In an increasingly digital world, collecting, processing, and exchanging personal data are critical drivers for enacting enterprise business processes. However, the long-term retention and access of personal data expose organizations to data breaches, in which sensitive and protected data are disclosed and exploited without authorization. To mitigate the damage that data breaches can cause, in the European Union (EU), the right to data privacy is enforced through the General Data Protection Regulation (GDPR), which defines how organizations must store and manage EU citizens’ data. GDPR strongly influences how organizations approach data privacy, forcing them to rethink and upgrade their business processes to become GDPR compliant, which can be daunting. In this paper, in line with the privacy-by-design principles of GDPR, we propose a methodology that shows how to capture the main GDPR privacy constraints in the form of design patterns and integrate them into business process models specified in BPMN (Business Process Model and Notation). This allows us to achieve full transparency of privacy constraints in business processes, making it possible to ensure their compliance with GDPR at design time. We adopt a design science research approach to present our methodology and make design decisions explicit. We also introduce GDPR-Pilot, a BPMN editor that assists process designers and Data Controllers in integrating GDPR patterns into existing models. The methodology is evaluated through real-world use cases against structural, usage, and environmental requirements.
Design patterns for GDPR-aware process modeling in BPMN / Agostinelli, S.; De Luzi, F.; Maggi, F. M.; Marrella, A.; Volpi, A.. - In: INFORMATION SYSTEMS. - ISSN 0306-4379. - 137:(2026). [10.1016/j.is.2025.102646]
Design patterns for GDPR-aware process modeling in BPMN
Agostinelli S.;De Luzi F.;Maggi F. M.;Marrella A.;Volpi A.
2026


