Identifying the Context of Data Usage to Diagnose Privacy Issues through Process Mining

In recent years, data privacy issues are increasingly concerned by organisations and governments. Organisations often define a set of rules as privacy policies for protecting sensitive data of their business. Regulations like the European General Data Protection Regulation (GDPR) added another layer of importance to data security emphasizing personal data protection, making it not only a business requirement but also a legal requirement. Existing access control mechanisms are not sufficient for data protection. They are only preventive and cannot guarantee that data is accessed for the intended purposes. This paper presents the underlying theory of a novel approach for multi-perspective conformance checking which considers the process control-flow, data and privacy perspectives simultaneously. In addition to detecting deviations in each perspective, the approach is able to detect hidden deviations where non-conformity relates to either a combination of two or all three aspects of a business process. Moreover, by reconciling the process, data and privacy aspects, it can detect spurious data access and identify privacy infringements where data have been processed for unclear or secondary purposes by an authorised role. The approach has been implemented in the open source ProM framework and was evaluated through controlled experiments using synthetic and real logs.