Integrating compliance checking with business processes has become increasingly essential to ensure adherence to regulatory standards from both the process and legal domains. However, compliance oficers and process modelers face significant challenges in eliciting regulatory requirements, integrating them into business process models, and understanding their outcomes. Therefore, this PhD aims to reconcile their needs while increasing transparency and understandability of the digitalization of regulatory requirements such as the General Data Protection Regulation (GDPR). The expected key contributions are: 1) Develop a formal framework to unify the terminology to extract and model compliance and normative feasibility of digitalization, 2) Provide formal methods and techniques to ofer a global compliance perspective and increase the expressiveness of business process model languages to support normative requirements and their efects, 3) Develop understandable compliance checking outcomes.
Compliance checking allows organizations to review and analyze the levels of adherence to
organizational processes and their outcomes with regulatory documents. This minimizes the risk of
noncompliance, avoiding potential financial and trust-related losses. Typically, compliance checking
involves the specification/extraction of engineering requirements, business process model design,
definitions of compliance checks, choice of a compliance strategy1 and the analysis of the outcomes [
From the compliance perspective, there are four key concepts: regulatory requirements, as external
rules to comply with (e.g., General Data Protection Regulation (GDPR), Health Insurance Portability
and Accountability Act (HIPAA), and EU AI Act), compliance requirements [
ICPM 2024 Doctoral Consortium, October 14–18, 2024, Kongens Lyngby $ jcavi@dtu.dk (J. Caballero-Villalobos) 0000-0002-4915-0961 (J. Caballero-Villalobos)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). 1Compliance strategies might be included design-time controls, ensuring compliance by design from early stages; run-time, when processes are being executed; audits, post-mortem analysis of the logs; or hybrid approaches, which ensuring monitoring while ofering significant flexibility to domain-specific applications, e.g., extensions of business process model languages with goal-oriented languages or embedding normative requirements into business language semantics
Compliance requirements have been extracted using conceptual models, taxonomies, and ontologies
described in [
After the design phase, model-checking techniques are applied to verify that the model represents the
extracted requirements; industries must define their compliance strategy, mechanisms, and measures to
ensure compliance. One of the techniques that have been used to assure adherence to regulations is
conformance checking [
Our motivation comes from the challenges identified in digitalizing compliance and normative requirements and their efects. We envision a unified approach supporting the compliance checking process for legal and process domains. This project considers the following research questions (RQ): • RQ.1: How can compliance oficers and process modelers be supported to elicit and categorize compliance and normative requirements and their efects from the regulations? • RQ.2: How can process modelers be supported in integrating compliance and normative requirements and their efects into business process models? • RQ.3: How can compliance oficers and process modelers be supported in understanding the outcomes of compliance-checking?
This research has as a main objective to increase the transparency3 and understandability4 of compliance checking, by providing a framework of specification, modeling, verification and visualization of business processes compliance. As running examples (GDR RunE), we will use some of the articles in Chapter 3.5 of the General Data Protection Regulation, Rights of the Data Subject. At a minimum, we anticipate the framework encompassing the methods and tools described below. As we are in an early stage of the research, some limitations of the methods and discussion of the results are not currently considered. 2https://fluxicon.com/disco/ 3Ability to represent and infer relevant inherent information and behaviors in the compliance-checking decision-making process that are not currently captured by business process model language expressiveness. 4Facilitate the interpretation of the compliance-checking outcomes, making it reliable for analysis in diferent levels of abstraction and easy to integrate with the systems of the organization. 5https://gdpr-info.eu/chapter-3/
To support the formalization and extraction of feasible6 normative and compliance requirements, we will develop a conceptual model for integrating and aligning run-time compliance checks within compliance processes. The main outcome will be a conceptual model to categorize, identify, and align compliance and normative requirements of a GDR RunE.
Completed and current work: We mapped the compliance and normative requirements of articles 13, 14, 32, and 5 of GDPR to evaluate the feasibility of automation of these requirements. Later, we discussed our results with compliance oficers and refined our models and interpretation of inherent ambiguities. As a result, we propose a first mapping of substantive and procedural elements of the article and their corresponding normative and compliance requirements. Some of them are feasible to map as workflow and temporal constraints. Meanwhile, legal dependencies, normative efects, and annotations to avoid ambiguous interpretation are not explicit in most business process models, making its traceability dificult. Currently, we are working on validating and adjusting our definitions with lawyers.
Next Steps: We will establish the deontic efects (antecedent-consequence, classes, and relationships) of cross-reference elements (e.g., recitals, internal reference to another provision of the regulation). Then, we will align legal jargon with formalization terms and categories by providing a unified representation of the feasible normative and compliance requirements for later formalization. Automating the requirements extraction with techniques such as natural language processing is not currently considered at this stage.
