Building data management capabilities to address data protection regulations: Learnings from EU-GDPR

The European Union’s General Data Protection Regulation (EU-GDPR) has initiated a paradigm shift in data protection toward greater choice and sovereignty for individuals and more accountability for organizations. Its strict rules have inspired data protection regulations in other parts of the world. However, many organizations are facing difficulty complying with the EU-GDPR: these new types of data protection regulations cannot be addressed by an adaptation of contractual frameworks, but require a fundamental reconceptualization of how companies store and process personal data on an enterprise-wide level. In this paper, we introduce the resource-based view as a theoretical lens to explain the lengthy trajectories towards compliance and argue that these regulations require companies to build dedicated, enterprise-wide data management capabilities. Following a design science research approach, we propose a theoretically and empirically grounded capability model for the EU-GDPR that integrates the interpretation of legal texts, findings from EU-GDPR-related publications, and practical insights from focus groups with experts from 22 companies and four EU-GDPR projects. Our study advances interdisciplinary research at the intersection between IS and law: First, the proposed capability model adds to the regulatory compliance management literature by connecting abstract compliance requirements to three groups of capabilities and the resources required for their implementation, and second, it provides an enterprise-wide perspective that integrates and extends the fragmented body of research on EU-GDPR. Practitioners may use the capability model to assess their current status and set up systematic approaches toward compliance with an increasing number of data protection regulations

The critical success factors of GDPR implementation - a systematic literature review

Purpose: The digital paradigm people live in today, which drastically increased the consumption of data, is a threat to their privacy. To create a high level of privacy protection for its citizens, the European Union proposed the General Data Protection Regulation (GDPR), which introduces obligations for organizations regarding the storing, processing, collecting and disclosing of data. This paper aims to identify the critical success factors of GDPR implementation. Design/methodology/approach: A systematic literature review was conducted by following a strict review protocol, where 32 documents were found relevant to perform the review and to answer to the proposed research questions. Findings: The critical success factors of GDPR implementation were identified, including barriers and enablers. Furthermore, benefits of complying with GDPR were identified. Research limitations/implications: As GDPR is a relatively recent subject, there are still few scientific papers about it. Therefore, the authors were unable to neither identify nor present a robust conclusion regarding specific topics, such as practical outcomes. Originality/value: On the basis of the literature, the identified critical success factors may be useful for organizations as these can be better prepared to achieve compliance by prioritizing the enablers and avoiding the barriers.info:eu-repo/semantics/acceptedVersio

Constructing privacy aware blockchain solutions: design guidelines and threat analysis techniques

Blockchain is an incipient technology that offers many strengths compared to traditional systems, such as decentralization, transparency and traceability. However, if the technology is to be used for processing personal data, complementary mechanisms must be identified that provide support for building systems that meet security and data protection requirements. In this work we study the integration of off-chain capabilities in blockchain-based solutions, moving data or computational operations outside the core blockchain network. Additionally, we develop a thorough analysis of the European and Uruguayan data protection regulation and discuss the weaknesses and strengths, regarding the security and privacy requirements established by that regulation, of solutions built using blockchain technology. Based on this analysis, we present a system architecture for the design of privacy aware solutions that are built using blockchain technology. We also put forward a systematic approach for performing a security and privacy threat analysis of such kind of solutions. Finally, we illustrate the use of the proposed methodological tools, presenting and discussing both the design and the security and privacy assessment of a system that provides services to handle, store and validate digital academic certificates.Blockchain es una tecnología incipiente que ofrece muchas fortalezas en comparación con los sistemas tradicionales, como la descentralización, la transparencia y la trazabilidad. Sin embargo, si se va a utilizar esta tecnología para el procesamiento de datos personales, se deben identificar mecanismos complementarios que brinden soporte a los sistemas de construcción que cumplan con los requisitos de seguridad y protección de datos. En este trabajo estudiamos la integración de capacidades de soluciones offchain en soluciones basadas en blockchain, moviendo datos u operaciones computacionales fuera de blockchain. Adicionalmente, desarrollamos un análisis exhaustivo del reglamento europeo y uruguayo de protección de datos personales y discutimos las debilidades y fortalezas, en cuanto a los requisitos de seguridad y privacidad que establece dicho reglamento, de las soluciones construidas con tecnología blockchain. En base a este análisis, presentamos un marco metodológico para el diseño de soluciones basadas en tecnología blockchain, pensando en la privacidad. También presentamos un enfoque sistemático para realizar un análisis de amenazas a la seguridad y la privacidad de este tipo de soluciones. Finalmente, ilustramos el uso de las herramientas metodológicas propuestas, presentando y discutiendo tanto el diseño como la evaluación de seguridad y privacidad de un sistema que brinda servicios para manejar, almacenar y validar certificados académicos digitales

