Practical evaluation of a reference architecture for the management of privacy level agreements

Purpose The enforcement of the General Data Protection Regulation imposes specific privacy- and -security related requirements that any organisation that processes European Union citizens’ personal data must comply with. The application of privacy- and security-by-design principles are assisting organisation in achieving compliance with the Regulation. The purpose of this study is to assist data controllers in their effort to achieve compliance with the new Regulation, by proposing the adoption of the privacy level agreement (PLA). A PLA is considered as a formal way for the data controllers and the data subjects to mutually agree the privacy settings of a service provisioned. A PLA supports privacy management, by analysing privacy threats, vulnerabilities and information systems’ trust relationships. Design/methodology/approach However, the concept of PLA has only been proposed on a theoretical level. To this aim, two different domains have been selected acting as real-life case studies, the public administration and the health care, where special categories of personal data are processed. Findings The results of the evaluation of the adoption of the PLA by the data controllers are positive. Furthermore, they indicate that the adoption of such an agreement facilitates data controllers in demonstrating transparency of their processes. Regarding data subjects, the evaluation process revealed that the use of the PLA increases trust levels on data controllers. Originality/value This paper proposes a novel reference architecture to enable PLA management in practice and reports on the application and evaluation of PLA management.

Download Full-text

Privacy, security, legal and technology acceptance elicited and consolidated requirements for a GDPR compliance platform

Information and Computer Security ◽

10.1108/ics-01-2020-0002 ◽

2020 ◽

Vol 28 (4) ◽

pp. 531-553 ◽

Cited By ~ 1

Author(s):

Aggeliki Tsohou ◽

Emmanouil Magkos ◽

Haralambos Mouratidis ◽

George Chrysoloras ◽

Luca Piras ◽

...

Keyword(s):

Technology Acceptance ◽

Data Protection ◽

Personal Data ◽

Secondary Process ◽

Multiple Perspectives ◽

Data Governance ◽

Content Type ◽

General Data Protection Regulation ◽

Personal Data Protection ◽

Eu Project

Purpose General data protection regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of data governance for supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform. Design/methodology/approach The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors. Findings The findings provide the process for the DEFeND platform requirements’ elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements. Practical implications The proposed software engineering methodology and data collection tools (i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry. Social implications It is reported repeatedly that data controllers face difficulties in complying with the GDPR. The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR, thus, offering a significant boost toward the European personal data protection objectives. Originality/value This is the first paper, according to the best of the authors’ knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives.

Download Full-text

Bulgarian public sector data breach reveals EU trend

Emerald Expert Briefings ◽

10.1108/oxan-db245651 ◽

2019 ◽

Keyword(s):

Public Sector ◽

Data Privacy ◽

Public Attention ◽

Data Breach ◽

Privacy And Security ◽

Content Type ◽

General Data Protection Regulation ◽

High Profile ◽

General Data ◽

Sector Data

Subject Public sector and GDPR. Significance Public attention before and since the EU’s General Data Protection Regulation (GDPR) came into effect in May 2018 has largely focused on high-profile corporate data breaches and fines, such as recently at British Airways and the hotel chain Marriott. However, the data breach at the Bulgarian National Revenue Agency last month put public sector agencies, and their obligations under GDPR, under the spotlight. Impacts The upsurge in data breach notifications will stabilise as GDPR implementation progresses. Local public sector agencies are beginning to take data privacy and security seriously. Outsourcing of public services to private contractors is complicating cybersecurity.

Download Full-text

Implementation of the personal data minimization principle in financial institutions: Lithuania’s case

Journal of Money Laundering Control ◽

10.1108/jmlc-11-2020-0128 ◽

2021 ◽

Vol ahead-of-print (ahead-of-print) ◽

Author(s):

Marius Laurinaitis ◽

Darius Štitilis ◽

Egidijus Verenius

Keyword(s):

Financial Institutions ◽

Personal Data ◽

Legal Framework ◽

Legal Regulation ◽

Point Of View ◽

Content Type ◽

General Data Protection Regulation ◽

Minimization Principle ◽

General Data ◽

The One

Purpose The purpose of this paper is to assess such processing of personal data for identification purposes from the point of view of the principle of data minimisation, as set out in the EU’s General Data Protection Regulation (GDPR) and examine whether the processing of personal data for these purposes can be considered proportionate, i.e. whether it is performed for the purposes defined and only as much as is necessary. Design/methodology/approach In this paper, the authors discuss and present the relevant legal regulation and examine the goals and implementation of such regulation in Lithuania. This paper also examines the conditions for the lawful processing of personal data and their application for the above-mentioned purposes. Findings This paper addresses the problem that, on the one hand, financial institutions must comply with the objectives of collecting as much personal data as possible under the AML Directive (this practice is supported by the supervisory authority, the Bank of Lithuania), and, on the other hand, they must comply with the principle of data minimisation established by the GDPR. Originality/value Financial institutions process large amounts of personal data. These data are processed for different purposes. One of the purposes of processing personal data is (or may be) related to the prevention of money laundering and terrorist financing. In implementing the Know Your Customer principle and the relevant legal framework derived from the EU AML Directive, financial institutions collect various data, including projected account turnovers, account holders' relatives involved in politics, etc.

