An Approach for Evaluating Organizational Data Processing Activities for GDPR Compliance

Selle lõputöö eesmärk oli leida lähenemine, mille abil hinnata GDPR vastavust ning seda lähenemist reaalse ettevõtte peal proovida. Teoreetilises osas analüüsiti GDPR-i põhilisi väljakutseid ning mõ-ningaid juhiseid, mille põhjal kavandati sobilik lähenemine. Lähenemist prooviti väikese B2B mude-liga ettevõtte peal, mille käigus kaardistati isikuandmete töötlusega seotud äriprotsessid ja koostati register töötlemistoimingutest. Ettevõttele pakuti välja ka edasised sammud saavutamaks täielikku GDPR vastavust.The goal of the thesis was to find an approach to assess GDPR compliance and test the approach on an actual company. In the theoretical part, GDPR’s main challenges and several guidelines were analysed, and a suitable approach was devised. The approach was tested on a small business-to-business company, during which business processes related to personal data were mapped and a reg-istry containing data processing activities was created. The company was also given recommenda-tions in achieving full compliance

Security governance as a service on the cloud

Small companies need help to detect and to respond to increasing security related threats. This paper presents a cloud service that automates processes that make checks for such threats, implement mitigating procedures, and generally instructs client companies on the steps to take. For instance, a process that automates the search for leaked credentials on the Dark Web will, in the event of a leak, trigger processes that instruct the client on how to change passwords and perhaps a micro-learning process on credential management. The security governance service runs on the cloud as it needs to be managed by a security expert and because it should run on an infrastructure separated from clients. It also runs as a cloud service for economy of scale: the processes it runs can service many clients simultaneously, since many threats are common to all. We also examine how the service may be used to prove to independent auditors (e.g., cyber-insurance agents) that a company is taking the necessary steps to implement its security obligations

Refinement of the General Data Protection Regulation (GDPR) Model: Administrative Fines Perspective

Isikuandmete kaitse üldmääruse (2016/679/EL; edaspidi ÜM) nõuetele vastamiseks vajavad organisatsioonid raamistikku, mis võimaldab hinnata oma äriprotsesside vastavust ÜM-ile. Sel eesmärgil on Tartu Ülikooli Arvutiteaduste Insituudi teadurid loomas tarkvaralist lahendust, mis võimaldab äriprotsesside vastavust ÜM-ile pool-automatiseerida. Lahenduse nimeks on hetkel pakutud Data Protection Observation Engine (edaspidi DPOE). Seni tehtud teadustöö on loonud DPOE kontseptuaalse mudeli, mis katab üldisi ÜM-i nõudeid UML formaadis kirjeldades peamisi olemeid, artefakte ja suhteid nende vahel (edaspidi DPOE Mudel). DPOE Mudel vajab aga valideerimist ÜM-i täielikkuse aspektist (st. kui palju ÜM-st on kaetud DPOE Mudeliga). Käesolev magistritöö täiendab olemasolevat teadustööd DPOE Mudeli õigusliku valideerimise näol. Valideerimine toimub ÜM artiklite 83(4) ja 83(5) baasil, mis kirjeldab võtmeartiklid, mille rikkumine võib kaasa tüüa rahatrahvid. Selline valideeriline võimaldab DPOE peamistel kasutajatel – andmekaitseametnikel – saada kindlust, et DPOE poolt genereeritud tulemused ja tõstatatud võimalikud mittevastavused on olulised, kuna need puudutavad võtmeartikleid. See omakorda tagab DPOE tulemuste terviklikkuse. Sellega luuakse ka võimalus võrrelda DPOE Mudeli hetkeversiooni täiustatud DPOE Mudeliga õigusliku täielikkuse (s.t. ÜM artiklite katmise) vaatest. DPOE Mudeli hetkeversiooni ja täiustatud versiooni rakendatakse äriprotsessile (ÕIS2 sisselogimine), et võrrelda, kui palju ÜM-i artikleid Mudelid katavad. Valideerimise ja mudelite rakendamisel äriprotsessile suurendatakse lõpptulemusena DPOE Mudeli küpsust.To meet the requirements of the General Data Protection Regulation (2016/679/EU; herein-after GDPR), organizations need a framework for assessing compliance of their business processes. For such purpose, a Data Protection Observation Engine (hereinafter DPOE) – a software tool enabling business process GDPR compliance check semi-automatically – is created by the researchers of Institute of Computer Science of University of Tartu. Current research on the DPOE has produced a conceptual model covering general GDPR require-ments in an UML format describing the key entities, artefacts and relationships between these (hereinafter DPOE Model). The DPOE Model, however, requires validation in terms of legal completeness (i.e. GDPR coverage). The thesis adds to the existing research by legally validating the DPOE Model from the perspective of Article 83(4) and 83(5) of the GDPR concerning administrative fines. These articles describe key GDPR requirements which’ infringement bring about fines up to 20,000,000 EUR. Thus, these are the require-ments every organization must treat with special attention in order to be compliant with the GDPR. This validation also enables the prime users of DPOE, the data protection officers, to trust the results generated by the DPOE as they know the potential incompliance issues raised are of key importance. This in turn ensures the integrity of the output of the DPOE. As such, the basis for comparing the current version of the DPOE Model to the refined DPOE Model in terms of legal completeness (i.e. GDPR article coverage) is created. In order to measure how legal completeness has in fact improved, the results generated by the refined DPOE Model are compared to the results generated by current version of the DPOE Model on an actual business process (ÕIS2 login process). As a result of the validation and the comparison of the current version of the Model to the refined Model, the maturity of the Model is enhanced

