    The critical success factors of GDPR implementation - a systematic literature review

    Purpose: The digital paradigm people live in today, which has drastically increased the consumption of data, is a threat to their privacy. To create a high level of privacy protection for its citizens, the European Union proposed the General Data Protection Regulation (GDPR), which introduces obligations for organizations regarding the storing, processing, collecting and disclosing of data. This paper aims to identify the critical success factors of GDPR implementation.
    Design/methodology/approach: A systematic literature review was conducted following a strict review protocol; 32 documents were found relevant for performing the review and answering the proposed research questions.
    Findings: The critical success factors of GDPR implementation were identified, including barriers and enablers. Furthermore, benefits of complying with GDPR were identified.
    Research limitations/implications: As GDPR is a relatively recent subject, there are still few scientific papers about it. Therefore, the authors were unable to either identify or present a robust conclusion regarding specific topics, such as practical outcomes.
    Originality/value: On the basis of the literature, the identified critical success factors may be useful for organizations, which can be better prepared to achieve compliance by prioritizing the enablers and avoiding the barriers.

    Information security failures identified and measured – ISO/IEC 27001:2013 controls ranked based on GDPR penalty case analysis

    This paper identifies the failures and impacts of information security, as well as the most effective controls to mitigate information security risks in organizations. Root cause analysis was conducted on all year-2020 GDPR penalty cases (n = 81) based on misconduct as defined in GDPR Article 32, “Security of processing.” ISO/IEC 27001 controls were used as failure identifiers in the analysis. As a result, this study presents both the most frequent and the most expensive information security failures and correspondingly ranks the controls observed in the analysis and presents their correlation. From a theoretical perspective, our study contributes by bridging the gap between regulation and information security, introduces a statistical method to analyze the GDPR penalty cases, and provides previously unreported findings about information security failures and their respective solutions. From a practical perspective, the results of our study are useful for organizations which aspire to manage information security more effectively in order to prevent the most typical and expensive information security failures. Organizations, as well as auditors implementing and assuring ISO 27001, may use our results as a guideline whereby controls should be applied and verified first in sequential order based on their impact and interdependence. © 2023 The Author(s). Published with license by Taylor & Francis Group, LLC. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/).

    Cyber-Physical Threat Intelligence for Critical Infrastructures Security

    Modern critical infrastructures can be considered as large-scale Cyber-Physical Systems (CPS). Therefore, when designing, implementing, and operating systems for Critical Infrastructure Protection (CIP), the boundaries between physical security and cybersecurity are blurred. Emerging systems for Critical Infrastructures Security and Protection must therefore consider integrated approaches that emphasize the interplay between cybersecurity and physical security techniques. Hence, there is a need for a new type of integrated security intelligence, i.e., Cyber-Physical Threat Intelligence (CPTI). This book presents novel solutions for integrated Cyber-Physical Threat Intelligence for infrastructures in various sectors, such as Industrial Sites and Plants, Air Transport, Gas, Healthcare, and Finance. The solutions rely on novel methods and technologies, such as integrated modelling for cyber-physical systems, novel reliance indicators, and data-driven approaches including Big Data analytics and Artificial Intelligence (AI). Some of the presented approaches are sector-agnostic, i.e., applicable to different sectors with a fair customization effort. Nevertheless, the book also presents the particular challenges of specific sectors and how they can be addressed. The presented solutions consider the European policy context for Security, Cybersecurity, and Critical Infrastructure Protection, as laid out by the European Commission (EC) to support its Member States in protecting and ensuring the resilience of their critical infrastructures. Most of the co-authors and contributors are from European Research and Technology Organizations, as well as from European Critical Infrastructure Operators. Hence, the presented solutions respect the European approach to CIP, as reflected in the pillars of the European policy framework. The latter includes, for example, the Directive on security of network and information systems (NIS Directive), the Directive on protecting European Critical Infrastructures, the General Data Protection Regulation (GDPR), and the Cybersecurity Act Regulation. The sector-specific solutions described in the book have been developed and validated in the scope of several EC co-funded projects on Critical Infrastructure Protection, which focus on the listed sectors. Overall, the book illustrates a rich set of systems, technologies, and applications that critical infrastructure operators could consult to shape their future strategies. It also provides a catalogue of CPTI case studies in different sectors, which could be useful for security consultants and practitioners as well.

    Public Policy and Artificial Intelligence: Vantage Points for Critical Inquiry

    This chapter introduces three key lines of critical inquiry to address the relationship between artificial intelligence (AI) and public policy. We provide three vantage points to better understand this relationship, in which dominant narratives about AI’s merits for public sector decisions and service provision often clash with real-world experiences of their limitations and illegal effects. First, we critically examine the political drivers for, and significance of, how we define AI, its role and workings in the policy world, and how we demarcate the scope of regulation. Second, we explore the AI/policy relationship by focusing on how it unfolds through specific, but often contradictory and ambivalent, practices that, in different settings, combine meaning, strategic action, technological affordances, as well as material/digital objects and their effects. Our third vantage point critically assesses how these practices are situated in an uneven political economy of AI technology production, and with what implications for global justice.

