Orchestrating Privacy Enhancing Technologies and Services with BPM Tools: The WITDOM Data Protection Orchestrator

Privacy is a highly complex subject, especially when it comes to balancing data subjects' expectations, requirements and needs with i) the objectives of service providers and data controllers, and ii) the variety of legal obligations that dictate protection rights of data subjects and responsibilities of data controllers. This requires to provide technical solutions capable of matching different and adequate levels of privacy, while still attending to data subjects' preferences and business objectives. The Data Protection Orchestrator (DPO) developed in the context of the WITDOM project1 meets this challenge by interacting with different Protection Enhancing Technologies or Services following a set of pre-defined protection processes, so as to support automated management trade-offs between privacy, performance and utility. By leveraging Business Process Management standards, the DPO is capable of making data protection processes and practices (such as automated anonymization or management of data subject's consent) integral to other business core services, as intended with the data protection by design and by default approach in the EU's GDPR. The DPO capabilities will be explained in the context of two complementary scenarios: the eHealth scenarios, where the DPO will be used for protecting genomic data and the financial scenario where the DPO will be responsible for protecting the transaction history and personal attributes of the bank's customers.