To model compliance processes, mainly imperative business process model languages have been used [
Completed and current work: We modeled the GDPR articles explored in RQ.1 in Dynamic
Condition Response Graphs 2D Simulator7 as an initial approach to evaluate the capacity to represent
compliance, normative requirements from regulations, and their efects. The preliminary results indicate
that a global compliance perspective and some normative requirements and their efects are currently
not supported by the semantics, which makes its traceability dificult. To tackle that, we formalized
compliance requirements as goals based on intentional elements of i* framework (e.g., goals, links). To
do so, we identified the compliance requirements of article 13. of GDPR, "Information to be provided
where personal data are collected from the data subject," and mapped them into intentional elements8
6A normative or compliance requirement that can be automatically or semi-automatically enforced or monitored by a
compliance strategy without human judgment. We infer that a feasible requirement must be precise, measurable, and
automatable (e.g., provision of information to data subjects during data collection).
7https://www.dcrgraphs.net/
8As an example, we define a top-goal of transparency. This ensures that one knows how one’s data is collected, utilized, and
managed. This main goal could be decomposed into sub-goals, such as ensuring transparency in data collection, accountability
in data handling, a legal basis for data processing, compliance with cross-references, and so forth. The relationships between
For our extension, a goal represents the rationale and motivations underlying complying with a business
compliance requirement, the "why." It can be decomposed into relevant domain-specific sub-goals. The
fulfillment satisfaction of the goals is defined as executing a subset of normative requirements. The
latter represents what the law should do, the "how." We modeled it using the dynamic condition response
graphs semantics elements9. As a result, we diferentiate goals from the events given their objectives,
decomposition, and strengths10. Currently, we are focusing on formalizing our previous definitions,
encoding the goals into BNF notation, and performing formal evaluations of the expressiveness of DCR
semantics [
Next Steps: We will integrate the goals into the DCR semantics by developing a feasibility check
function to determine whether a goal is achievable and assess the current marking (trace) and the latest
event executed. Then, we will introduce an algorithm based on the evaluation measures proposed in the
compliance Requirements Framework to compute the satisfaction degree (compliance goal fulfillment)
of high-level intentional elements. This will support the non-binary (Yes/No) decision-making process,
measuring the extent to which the method is compliant based on the compliance checks defined in
the previous phase. Later, we will extend our last semantics, incorporating normative requirements
using regular grammar, and we will develop an algorithm to compute the efects of the normative
requirements (e.g., compensation). Both extensions will validated as described in [
Consequently, after validating our formal approaches, we would like to ofer understandable outcomes for users in the legal and process domains. We infer that graphical representations that refer a modelling pattern make easier to understand the process, dependencies and their relationships. However, we need to determine i) what are the key elements that play a diferential role in the interpretation and understandability of compliance checking outcomes, and ii) what type of representations are considered helpful for the end users. The primary outcome of this phase will be to explore, create, or extend 2D and 3D artifacts to simulate the process and show the outcomes of the process understandably.
Completed and current work: We extended the 3D DCR Simulator 11 with some of the features that we infer increase the understandability of compliance checking outcomes. By including real-time logs annotations with integrations to real-time analysis using SQL Queries in Unity Cloud and integration of post-mortem analysis with process mining tools such as Disco. The tool contributes to two use cases in compliance checking: elicitation and discovery of process variants using unrestricted process models and simulations of process models. Currently, we are working to extend the support of these immersive representations.
Next Steps: We will conduct empirical studies with end users of the compliance checking process from both legal and process domains to determine the elements and environments (e.g., 2D, 3D) that make relevant, useful, and understandable the process outcomes. As an initial approach, we will extend the 2D DCR Simulator (e.g., adding new SVG visualizations to reflect the semantics extensions proposed in the previous phase) and 3D DCR Simulator (e.g., adding computer aid design models to tailored these goals could be expressed with intentional relationships and goal dependency. 9Taking the sub-goal "ensuring accountability in data handling". We define at least the normative requirements of tracking all interactions with personal data, granting data subjects access to their data upon request, and timely notifying authorities and data subjects of any personal data breaches. We used the DCR semantics to represent the specific, measurable GDPR events and their inherent relationships. 10While goals focus on a high level of compliance-checking, the DCR events focus on workflow controls. Moreover, the first one allows one to decompose compliance requirements into measurable sub-goals, while the DCR elements representing normative requirements, including events, are modeled as normative triggers. Finally, goals bring a global compliance perspective that is useful for strategic planning. Meanwhile, DCR elements (including events) efectively ensure operational compliance. 11https://bit.ly/sourcecode3DCRBeta domain-specific representations) by mapping the requirements extracted in the empirical studies. Then, we will conduct a second phase of empirical studies to compare the cognitive load between both representations and validate the efectiveness of our developments.
I thank my PhD supervisors, Hugo-Andrés López-Acosta and Andrea Burattin, and DICE members Olga Kokoulina and Alexandra Andhov for their guidance and support. This work is supported by the research grant “Center for Digital CompliancE (DICE)” (VIL57420) from VILLUM FONDEN. Moreover, it is part of a EuroTech Alliance project entitled "Explainable Compliant Process-driven Platforms", a joint work with the Technical University of Eindhoven.