The collection and long-term retention of excessive data enables organisations to process data for insights in non-primary processes. The discovery of insights is promoted to be useful both for organisations and the customers. However, long-term possession of data on one hand risks the privacy of data belonging beings in cases of data breaches and on the other hand results in the customers distrust.
General Data Protection Regulation (GDPR) abstractly defined the data processing boundaries of the personal data of European Union’s citizens. The processing principles of GDPR, in line with the spirit of privacy by design and default, provide directions on the collection, storage, and processing of personal data. Concomitantly, the data subject rights provide customers with necessary control over their personal data stationed at the data controller’s premises. The accountability principle of GDPR requires compliance in place and also the ability to demonstrate it.
In this work, authors are providing three solutions to enable GDPR compliance in business processes. First, they are proposing intra-process data degradation, a solution for continuous data minimisation during the course of business processes. The proposed approach results in reduced data maintenance and breach losses. Second, they adapt process mining techniques for ascertaining compliance of business process execution to data subject rights. Finally, they present a scheme to utilise differential privacy technique to enable GDPR-compliant business process discovery.