Process business modeling of emerging security threats with BPMN extension

Effective and rational management of a company cannot take place without the use of information technologies. Additionally, according to specific security requirements to protect the IT system against different threats, the development of a security system is significant for the companies and their clients and satisfactory common cooperation. The BPMN (Business Process Model and Notation) can be used for this purpose; however, the basic version of BPMN and its current extensions do not support the service of security threats. For this reason, we propose to extend the BPMN to be possible to model the chosen security issues coming from company business processes. The paper deals with the selected aspects of security requirements modeling in terms of emerging threats on the example of existing extensions of business process modeling language and the proposition of BPMN extension for chosen security issues together with the definition of information security policy

Personal Data Protection Inside and Out Integrating - Data Protection Requirements in the Data Lifecycle

Personal data is increasingly positioned as a valuable asset. While individuals generate and expose ever-expanding volumes of personal information online, certain tech companies have built their business models on the personal data they gather. In this context, lawmakers are revising data protection regulations in order to provide individuals with enhanced rights and set new rules regarding the way corporations collect, manage, and share personal information. We argue that recent data protection regulatory frameworks such as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) are fundamentally about data management. Yet, there have been no attempts to analyze the regulations in terms of their implications on the data life cycle. In this paper, we systematically analyze the GDPR and the CCPA, and identify their implications on the data life cycle. To synthesize our findings, we propose a semi-formal notation of the resulting changes on the personal data life cycle, in the form of a process and data model governed by business rules, consolidated in a reference personal data life cycle model for data protection. To the best of our knowledge, this study represents one of the first attempts to provide a data-centric view on data protection regulatory requirements

Modelling Inter-Organizational Business Processes Governance

Digital transformation requires decentralizing business process governance due to the increasing interdependencies of organizations and more complex business pipelines enabled by information technologies. We present a modelling approach to assist companies in their inter-organizational business process governance (IO-BPG). The results emerge from a design science research conducted with a major European telecommunications service provider. They include (1) the key domain attributes, (2) a domain-specific ontology, and (3) a BPMN extension instantiated in IO-BPG scenarios of Software-as-a-Service, covering structure, processes, and relational mechanisms. For theory, this paper extends the literature on business process governance with a modelling approach evaluated in one of the most regulated and dynamic economic sectors. For practice, our proposal may help appraise accountability, confidentiality, compliance, autonomy, authority, traceability, and collaboration configurations that are crucial to IO-BPG