Zaman, R., Hassani, M., & van Dongen, B. F. (Accepted/In press). Data Minimisation as Privacy and Trust Instrument in Business Processes. In Business Process Management Workshops (BPM 2020) Springer.
Data is vital for almost all sorts of business processes and workflows. However, the possession of personal data of other beings bear consequences. Data is prone to abuses through the exposure to adversaries in case of data breaches or insider’s illegitimate access and processing, hence adding to customer distrust. The data minimisation principle of the General Data Protection Regulation (GDPR), as a proactive approach, requires the collection of personal data to be limited to what is necessary for the legitimate processing purpose(s). Data degradation advocates for periodic inter-process data minimisation in a multi-process environment. In this context, we are proposing intra-process data degradation as a continuous data minimisation function during the process life. In our solution, the granularity or the information level of the process data is reduced at suitable instances in the process life to the minimum sufficient level for a successful completion of the remaining process. We devise three effective data degradation policies to realise and guide intra-process data degradation in business processes. We show through a proof-of-concept implementation the applicability of the introduced concept and the effectiveness of one of the policies. Our proposed approach intrinsically reduces privacy infringement damages which contribute to end-users trust in the processes.