From ISO/IEC27001:2013 and ISO/IEC27002:2013 to GDPR compliance controls

2020 ◽  
Vol 28 (4) ◽  
pp. 645-662
Author(s):  
Vasiliki Diamantopoulou ◽  
Aggeliki Tsohou ◽  
Maria Karyda

Purpose – This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet the data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates the security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations can use this paper as a basis for extending their existing security control modules towards data protection and as guidance for reaching compliance with the regulation.

Design/methodology/approach – This study followed a two-step approach. First, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified by analysing all 14 control modules of ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, the paper identified GDPR requirements not addressed by ISO/IEC 27001:2013.

Findings – The findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed, based on these security controls, to adequately meet the data protection requirements of the GDPR; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to adhere to the GDPR.

Originality/value – This paper provides a gap analysis and identifies the further steps, i.e. the additional actions that need to be performed, to allow an ISO/IEC 27001:2013 certified organisation to become compliant with the GDPR.

2021 ◽  
Vol 13 (3) ◽  
pp. 66
Author(s):  
Dimitra Georgiou ◽  
Costas Lambrinoudakis

The General Data Protection Regulation (GDPR) harmonizes personal data protection laws across the European Union, affecting all sectors including the healthcare industry. For processing operations that pose a high risk for data subjects, a Data Protection Impact Assessment (DPIA) has been mandatory since May 2018. Taking into account the criticality of the process and the importance of its results for the protection of patients’ health data, as well as the complexity involved and the lack of past experience in applying such methodologies in healthcare environments, this paper presents the main steps of a DPIA study and provides guidelines on how to carry them out effectively. To this end, the Privacy Impact Assessment methodology of the Commission Nationale de l’Informatique et des Libertés (PIA-CNIL) has been employed, which is also compliant with the privacy impact assessment tasks described in ISO/IEC 29134:2017. The work presented in this paper focuses on the first two steps of the DPIA methodology and more specifically on the identification of the purposes of processing and of the data categories involved in each of them, as well as on the evaluation of the organization’s GDPR compliance level and of the gaps (gap analysis) that must be filled in. The main contribution of this work is the identification of the main organizational and legal requirements that must be fulfilled by the healthcare organization. This research sets the legal grounds for data processing according to the GDPR and is highly relevant to any processing of personal data, as it helps to structure the process and raises awareness of data protection issues and the relevant legislation.


2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Gianclaudio Malgieri

Purpose – This study aims to discover the legal borderline between licit online marketing and illicit privacy-intrusive and manipulative marketing, considering in particular consumers’ expectations of privacy.

Design/methodology/approach – A doctrinal legal research methodology is applied throughout, with reference to the relevant legislative frameworks. In particular, this study analyzes the European Union (EU) data protection law framework [the General Data Protection Regulation (GDPR)], as it is one of the most advanced privacy laws in the world, with strong extra-territorial impact in other countries and consequent risks of high fines, compares it with privacy scholarship in the field and extracts a compliance framework for marketers.

Findings – The GDPR is a solid compliance framework that can help to distinguish licit marketing from illicit marketing. It brings clarity through four legal tests: the fairness test, the lawfulness test, the significant effect test and the high-risk test. Performing these tests can benefit consumers and marketers alike, in particular considering that meeting consumers’ expectation of privacy can enhance their trust. A solution for marketers to respect and leverage consumers’ privacy expectations is twofold: enhancing critical transparency and avoiding the exploitation of individual vulnerabilities.

Research limitations/implications – This study is limited to the European legal framework and to theoretical analysis. Further research is necessary to investigate other legal frameworks and to prove this model in practice, measuring not only consumers’ expectation of privacy in different contexts but also the practical managerial implications of the four GDPR tests for marketers.

Originality/value – This study originally contextualizes the most recent privacy scholarship on online manipulation within the EU legal framework, proposing an easy and accessible four-step test and a twofold solution for marketers. Such a test might be beneficial both for marketers and for consumers’ expectations of privacy.