    European (energy) data exchange reference architecture 3.0

    This is the third version of the Data Exchange Reference Architecture (DERA 3.0). The BRIDGE report on the energy data exchange reference architecture aims to contribute to the discussion and to practical steps towards truly interoperable and business-process-agnostic data exchange arrangements on a European scale, both inside the energy domain and across different domains.

    DERA 3.0 recommendations related to the implementation of DERA:
    A. Leverage Smart Grid Architecture Model (SGAM) usage by completing it with data governance requirements, specifically from the end-customer perspective, and map it to the reference architectures of other sectors (similar to RAMI 4.0 for industry, the Reference Architecture Model Industrie 4.0, and the CREATE-IoT 3D RAM for health, the Reference Architecture Model of the CREATE-IoT project), including a basic interoperability vocabulary with non-energy sectors.
    B. Facilitate European strategy, regulation (harmonisation of national regulations) and practical tools for cross-sector exchange of any type of both private and public data, e.g. through reference models for data spaces, common data governance and data interoperability implementing acts.
    C. Ensure cooperation between appropriate associations, countries and sector representatives to work on cross-sector and cross-border data management by establishing a European data cooperation agency. This involves ongoing empowering/restructuring of the Data Management WG of the BRIDGE Initiative to engage other sectors and extend cooperation with projects that are not EU-funded and with the European Standardisation Organisations (CEN-CENELEC-ETSI).
    D. Harmonise the development, content and accessibility of data exchange business use cases for the cross-sector domain through the BRIDGE use case repository. Track tools that identify common features of use cases, e.g. interfaces between sectors, and enable alignment with any potential peer repositories for other domains. Also, the use case repository must rely on the HEMRM with additional roles created by some projects or roles coming from other associations (related to a sector other than the electricity/energy sector).
    E. Use the BRIDGE use case repository for aligning the role selection. Harmonise data roles across electricity and other energy domains by developing HERM (Harmonised Energy Role Model) and ensure access to model files. Look for consistency with other domains outside energy based on this HERM (cross-sectoral roles). The Harmonised Energy Role Model shall have clear implications and connections with data (space) roles such as data provider/consumer, service provider, etc.

    [Figure: DERA 3.0 overview diagram. Recoverable labels: Data Endpoints, Data Space Connector, Data Processing, Standard Communication Protocols & Formats, Data Harmonization, Data Persistence, Vocabulary Provider, Credential Manager, Identity Manager, Monitoring & Orchestration, Data Discovery, Data Indexer, Local AI/ML Services, Digital Twins, Marketplace Backend, Marketplace Frontend; Federated and Local Use Cases and Business needs; Energy Regulation, EU Regulation; layers Actors, Business, Function, Information, Comp., Comms; Non-personal data; Security/Resilience, User Acceptance, Sovereignty, Open Source, Interoperability (Local/Federated), Trust, Data value, Governance.]

    F. Define and harmonise functional data processes for the cross-sector domain, using a common vocabulary, template and repository for the respective use cases’ descriptions. Harmonisation of functional data processes for cross-sector data ecosystems includes the Vocabulary provider, Federated catalogue, Data quality, Data accounting processes, Clearing process (audit, logging, etc.) and Data tracking and provenance.
    G. Define and maintain a common reference semantic data model, and ensure access to its model files to facilitate cross-sector data exchange, by leveraging existing data models like the Common Information Model (CIM) of the International Electrotechnical Commission (IEC) and ontologies like the Smart Appliances Reference Ontology (SAREF).
    H. Develop cross-sector data models and profiles, with a specific focus on private data exchange. Enable open access to model files whenever possible.
    I. Ensure a protocol-agnostic approach to cross-sector data exchange by selecting standardised and open protocols.
    J. Ensure a data-format-agnostic approach to cross-sector data exchange. The work done by projects like TDX-ASSIST and EU-SysFlex (using IEC CIM) and PLATOON (using SAREF) must be shared and made known to consolidate the approach in order to reach semantic interoperability. Metadata must also be taken into account.
    K. Promote business-process-agnostic DEPs (Data Exchange Platforms) and make them interoperable by developing APIs (Application Programming Interfaces) that enable data providers and data users to connect easily to any European DEP, and also create the possibility that connecting to one DEP ensures data exchange with any other stakeholder in Europe. DEPs shall explore the integration of data space connectors towards their connectivity with other DEPs, including cross-sector ones.
    L. Develop universal data applications which can serve any domain. Develop open data-driven services that also promote cross-sector integration, collectively available in application repositories.

    Possible next steps (“sub-actions”) for 2023/2024:
    ➢ Release the BRIDGE Federated Service Catalogue tool and associated process.
    ➢ Release the DERA interactive visualisation tool.
    ➢ Follow up the implementation of DERA 3.0 in BRIDGE projects (mapping to DERA).
    ➢ Update recommendations to comply with DERA 3.0.
    ➢ Develop / enhance the “data role model”.

