ABSTRACT
Context: Data privacy and data security have become a priority among the problems faced by many Brazilian organizations, which must be compliant with the Lei Geral de Proteção de Dados Pessoais (LGPD). This law defines privacy rights over user data and penalties for those who violate it. Problem: In a compliance program, business processes are of fundamental importance, since they are the most important pillar of information security. However, an approach to guide companies in assessing and achieving LGPD compliance in their business processes is missing. Objective: This work proposes the LGPD4BP (LGPD for Business Process) method, which is composed of an evaluation questionnaire and a modelling method with a catalog of modelling patterns. Method: To develop LGPD4BP, we carried out a literature review, an analysis of privacy laws, in particular the LGPD, and a review of relevant works in the area. Results: The method was applied in a case study at the Colégio de Aplicação of the Federal University of Pernambuco and validated by a postgraduate class, which applied the method and answered a questionnaire about its ease of use and completeness. Conclusions: The students' evaluations showed that the hardest step is the business process modelling itself, not the components of the proposed method.
Index Terms
- Are My Business Process Models Compliant With LGPD? The LGPD4BP Method to Evaluate and to Model LGPD aware Business Processes