scholarly journals Privacy, security, legal and technology acceptance elicited and consolidated requirements for a GDPR compliance platform

2020 ◽  
Vol 28 (4) ◽  
pp. 531-553 ◽  
Author(s):  
Aggeliki Tsohou ◽  
Emmanouil Magkos ◽  
Haralambos Mouratidis ◽  
George Chrysoloras ◽  
Luca Piras ◽  
...  
Keyword(s):  
Technology Acceptance ◽  
Data Protection ◽  
Personal Data ◽  
Secondary Process ◽  
Multiple Perspectives ◽  
Data Governance ◽  
Content Type ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
Eu Project

Purpose General data protection regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of data governance for supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform. Design/methodology/approach The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors. Findings The findings provide the process for the DEFeND platform requirements’ elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements. Practical implications The proposed software engineering methodology and data collection tools (i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry. Social implications It is reported repeatedly that data controllers face difficulties in complying with the GDPR. The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR, thus, offering a significant boost toward the European personal data protection objectives. Originality/value This is the first paper, according to the best of the authors’ knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives.

scholarly journals Data Protection Impact Assessment (DPIA) for Cloud-Based Health Organizations

2021 ◽  
Vol 13 (3) ◽  
pp. 66
Author(s):  
Dimitra Georgiou ◽  
Costas Lambrinoudakis
Keyword(s):  
Impact Assessment ◽  
Data Protection ◽  
Gap Analysis ◽  
Health Care Organization ◽  
Personal Data ◽  
Care Organization ◽  
The European Union ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
Compliance Level

The General Data Protection Regulation (GDPR) harmonizes personal data protection laws across the European Union, affecting all sectors including the healthcare industry. For processing operations that pose a high risk for data subjects, a Data Protection Impact Assessment (DPIA) is mandatory from May 2018. Taking into account the criticality of the process and the importance of its results, for the protection of the patients’ health data, as well as the complexity involved and the lack of past experience in applying such methodologies in healthcare environments, this paper presents the main steps of a DPIA study and provides guidelines on how to carry them out effectively. To this respect, the Privacy Impact Assessment, Commission Nationale de l’Informatique et des Libertés (PIA-CNIL) methodology has been employed, which is also compliant with the privacy impact assessment tasks described in ISO/IEC 29134:2017. The work presented in this paper focuses on the first two steps of the DPIA methodology and more specifically on the identification of the Purposes of Processing and of the data categories involved in each of them, as well as on the evaluation of the organization’s GDPR compliance level and of the gaps (Gap Analysis) that must be filled-in. The main contribution of this work is the identification of the main organizational and legal requirements that must be fulfilled by the health care organization. This research sets the legal grounds for data processing, according to the GDPR and is highly relevant to any processing of personal data, as it helps to structure the process, as well as be aware of data protection issues and the relevant legislation.

Indonesian cybersecurity faces geopolitical hurdles

2021 ◽  
Keyword(s):  
United States ◽  
Civil Society ◽  
Data Protection ◽  
Personal Data ◽  
The United States ◽  
Digital Economy ◽  
Content Type ◽  
Personal Data Protection ◽  
State Surveillance ◽  
Data Protection Law

Significance Such programmes contribute not only to Indonesia’s efforts to boost the cyber readiness of its booming digital economy, but are also designed to maintain China's friendly relations with South-east Asia’s largest economy amid the intensifying technology tensions between China and the United States. Impacts The Personal Data Protection Law would need to clarify key provisions and concepts to be effective. The BSSN’s extensive powers will fuel civil society concerns about excessive state surveillance. Turning down Chinese technology suppliers carries cost and wider economic ramifications for Jakarta.

scholarly journals Capturing the Basics of the GDPR in a Well-Founded Legal Domain Modular Ontology

2021 ◽  
Author(s):  
Mirna El Ghosh ◽  
Habib Abdulrab
Keyword(s):  
Data Protection ◽  
Legal Reasoning ◽  
Conceptual Modeling ◽  
Personal Data ◽  
Process Ontology ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
Modular Ontology ◽  
Legal Domain ◽  
Ontology Reuse