    Data Ecosystem Business Models: Value and control in Data Ecosystems

    Purpose: Organizations evolve from using and governing data internally towards the exchange of data in multi-organizational data ecosystems. The purpose of this research is to determine a business model framework for actors operating in and/or entering a data ecosystem.
    Methodology: To determine a business model framework in data ecosystems, an analysis was made of how the research fields of “business models”, “data governance”, “data ecosystems”, “data sharing” and “business ecosystem” complement each other. A business model framework was created and applied to three use case studies in the field of Smart Cities and Urban Digital Twins: the Helsinki Digital Twin, the Rotterdam Digital Twin, and the Smart Retail Dashboard in Flanders.
    Findings: The business model of actors in a data ecosystem is determined by value and control factors. Value is determined by the capability to create value through the exchange of data in the ecosystem, and to capture value through revenue (sharing) models and cost (sharing) models. Control is determined by ecosystem control. Governance models on the ecosystem level are required to enable the collaboration and to ensure the trust that underpins the willingness to share data. Additionally, data governance on an ecosystem level is required, enabling the data exchange between the actors.
    Research Limitations: The model was applied to three use cases in Smart Cities and Urban Digital Twins. Consequently, the data ecosystems involve a high presence of public actors, yet also include private companies. The applicability needs to be identified in other sectors in further research. Additionally, as the scope of the study was on business models, data governance, data sharing and data ecosystems, abstraction was made of fields of study beyond these topics.
    Value and practical implications: The Data Ecosystem Business Model framework can serve as a guideline for organizations entering a data ecosystem, as well as for actors aiming to establish novel data ecosystems. Additionally, the framework can serve as a high-level overview for further research into the field of business models in data ecosystems.

    The Elements of Big Data Value

    This open access book presents the foundations of the Big Data research and innovation ecosystem and the associated enablers that facilitate delivering value from data for business and society. It provides insights into the key elements for research and innovation, technical architectures, business models, skills, and best practices to support the creation of data-driven solutions and organizations. The book is a compilation of selected high-quality chapters covering best practices, technologies, experiences, and practical recommendations on research and innovation for big data. The contributions are grouped into four parts:
    · Part I: Ecosystem Elements of Big Data Value focuses on establishing the big data value ecosystem using a holistic approach to make it attractive and valuable to all stakeholders.
    · Part II: Research and Innovation Elements of Big Data Value details the key technical and capability challenges to be addressed for delivering big data value.
    · Part III: Business, Policy, and Societal Elements of Big Data Value investigates the need to make more efficient use of big data and to understand that data is an asset with significant potential for the economy and society.
    · Part IV: Emerging Elements of Big Data Value explores the critical elements for maximizing the future potential of big data value.
    Overall, readers are provided with insights which can support them in creating data-driven solutions, organizations, and productive data ecosystems. The material represents the results of a collective effort undertaken by the European data community as part of the Big Data Value Public-Private Partnership (PPP) between the European Commission and the Big Data Value Association (BDVA) to boost data-driven digital transformation.

    Data spaces and the (trans)formations of data innovation and governance

    In this thesis, I theorize data innovation and governance as simultaneous processes and account for the distinctive nature of data. Utilizing the concept of space, I show how data innovation and governance in multi-actor environments unfold across certain structures of possible forms, and how the realities data refer to condition the forms innovation and governance can take. The uniqueness of data entities has been of interest to information systems scholars, imparting distinct value-creation possibilities and dedicated governance approaches. In the literature on digital innovation, data have been referred to as semantic entities whose value can be open-endedly explored once assigned meaning by actors to fulfill various goals and purposes. Across the literature on data governance, data have been referred to as strategic assets that are governed by organizations. This duality of data, as valuable resources that at the same time require proper governance, has also been central in practical debates, such as the European Union’s aspirations for developing data spaces as shared infrastructures for innovating with data while preserving European values, laws and regulations. Data innovation commonly requires recombining data that are produced, copied, shared, and used across multiple actors, requiring forms of governance extending beyond the boundaries of single organizations. In this thesis, I build on the process-oriented, realist ontology of assemblage theory to account for data’s distinctive nature and utilize the concept of space to theorize processes of innovation and governance in multi-actor environments. Data spaces, as argued in this thesis, are neither solely geometrical nor networked; instead, they provide forms across which processes of data innovation and governance can change their spatial configurations.
    Empirically, I study data spaces through an embedded case study in the highly regulated Norwegian healthcare sector dealing with personal and sensitive health data. The cases take an information infrastructure perspective on studying how health data (including electronic patient record data and patient-generated health data) were innovated with and governed across multiple public and private actors. Overall, the meta-analysis shows how innovation and governance with health data took on different forms as data were processed for various purposes across multiple intertwined data spaces. This thesis is aimed at theory-building and its contribution is two-fold. First, it shows how the concept of data spaces can be used to study processes of data innovation and governance as unfolding across various organizations, digital technologies, legal bases, and data sources, by changing their spatial configurations as certain thresholds are reached. Second, it shows how data do not simply decouple from the realities they refer to; rather, these realities condition the forms data innovation and governance can take and are shaped by these processes in return.