Responsible Design Patterns for Machine Learning Pipelines

Integrating ethical practices into the AI development process for artificial intelligence (AI) is essential to ensure safe, fair, and responsible operation. AI ethics involves applying ethical principles to the entire life cycle of AI systems. This is essential to mitigate potential risks and harms associated with AI, such as algorithm biases. To achieve this goal, responsible design patterns (RDPs) are critical for Machine Learning (ML) pipelines to guarantee ethical and fair outcomes. In this paper, we propose a comprehensive framework incorporating RDPs into ML pipelines to mitigate risks and ensure the ethical development of AI systems. Our framework comprises new responsible AI design patterns for ML pipelines identified through a survey of AI ethics and data management experts and validated through real-world scenarios with expert feedback. The framework guides AI developers, data scientists, and policy-makers to implement ethical practices in AI development and deploy responsible AI systems in production.Comment: 20 pages, 4 figures, 5 table

Data Spaces

This open access book aims to educate data space designers to understand what is required to create a successful data space. It explores cutting-edge theory, technologies, methodologies, and best practices for data spaces for both industrial and personal data and provides the reader with a basis for understanding the design, deployment, and future directions of data spaces. The book captures the early lessons and experience in creating data spaces. It arranges these contributions into three parts covering design, deployment, and future directions respectively. The first part explores the design space of data spaces. The single chapters detail the organisational design for data spaces, data platforms, data governance federated learning, personal data sharing, data marketplaces, and hybrid artificial intelligence for data spaces. The second part describes the use of data spaces within real-world deployments. Its chapters are co-authored with industry experts and include case studies of data spaces in sectors including industry 4.0, food safety, FinTech, health care, and energy. The third and final part details future directions for data spaces, including challenges and opportunities for common European data spaces and privacy-preserving techniques for trustworthy data sharing. The book is of interest to two primary audiences: first, researchers interested in data management and data sharing, and second, practitioners and industry experts engaged in data-driven systems where the sharing and exchange of data within an ecosystem are critical

An advanced data fabric architecture leveraging homomorphic encryption and federated learning

Data fabric is an automated and AI-driven data fusion approach to accomplish data management unification without moving data to a centralized location for solving complex data problems. In a Federated learning architecture, the global model is trained based on the learned parameters of several local models that eliminate the necessity of moving data to a centralized repository for machine learning. This paper introduces a secure approach for medical image analysis using federated learning and partially homomorphic encryption within a distributed data fabric architecture. With this method, multiple parties can collaborate in training a machine-learning model without exchanging raw data but using the learned or fused features. The approach complies with laws and regulations such as HIPAA and GDPR, ensuring the privacy and security of the data. The study demonstrates the method's effectiveness through a case study on pituitary tumor classification, achieving a significant level of accuracy. However, the primary focus of the study is on the development and evaluation of federated learning and partially homomorphic encryption as tools for secure medical image analysis. The results highlight the potential of these techniques to be applied to other privacy-sensitive domains and contribute to the growing body of research on secure and privacy-preserving machine learning

Data Spaces

This open access book aims to educate data space designers to understand what is required to create a successful data space. It explores cutting-edge theory, technologies, methodologies, and best practices for data spaces for both industrial and personal data and provides the reader with a basis for understanding the design, deployment, and future directions of data spaces. The book captures the early lessons and experience in creating data spaces. It arranges these contributions into three parts covering design, deployment, and future directions respectively. The first part explores the design space of data spaces. The single chapters detail the organisational design for data spaces, data platforms, data governance federated learning, personal data sharing, data marketplaces, and hybrid artificial intelligence for data spaces. The second part describes the use of data spaces within real-world deployments. Its chapters are co-authored with industry experts and include case studies of data spaces in sectors including industry 4.0, food safety, FinTech, health care, and energy. The third and final part details future directions for data spaces, including challenges and opportunities for common European data spaces and privacy-preserving techniques for trustworthy data sharing. The book is of interest to two primary audiences: first, researchers interested in data management and data sharing, and second, practitioners and industry experts engaged in data-driven systems where the sharing and exchange of data within an ecosystem are critical