Download Full-text

The goose that laid the golden eggs: personal data and the Internet of Things

Journal of Business Strategy ◽

10.1108/jbs-10-2018-0176 ◽

2019 ◽

Vol 40 (1) ◽

pp. 48-52 ◽

Cited By ~ 3

Author(s):

Peter Buell Hirsch

Keyword(s):

Internet Of Things ◽

Data Privacy ◽

Social Issues ◽

Personal Data ◽

The Internet ◽

Privacy And Security ◽

Content Type ◽

Secondary Sources ◽

Blockchain Technology ◽

The Internet Of Things

Purpose This viewpoint is intended to examine the issue of the monetization of personal data and the risks to companies that fail to understand this trend. Design/methodology/approach This paper reviews the recent literature on the use and abuse of personal data to identify relevant trends and issues. Findings It is likely, whether through blockchain technology or some other means, that individual consumers will be able to monetize their data. Research limitations/implications As a review of secondary sources rather than original sources, the findings are anecdotal and not comprehensive. Practical implications In the rapidly changing environment of data privacy and security, one should anticipate that the findings may become outdated by sudden events such as a new global data privacy breach. Social implications Ownership of personal data and its use or abuse is one of the single most important social issues in today’s world, with profound implications for civil society. Originality/value While there have been numerous studies cataloguing attempts to create monetization platforms for consumer data, there are not many studies on the reputational risks for companies in handling data from the Internet of Things.

Download Full-text

Europe's national regulators hold key to GDPR success

Emerald Expert Briefings ◽

10.1108/oxan-db243916 ◽

2019 ◽

Keyword(s):

Data Protection ◽

Public Awareness ◽

Personal Data ◽

Content Type ◽

General Data Protection Regulation ◽

Right To Be Forgotten ◽

General Data ◽

The Right ◽

Robust Regulation

Subject GDPR appraisal and outlook. Significance May 25, 2019 is the first anniversary of the EU’s General Data Protection Regulation (GDPR). The GDPR enhanced the rights of citizens regarding their personal data, including by giving them the ‘right to be forgotten’, and tightened controls on how organisations and businesses collect, store and process such data. Impacts A key shortcoming is ensuring the compliance of business beyond ‘big tech’. Public awareness of the GDPR in smaller EU states will lag that in larger states. Criticism of the Irish regulator will rise if it fails to demonstrate a clearer commitment towards robust regulation.

Download Full-text

Reengineering the user: privacy concerns about personal data on smartphones

Information and Computer Security ◽

10.1108/ics-10-2014-0071 ◽

2015 ◽

Vol 23 (4) ◽

pp. 394-405 ◽

Cited By ~ 10

Author(s):

Matina Tsavli ◽

Pavlos S. Efraimidis ◽

Vasilios Katos ◽

Lilian Mitrou

Keyword(s):

Operating Systems ◽

User Study ◽

Personal Data ◽

Point Of View ◽

Smart Devices ◽

User Privacy ◽

Privacy And Security ◽

Content Type ◽

Privacy Concerns ◽

The Impact

Purpose – This paper aims to discuss the privacy and security concerns that have risen from the permissions model in the Android operating system, along with two shortcomings that have not been adequately addressed. Design/methodology/approach – The impact of the applications’ evolutionary increment of permission requests from both the user’s and the developer’s point of view is studied, and finally, a series of remedies against the erosion of users’ privacy is proposed. Findings – The results of this work indicate that, even though providing access to personal data of smartphone users is by definition neither problematic nor unlawful, today’s smartphone operating systems do not provide an adequate level of protection for the user’s personal data. However, there are several ideas that can significantly improve the situation and mitigate privacy concerns of users of smart devices. Research limitations/implications – The proposed approach was evaluated through an examination of the Android’s permission model, although issues arise in other operating systems. The authors’ future intention is to conduct a user study to measure the user’s awareness and concepts surrounding privacy concerns to empirically investigate the above-mentioned suggestions. Practical implications – The proposed suggestions in this paper, if adopted in practice, could significantly improve the situation and mitigate privacy concerns of users of smart devices. Social implications – The recommendations proposed in this paper would strongly enhance the control of users over their personal data and improve their ability to distinguish legitimate apps from malware or grayware. Originality/value – This paper emphasises two shortcomings of the permissions models of mobile operating systems which, in authors’ view, have not been adequately addressed to date and propose an inherent way for apps and other entities of the mobile computing ecosystem to commit to responsible and transparent practices on mobile users’ privacy.

