Are My Business Process Models Compliant With LGPD? The LGPD4BP Method to Evaluate and to Model LGPD aware Business Processes
Abstract

Context: Data privacy and data security have become a priority among the problems faced by many Brazilian organizations, which must comply with the Lei Geral de Proteção de Dados Pessoais (LGPD). This law defines privacy rights over user data and the penalties for those who violate it. Problem: In a compliance program, business processes are of fundamental importance, since they are the most important pillar of information security. However, an approach to guide companies in assessing and achieving LGPD compliance in their business processes is missing. Objective: This work proposes the LGPD4BP (LGPD for Business Process) method, which is composed of an evaluation questionnaire and a modelling method with a catalog of modelling patterns. Method: To develop LGPD4BP, we carried out a literature review, an analysis of privacy laws, in particular the LGPD, and a study of relevant works in the area. Results: The method was applied in a case study at the Colégio de Aplicação of the Federal University of Pernambuco and validated by a postgraduate class, which applied the method and answered a questionnaire about the ease of use and completeness of the method. Conclusions: The results of the students' evaluations showed that the hardest step is the business process modelling itself, not the components of the proposed method.