Integrating access control and business process for GDPR compliance: A preliminary study

Currently, the scientific communities and private companies are actively working to provide theoretical and practical solutions for enforcing the adoption of the General Data Protection Regulation (GDPR) and its compliance problem. In line with the principle of data protection by design, the paper proposes an approach for the automation and enforcement of GDPR requirements. The idea is to extend the currently adopted access control mechanisms so to leverage them to the enforcement of GDPR compliance during business activities of data management and analysis. From a practical point of view, this means to integrate into the existing business processes specific facilities for assisting in the design, development, maintenance, and verification of the GDPR requirements as well as to modify the language and architecture of the access control systems so as to let the management of GDPR principles and obligations. For this, the basic steps of the proposed approach are provided as well as an example used to clarify the integrated use of access control systems and business process models.