The primary goal of the General Data Protection Regulation (GDPR) is to regulate the rights and duties of citizens and organizations over personal data protection. Implementing the GDPR is recently gaining much importance for legal reasoning and compliance checking purposes. In this work, we aim to capture the basics of GDPR in a well-founded legal domain modular ontology named OPPD (Ontology for the Protection of Personal Data). Ontology-Driven Conceptual Modeling (ODCM), ontology layering, modularization, and reuse processes are applied. These processes aim to support the ontology engineer in overcoming the complexity of the legal knowledge and developing an ontology model faithful to reality. ODCM is used for grounding OPPD in the Unified Foundational Ontology (UFO). Ontology modularization and layering aim to simplify the ontology building process. Ontology reuse focuses on selecting and reusing Conceptual Ontology Patterns (COPs) from UFO and the legal core ontology UFO-L. OPPD intends to overcome the lack of a representation of legal procedures that most ontologies encountered. The potential use of OPPD is proposed to formalize the GDPR rules by combining ontological reasoning and Logic Programming.

scholarly journals Data Sharing Under the General Data Protection Regulation

Hypertension ◽  
2021 ◽  
Vol 77 (4) ◽  
pp. 1029-1035
Author(s):  
Antonia Vlahou ◽  
Dara Hallinan ◽  
Rolf Apweiler ◽  
Angel Argiles ◽  
Joachim Beige ◽  
...  
Keyword(s):  
European Union ◽  
Data Protection ◽  
Personal Data ◽  
Research Approach ◽  
The European Union ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
Protection Legislation ◽  
General Data ◽  
Almost All

The General Data Protection Regulation (GDPR) became binding law in the European Union Member States in 2018, as a step toward harmonizing personal data protection legislation in the European Union. The Regulation governs almost all types of personal data processing, hence, also, those pertaining to biomedical research. The purpose of this article is to highlight the main practical issues related to data and biological sample sharing that biomedical researchers face regularly, and to specify how these are addressed in the context of GDPR, after consulting with ethics/legal experts. We identify areas in which clarifications of the GDPR are needed, particularly those related to consent requirements by study participants. Amendments should target the following: (1) restricting exceptions based on national laws and increasing harmonization, (2) confirming the concept of broad consent, and (3) defining a roadmap for secondary use of data. These changes will be achieved by acknowledged learned societies in the field taking the lead in preparing a document giving guidance for the optimal interpretation of the GDPR, which will be finalized following a period of commenting by a broad multistakeholder audience. In parallel, promoting engagement and education of the public in the relevant issues (such as different consent types or residual risk for re-identification), on both local/national and international levels, is considered critical for advancement. We hope that this article will open this broad discussion involving all major stakeholders, toward optimizing the GDPR and allowing a harmonized transnational research approach.

Gender-based cybercrime is likely to rise in India

2021 ◽  
Keyword(s):  
Civil Society ◽  
Data Protection ◽  
Personal Data ◽  
Content Type ◽  
Digital Platforms ◽  
Customer Base ◽  
Personal Data Protection ◽  
Online Safety ◽  
Data Protection Law ◽  
Gender Based

Significance The experience of surfing the net is vastly different for women, who have been disproportionately at the receiving end of cybercrimes that undermine their safety online. As elsewhere, the forms of online offence included bullying, stalking, impersonation and non-consensual pornography. Impacts Lack of online safety will limit the female customer base of digital platforms. Entrenched weaknesses of the judicial systems impede reporting and conviction of cybercrime. Civil society demands for a personal data protection law will rise.

China’s personal data protection regime takes shape

2020 ◽  
Keyword(s):  
Data Protection ◽  
Personal Data ◽  
Foreign Firms ◽  
Considerable Importance ◽  
Content Type ◽  
Personal Data Protection ◽  
Cross Border ◽  
The Law ◽  
Foreign Governments ◽  
Security Inspection

Significance Once finalised and promulgated, probably sometime in late 2021 or 2022, it will be China’s first comprehensive piece of legislation to govern the collection, processing and use of personal data. There are significant ramifications for domestic and foreign businesses. Impacts Security inspection requirements for cross-border transfers of personal data could have considerable importance for foreign firms. The law may be used to sanction foreign firms or retaliate against foreign governments. The law aims to settle a long-running turf war between regulators, to eliminate duplicate licensing, enforcement and inspection regimes.

scholarly journals The State Archives of the Republic of Macedonia: Use of Archival Material and Data Protection Pursuant to the Law on Personal Data Protection and the General Data Protection Regulation

Atlanti ◽  
2018 ◽  
Vol 28 (2) ◽  
pp. 91-98
Author(s):  
Svetlana Usprcova
Keyword(s):  
Data Protection ◽  
Personal Data ◽  
The State ◽  
General Data Protection Regulation ◽  
Archival Material ◽  
Personal Data Protection ◽  
Republic Of Macedonia ◽  
Other Information ◽  
The Republic ◽  
State Archives