2020 ◽  
Vol 28 (4) ◽  
pp. 531-553 ◽  
Author(s):  
Aggeliki Tsohou ◽  
Emmanouil Magkos ◽  
Haralambos Mouratidis ◽  
George Chrysoloras ◽  
Luca Piras ◽  
...  

Purpose – The General Data Protection Regulation (GDPR) entered into force in May 2018 to enhance personal data protection. Even though the GDPR brings many advantages for data subjects, it has turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders and calls for a software platform that can support their needs. The aim of the Data Governance for Supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform.

Design/methodology/approach – The platform needs to satisfy legal and privacy requirements and provide the functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, to assure that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data collected from stakeholders in different sectors.

Findings – The findings comprise the process for eliciting the DEFeND platform requirements and an indicative sample of those requirements. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements.

Practical implications – The proposed software engineering methodology and data collection tools (i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry.

Social implications – It is reported repeatedly that data controllers face difficulties in complying with the GDPR. The study aims to offer mechanisms and tools that can assist organizations in complying with the GDPR, thus offering a significant boost toward the European personal data protection objectives.

Originality/value – To the best of the authors’ knowledge, this is the first paper to provide software requirements for a GDPR compliance platform, including multiple perspectives.


Info ◽  
2014 ◽  
Vol 16 (3) ◽  
pp. 22-39 ◽  
Author(s):  
Rachel L. Finn ◽  
Kush Wadhwa

Purpose – This paper aims to study the ethics of “smart” advertising and regulatory initiatives in the consumer intelligence industry. Increasingly, online behavioural advertising strategies, especially in the mobile media environment, are being integrated with other existing and emerging technologies to create new techniques based on “smart” surveillance practices. These “smart” surveillance practices have ethical impacts including identifiability, inequality, a chilling effect, the objectification, exploitation and manipulation of consumers, as well as information asymmetries. This article examines three regulatory initiatives – privacy-by-design considerations, the proposed General Data Protection Regulation of the EU and the US Do-Not-Track Online Act of 2013 – that have sought to address the privacy and data protection issues associated with these practices.

Design/methodology/approach – The authors performed a critical literature review of academic, grey and journalistic publications on behavioural advertising to identify the capabilities of existing and emerging advertising practices and their potential ethical impacts. This information was used to explore how well proposed regulatory mechanisms might address current and emerging ethical and privacy issues in the emerging mobile media environment.

Findings – The article concludes that all three regulatory initiatives fall short of providing adequate consumer and citizen protection in relation to online behavioural advertising as well as “smart” advertising.

Originality/value – The article demonstrates that existing and proposed regulatory initiatives need to be amended to provide adequate citizen protection and describes how a focus on privacy and data protection does not address all of the ethical issues raised.


2019 ◽  
Vol 21 (5) ◽  
pp. 510-524 ◽  
Author(s):  
Nazar Poritskiy ◽  
Flávio Oliveira ◽  
Fernando Almeida

Purpose – The implementation of European data protection is a challenge for businesses and has imposed legal, technical and organizational changes on companies. This study aims to explore the benefits and challenges that companies operating in the information technology (IT) sector have experienced in applying European data protection. Additionally, this study aims to explore whether the benefits and challenges faced by these companies differed according to their size and the state of implementation of the regulation.

Design/methodology/approach – This study adopts a quantitative methodology, based on a survey conducted with Portuguese IT companies. The survey is composed of 30 questions divided into three sections, namely, control data; assessment; and benefits and challenges. The survey was created on Google Drive and distributed among Portuguese IT companies between March and April 2019. The data were analyzed in Stata using descriptive and inferential techniques, including the one-way ANOVA test.

Findings – A total of 286 responses were received. The main benefits identified from the application of European data protection include increased confidence and legal clarification. On the other hand, the main challenges include the execution of audits of systems and processes and the application of the right to erasure. The findings allow us to conclude that the state of implementation of the General Data Protection Regulation (GDPR) and the type of company are discriminating factors in the perception of benefits and challenges.

