Process mining meets GDPR compliance: the right to be forgotten as a use case

In a bid to ensure privacy of personal data of data subjects, the General Data Protection Regulation(GDPR) entails stringent obligations on organizations and businesses qualifying as data controllers and data processors. The regulation additionally bestow data subjects certain rights over their personal data, right to be forgotten generally being perceived the landmark. Fulfilling the GDPR’s obligatory requirements and provisioning of the data subject’s rights implicates considerable changes to the existing (pre-GDPR era) business and organizational processes. Being a non-trivial task, several technical as well as procedural challenges are associated. The case for organizations having intertwined or cascaded business processes and business processes stretched over multiple organizations is even more complicated. Process mining discipline has been found highly effective in automatically discovering, conformance/compliance analysis, and enhancement of business processes, organizational workflows, healthcare procedures/guidelines to name a few. Process mining techniques therefore have a great potential to assist and guide the transformation of pre-GDPR era (presumably GDPR non-compliant) business or organizational processes into GDPR-compliant processes, and afterwards monitor the compliance during execution. In addition to the current state of the art offline process mining techniques, stable online conformance checking and online model repair techniques needs to be developed for ensuring compliance to the regulation. We are highlighting the challenges associated with implementation of the right to be forgotten, and the GDPR in general.