Download Full-text

Investigating the role of contextual factors in effectively executing communication evaluation and measurement

Journal of Communication Management ◽

10.1108/jcom-12-2018-0131 ◽

2019 ◽

Vol 23 (3) ◽

pp. 228-245 ◽

Cited By ~ 1

Author(s):

Stefania Romenti ◽

Grazia Murtarelli ◽

Angelo Miglietta ◽

Anne Gregory

Keyword(s):

Program Evaluation ◽

Contextual Factors ◽

Real Life ◽

Evaluation Process ◽

Strategic Communication ◽

Content Type ◽

Management Processes ◽

Professional Perspective ◽

And Performance

PurposeEvaluation and measurement (E&M) remains a critical and debated topic among communication scholars and practice. Substantial research and professional efforts have been devoted to discussing what should be measured and which methods should be applied. Most of the E&M models seem to carry a positivist imprint. But, in real-life, organizations could not have clear aims, enough resources, or adequate informative systems to support E&M. Moreover, several contextual factors could affect the implementation of E&M management processes. The communication literature rarely highlights these factors. To fulfill this gap, the purpose of this paper is to theorize the contextual factors relevant to the management of the evaluation process.Design/methodology/approachA scoping literature review was carried out exploring the role of contextual factors and impact of contextual factors on E&M management processes. More specifically, the review examines the contribution provided by program evaluation and performance measurement (PM) fields of research.FindingsThe paper provides a scoping review of program evaluation and PM approaches. Additionally, it explains how both streams of thought argued the importance of contextual factors, such as organizational, relational, cultural and communicative factors, for the success of any evaluation processes. The study underlined that the main evaluation models used in the field of communication have overlooked these studies and put on evidence the role of contextual factors in effectively executing communication E&M.Originality/valueThe paper enriches the dominant rationale concerning the E&M management processes by incorporating literature on: program evaluation; and PM. The analysis could provide useful insights also from a professional perspective, by helping practitioners for a contextual assessment of strategic communication programs and activities.

Download Full-text

Privacy Management System for the Purpose of Managing Personal Data Protection Challenges Regarding Monitoring of Employees: Hungary Specific Code of Conduct

SSRN Electronic Journal ◽

10.2139/ssrn.2288137 ◽

2012 ◽

Author(s):

Balazs Ratai

Keyword(s):

Data Protection ◽

Management System ◽

Code Of Conduct ◽

Personal Data ◽

Privacy Management ◽

Personal Data Protection

Download Full-text

The Risk-Based Approach to Data Protection

10.1093/oso/9780198837718.001.0001 ◽

2020 ◽

Author(s):

Raphaël Gellert

Keyword(s):

Risk Management ◽

Data Protection ◽

Personal Data ◽

Management Tools ◽

General Data Protection Regulation ◽

Regulation Theory ◽

Régulation Theory ◽

General Data ◽

Data Protection Law ◽

The Way

The main goal of this book is to provide an understanding of what is commonly referred to as “the risk-based approach to data protection”. An expression that came to the fore during the overhaul process of the EU’s General Data Protection Regulation (GDPR)—even though it can also be found in other statutes under different acceptations. At its core it consists in endowing the regulated organisation that process personal data with increased responsibility for complying with data protection mandates. Such increased compliance duties are performed through risk management tools. It addresses this topic from various perspectives. In framing the risk-based approach as the latest model of a series of regulation models, the book provides an analysis of data protection law from the perspective of regulation theory as well as risk and risk management literatures, and their mutual interlinkages. Further, it provides an overview of the policy developments that led to the adoption of such an approach, which it discusses in the light of regulation theory. It also includes various discussions pertaining to the risk-based approach’s scope and meaning, to the way it has been uptaken in statutes including key provisions such as accountability and data protection impact assessments, or to its potential and limitations. Finally, it analyses how the risk-based approach can be implemented in practice by providing technical analyses of various data protection risk management methodologies.

Download Full-text

Application of Blockchain in Education: GDPR-Compliant and Scalable Certification and Verification of Academic Information

Applied Sciences ◽

10.3390/app11104537 ◽

2021 ◽

Vol 11 (10) ◽

pp. 4537

Author(s):

Christian Delgado-von-Eitzen ◽

Luis Anido-Rifón ◽

Manuel J. Fernández-Iglesias

Keyword(s):

Data Protection ◽

Personal Data ◽

General Data Protection Regulation ◽

Certification System ◽

Proposed Model ◽

Different Types ◽

International Regulations ◽

Innovative Solution ◽

General Data ◽

Academic Information

Blockchain technologies are awakening in recent years the interest of different actors in various sectors and, among them, the education field, which is studying the application of these technologies to improve information traceability, accountability, and integrity, while guaranteeing its privacy, transparency, robustness, trustworthiness, and authenticity. Different interesting proposals and projects were launched and are currently being developed. Nevertheless, there are still issues not adequately addressed, such as scalability, privacy, and compliance with international regulations such as the General Data Protection Regulation in Europe. This paper analyzes the application of blockchain technologies and related challenges to issue and verify educational data and proposes an innovative solution to tackle them. The proposed model supports the issuance, storage, and verification of different types of academic information, both formal and informal, and complies with applicable regulations, protecting the privacy of users’ personal data. This proposal also addresses the scalability challenges and paves the way for a global academic certification system.

Download Full-text