The aim of this paper is to explain the position of the State Archives of the Republic of Macedonia as guardian of the archival material, which is a subject of use for scientific, academic, administrative, public, publishing, exhibition and other purposes. In the process of use of the archival material, the archivists must be very careful in order to protect confidential, sensitive, legal and other information contained in the archival material, and take some measures in relation to the personal data protection. Herein, the author, also talks about the current Law on personal data protection and the harmonisation of the national law with the European legislation.

scholarly journals GDPR implementation as the main reason for the regional fragmentation in the online mediasphere

2021 ◽  
Vol 273 ◽  
pp. 08099
Author(s):  
Mikhail Smolenskiy ◽  
Nikolay Levshin
Keyword(s):  
European Union ◽  
Data Protection ◽  
Personal Data ◽  
Main Role ◽  
The European Union ◽  
Protection Measures ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
The Usa ◽  
General Data

The EU’s General Data Protection Regulation (GDPR) applies not only to the territory of the European Union, but also to all information systems containing data of EU’s citizens around the world. Misusing or carelessly handling personal data bring fines of up to 20 million euros or 4% of the annual turnover of the offending company. This article analyzes the main trends in the global implementation of the GDPR. Authors considered and analyzed results of personal data protection measures in nineteen regions: The USA, Canada, China, France, Germany, India, Kazakhstan, Nigeria, Russia, South Korea and Thailand, as well as the European Union and a handful of other. This allowed identifying a direct pattern between the global tightening of EU’s citizens personal data protection and the fragmentation of the global mediasphere into separate national segments. As a result of the study, the authors conclude that GDPR has finally slowed down the globalization of the online mediasphere, playing a main role in its regional fragmentation.

scholarly journals Credit-Based Insurance Scores: some Observations in the Light of the European General Data Protection Regulation

2020 ◽  
pp. 155-186
Author(s):  
María Dolores Mas Badia
Keyword(s):  
Data Protection ◽  
Personal Data ◽  
Insurance Companies ◽  
The European Union ◽  
History Data ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
Credit History ◽  
Automated Processing ◽  
General Data

Despite the differences between credit risk and insurance risk, in many countries large insurance companies include credit history amongst the information to be taken into account when assigning consumers to risk pools and deciding whether or not to offer them an auto or homeowner insurance policy, or to determine the premium that they should pay. In this study, I will try to establish some conclusions concerning the requirements and limits that the use of credit history data by insurers in the European Union should be subject to. In order to do this, I shall focus my attention primarily on Regulation (EU) 2016/679. This regulation, that came into force on 24 May 2018, not only forms the backbone of personal data protection in the EU, but is also set to become a model for regulation beyond the borders of the Union. This article will concentrate on two main aspects: the lawful basis for the processing of credit history data by insurers, and the rules that should apply to decisions based solely on automated processing, including profiling.Received: 30 December 2019Accepted: 07 February 2020Published online: 02 April 2020

scholarly journals Delegation-Based Personal Data Processing Request Notarization Framework for GDPR Based on Private Blockchain

2021 ◽  
Vol 11 (22) ◽  
pp. 10574
Author(s):  
Sung-Soo Jung ◽  
Sang-Joon Lee ◽  
Ieck-Chae Euom
Keyword(s):  
Data Processing ◽  
Data Protection ◽  
Data Privacy ◽  
Personal Data ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
Compliance Audit ◽  
General Data ◽  
Data Controller ◽  
Data Subject

With the growing awareness regarding the importance of personal data protection, many countries have established laws and regulations to ensure data privacy and are supervising managements to comply with them. Although various studies have suggested compliance methods of the general data protection regulation (GDPR) for personal data, no method exists that can ensure the reliability and integrity of the personal data processing request records of a data subject to enable its utilization as a GDPR compliance audit proof for an auditor. In this paper, we propose a delegation-based personal data processing request notarization framework for GDPR using a private blockchain. The proposed notarization framework allows the data subject to delegate requests to process of personal data; the framework makes the requests to the data controller, which performs the processing. The generated data processing request and processing result data are stored in the blockchain ledger and notarized via a trusted institution of the blockchain network. The Hypderledger Fabric implementation of the framework demonstrates the fulfillment of system requirements and feasibility of implementing a GDPR compliance audit for the processing of personal data. The analysis results with comparisons among the related works indicate that the proposed framework provides better reliability and feasibility for the GDPR audit of personal data processing request than extant methods.

Sign in / Sign up

Export Citation Format

Share Document