided transparency is experienced as beneficial and participants feel empowered by it. This shows that our framework enables Trustworthy Transparency by Design.

Software Engineering,Human-Computer Interaction

Tobias Seyffarth,Stephan Kühnel,Stefan Sackmann

DOI: https://doi.org/10.1007/978-3-319-65015-9_5

2017-01-01

Abstract:Dynamic markets and new technology developments lead to an increasing number of compliance requirements. Thus, affected business processes must be flexible and adaptable. Ensuring business processes compliance (BPC) is traditionally operationalized by means of controls, which can be described as simple target-performance comparisons. Since such controls are not always suitable for achieving BPC, the view is extended by so-called compliance processes. However, the definition and design of appropriate compliance processes for effective BPC depend on a multitude of process characteristics. To address this issue on a general level, we developed a taxonomy for compliance processes consisting of 9 dimensions and 37 characteristics. As a result, the taxonomy allows researchers and practitioners to classify compliance processes according to the state of the art in a formal way. Furthermore, it provides a systematic fundament for greater flexibility, i.e. an ad hoc integration of compliance processes into ongoing business processes to ensure BPC during runtime.

Marcus Fischer,Adrian Hofmann,Florian Imgrund,Christian Janiesch,Axel Winkelmann

DOI: https://doi.org/10.1016/j.is.2020.101689

2020-11-26

Abstract:Digital transformation forces companies to rethink their processes to meet current customer needs. Business Process Management (BPM) can provide the means to structure and tackle this change. However, most approaches to BPM face restrictions on the number of processes they can optimize at a time due to complexity and resource restrictions. Investigating this shortcoming, the concept of the long tail of business processes suggests a hybrid approach that entails managing important processes centrally, while incrementally improving the majority of processes at their place of execution. This study scrutinizes this observation as well as corresponding implications. First, we define a system of indicators to automatically prioritize processes based on execution data. Second, we use process mining to analyze processes from multiple companies to investigate the distribution of process value in terms of their process variants. Third, we examine the characteristics of the process variants contained in the short head and the long tail to derive and justify recommendations for their management. Our results suggest that the assumption of a long-tailed distribution holds across companies and indicators and also applies to the overall improvement potential of processes and their variants. Across all cases, process variants in the long tail were characterized by fewer customer contacts, lower execution frequencies, and a larger number of involved stakeholders, making them suitable candidates for distributed improvement.

Software Engineering,Computers and Society

Lars Ackermann,Martin Käppel,Laura Marcus,Linda Moder,Sebastian Dunzer,Markus Hornsteiner,Annina Liessmann,Yorck Zisgen,Philip Empl,Lukas-Valentin Herm,Nicolas Neis,Julian Neuberger,Leo Poss,Myriam Schaschek,Sven Weinzierl,Niklas Wördehoff,Stefan Jablonski,Agnes Koschmider,Wolfgang Kratsch,Martin Matzner,Stefanie Rinderle-Ma,Maximilian Röglinger,Stefan Schönig,Axel Winkelmann

2024-06-04

Abstract:The rapid development of cutting-edge technologies, the increasing volume of data and also the availability and processability of new types of data sources has led to a paradigm shift in data-based management and decision-making. Since business processes are at the core of organizational work, these developments heavily impact BPM as a crucial success factor for organizations. In view of this emerging potential, data-driven business process management has become a relevant and vibrant research area. Given the complexity and interdisciplinarity of the research field, this position paper therefore presents research insights regarding data-driven BPM.

Databases,Artificial Intelligence

Jianwen Su,Lijie Wen,Jian Yang

DOI: https://doi.org/10.1109/edoc.2017.11

2017-01-01

Abstract:Conceptual elevation of data in business process modeling was first formulated in 2003. The research community responded to this new idea enthusiastically. In the past decade, there have been numerous research activities concerning the interactions between business processes/activities and data in many aspects of business process management. Many of the advancements have or will have impacted on design/modeling, analysis, implementation of business processes in practice. However, there is still a lack of techniques for developing a suite of "interrelated" processes realizing a business service. Interrelated processes are a cluster of processes that share data and other resources, are collectively constrained by regulations and policies, influence KPIs as a group. Many current practical applications of business workflow systems are in urgent need for tools and techniques for process clusters. In this paper, we formulate a broad notion of an "Enterprise Process Framework" (EPF) to address this need and outline several interesting research challenges arising from EPFs.

Chong Wang,Zhong Luo,Xiuwei Zhang,Keqing He,Xu Chen

DOI: https://doi.org/10.1504/ijbpim.2015.071256

2015-01-01

Abstract:To facilitate business collaboration and interoperation among enterprises, it is critical to discover and reuse appropriate business processes modelled in different languages and stored in different repositories. Therefore, it is a challenge to register them in a unified manner without changing their original representations and semantics. This paper proposes a reference metamodel for process model registration (PMR) to register selected metadata and semantics of heterogeneous business processes. PMR is mainly designed to register business process automatically, facilitate the semantic discovery of business processes across enterprises, and promote process interoperation and business collaboration. Considering the popularity of BPEL in business process description, our approach takes BPEL as an example to illustrate how to specify the mappings from BPEL to PMR when performing PMR-based registration of business processes in a specific modelling language. Finally, a prototype of web-based business process registration tool named PMRegister is developed to demonstrate the feasibility and capability of our approach.