Orchestrating Privacy Enhancing Technologies and Services with BPM Tools

Nicolas Notario, Alberto Crespo, Eduardo Gonzalez (Atos), Eleonora Ciceri, Ilio Catallo, Sauro Vicini (FSCR)

Privacy is a highly complex subject, especially when it comes to balancing data subjects’ expectations, requirements and needs with i) the objectives of service providers and data controllers, and ii) the variety of legal obligations that dictate protection rights of data subjects and responsibilities of data controllers. This requires to provide technical solutions capable of matching different and adequate levels of privacy, while still a‹ending to data subjects’ preferences and business objectives. The Data Protection Orchestrator (DPO) developed in the context of the WITDOM project meets this challenge by interacting with different Protection Enhancing Technologies or Services following a set of pre-de€ned protection processes, so as to support automated management trade-o‚s between privacy, performance and utility. By leveraging Business Process Management standards , the DPO is capable of making data protection processes and practices (such as automated anonymization or management of data subject’s consent) integral to other business core services, as intended with the data protection by design and by default approach in the EU’s GDPR. ‘e DPO capabilities will be explained in the context of two complementary scenarios: the eHealth scenarios where the DPO will be used for protecting genomic data and the €nancial scenario where the DPO will be responsible for protecting the transaction history and personal attributes of the bank’s customers.