Research limitations/implications – This study has essentially practical implications. Based on the synthesis of the benefits and challenges posed by the adoption of European data protection, it is possible to assess the relative importance and impact of the benefits and challenges faced by companies in the IT sector. However, this study does not explore the type of challenges that arise at each stage of the adoption of European data protection and does not take into account the specificities of the activities carried out by each of these companies.

Originality/value – The implementation of the GDPR is still in an initial phase. This study is pioneering in synthesizing the main benefits and challenges of its adoption for companies operating in the IT sector. Furthermore, this study explores the impact of the size of the company and the status of implementation of the GDPR on the perception of the established benefits and challenges.


2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Lokke Moerel ◽  
Marijn Storm

Purpose – To explain the authors’ position that the use of blockchain technology is not incompatible with European Union privacy laws and in particular the EU General Data Protection Regulation (GDPR).

Design/methodology/approach – Explains the basics of blockchain technology and the GDPR, several reasons why some scholars consider blockchain not to be compatible with the GDPR, and why the authors believe that the GDPR will be able to regulate the use of blockchain technology.

Findings – The current perception is that blockchain is not compatible with EU privacy laws. The authors disagree and explain why none of the issues identified by legal scholars and stakeholders is likely to pose a problem for blockchain technology. Their conclusion is that EU privacy laws are well able to regulate this new technology as well. This does not, however, mean that blockchain will be suitable for all use and deployment cases.

Originality/value – Practical guidance and explanation of complex issues by lawyers with extensive experience and expertise in dealing with data protection, cybersecurity, privacy, intellectual property and related issues.


Subject – Brazil's new data protection law.

Significance – Brazil’s General Data Protection Law (LGPD) will come into effect in August 2020. Largely mirroring the EU’s General Data Protection Regulation (GDPR), the new legislation seeks to strengthen citizen privacy while also giving legal certainty to businesses engaging in data transfers. However, unlike EU jurisdictions, Brazil will not set up an autonomous data authority to enforce its legislation. Rather, its new National Data Protection Authority (ANPD) will be directly linked to the presidency and have no budgetary independence.

Impacts – A reduced talent pool will limit the growth of Brazilian firms in the digital economy. Shortages of relevant talent will affect companies’ ability to innovate. The shortcomings of Brazil’s data protection legislation could add a serious hurdle to the development of its digital economy.


2020 ◽  
Vol 22 (4) ◽  
pp. 289-305
Author(s):  
Artur Strzelecki ◽  
Mariia Rizun

Purpose – This paper aims to consider the changes brought to consumers’ trust and security issues by the implementation of the General Data Protection Regulation (GDPR) in electronic commerce.

Design/methodology/approach – Online shopping policies in Poland and Ukraine are compared from the perspective of four factors: application of terms of service and privacy policy, usage of online payment systems, presence in price comparison engines and grade of secure sockets layer (SSL) security certificates. The comparison is conducted within the framework of three research questions (complemented by eight hypotheses) set to reveal whether: policies of personal data protection and server security for online stores in both countries are the same; all online stores in both countries obey the existing e-commerce rules; and e-commerce policies in the two countries differ significantly. The sample for analysis contains 40 Polish and 40 Ukrainian online stores, representing four industries, namely, electronics, entertainment, fashion and goods for children.

Findings – The research revealed major differences in the privacy policies of the two countries, caused mainly by the absence of the GDPR in Ukraine. It also disclosed much stronger cooperation between online stores and price comparison engines in Poland compared to Ukraine. At the same time, the results show that server security in both countries is at the same, rather high, level and that online stores use transparent and safe methods of online payment.

Research limitations/implications – This research opens a way to other, expanded observations which will include more countries and larger scopes of data. Its main limitation is that GDPR influence is only studied in two countries, not in all countries where it is implemented.

Originality/value – This research contributes from the security and trust perspectives by analyzing the situation in two countries: an EU member (Poland) and a non-EU country (Ukraine). The value of exploring the situation of Ukrainian e-commerce lies in understanding how online stores function without implementing the GDPR. Observation of shopbot use leads to an important conclusion: online stores need to cooperate with such services. It was also revealed that consumers’ trust in both countries depends heavily on the payment methods applied by an online store and on the ease of use of these methods.

