
    A Privacy Impact Assessment Method for Organizations Implementing IoT for Occupational Health and Safety

    Internet of Things (IoT) technologies are increasingly being integrated into occupational health and safety (OHS) practices; however, their adoption raises significant privacy concerns. The General Data Protection Regulation (GDPR) requires organizations to conduct Privacy Impact Assessments (PIAs) prior to processing personal data, emphasizing the need for privacy safeguards in the workplace. Despite this, the GDPR provisions related to the IoT, particularly in the area of OHS, lack clarity and specificity. This research aims to bridge this gap by proposing a tailored method for conducting PIAs in the OHS context, with a particular focus on the "how to" aspect of the assessment process. The proposed method integrates insights from domain experts, relevant literature sources, and GDPR regulations, ultimately leading to the development of an online PIA tool.

    A Consent Framework for the Internet of Things in the GDPR Era

    The Internet of Things (IoT) is an environment of connected physical devices and objects that communicate amongst themselves over the internet. The IoT is based on the notion of always-connected customers, which allows businesses to collect large volumes of customer data to give them a competitive edge. Most of the data collected by these IoT devices include personal information, preferences, and behaviors. However, constant connectivity and sharing of data create security and privacy concerns. Laws and regulations like the General Data Protection Regulation (GDPR) of 2016 ensure that customers are protected by providing privacy and security guidelines to businesses. Data subjects (users) should be informed about what information is being collected about them and asked whether or not they consent. This dissertation proposes a consent framework that consists of data collection, consent collection, consent management, consent enforcement, and consent auditing. GDPR requirements are embedded in the different components of the framework. The consent framework can help organizations become GDPR consent compliant. In our evaluation of the solution, the results show that our solution covers GDPR consent requirements for our use case. Our main contributions are the consent framework, the consent manager, and the consent auditing tool.

    A Decentralized Personal Data Store based on Ethereum: Towards GDPR Compliance

    Sharing personal data with service providers is a fundamental resource for the times we live in. But data sharing represents an unavoidable issue, due to improper data treatment, users' lack of awareness of whom they are sharing with, and wrong or excessive data sharing by end users who do not realize they are exposing personal information. The problem becomes even more complicated if we consider the devices around us: how to share devices we own, so that we can receive pervasive services, based on our contexts and device functionalities. The European Authority has provided the General Data Protection Regulation (GDPR) in order to implement protection of sensitive data in each EU member state through certification mechanisms (according to Art. 42 GDPR). The certification assures compliance with the regulation, which represents a mandatory requirement for any service that may come into contact with sensitive data. Still, certification is an open process and not constrained by strict rules. In this paper we describe our decentralized approach to sharing personal data in the era of smart devices, where device data are considered sensitive data as well. Having in mind the centrality of users in the ownership of their data, we have proposed a decentralized Personal Data Store prototype, which stands as a unique data sharing endpoint for third-party services. Even if blockchain technologies may seem fit to solve the issue of data protection, because of the absence of a central authority, they raise additional concerns, especially when relating such technologies to the specifications described in the regulation. The current work offers a contribution to the advancement of personal data sharing management systems in a distributed environment by presenting a real prototype and an architectural blueprint, which advances the state of the art in order to meet the GDPR regulation. Addressing these issues from a technological perspective stands as an important challenge, in order to truly empower end users in owning their personal data.

    PERSONAL DATA PROTECTION RULES! GUIDELINES FOR PRIVACY-FRIENDLY SMART ENERGY SERVICES

    Privacy-friendly processing of personal data is proving to be increasingly challenging in today's energy systems as the amount of data grows. Smart energy services provide value creation and co-creation by processing sensitive user data collected from smart meters, smart home devices, storage systems, and renewable energy plants. To address this challenge, we analyze key topics and develop design requirements and design principles for privacy-friendly personal data processing in smart energy services. We identify these key topics through expert interviews, text mining, and topic modelling techniques based on 149 publications. Following this, we derive our design requirements and principles and evaluate them with experts and through an applicability check with three real-world smart energy services. Based on our results and findings, we establish a further research agenda consisting of five specific research directions.

    ID-based user-centric data usage auditing scheme for distributed environments

    Recent years have witnessed the trend of increasingly relying on remote and distributed infrastructures, mainly owned and managed by third parties. This has increased the number of reported security breaches compromising users' personal data, where the involved entities may collect and process massive amounts of such data. To address these challenges, this paper combines hierarchical Identity Based Cryptographic (IBC) mechanisms with emerging blockchain technologies and introduces a blockchain-based data usage auditing architecture ensuring availability and accountability in a personal-data-preserving fashion. The proposed approach relies on smart auditable contracts deployed on blockchain infrastructures. Thus, it offers transparent and controlled data access, sharing and processing, so that unauthorized entities cannot process data without data subjects' consent. Moreover, thanks to the use of hierarchical ID-based encryption and signature schemes, the proposed solution protects and ensures the confidentiality of users' personal data shared with multiple data controllers and processors. It also provides auditing capabilities with tamper-proof evidence for data usage compliance, supported by the intrinsic properties of blockchain technology.

    The UX of things: exploring UX principles to inform security and privacy design in the smart home

    Smart homes are under attack. Threats can harm both the security of these homes and the privacy of their inhabitants. As a result, in addition to delivering pleasant and aesthetic experiences, smart devices need to protect households from vulnerabilities and attacks. Further, the need for user-centered security and privacy design is particularly important for such an environment, given that inhabitants are demographically diverse (e.g., age, gender, educational level) and have different skills and (dis)abilities. Prior work has explored different usable security and privacy solutions for smart homes; however, the applicability of user eXperience (UX) principles to security and privacy design is under-explored. This research project aims to address the ongoing challenge of security and privacy in the smart home through the lens of UX design. The objective of this thesis is two-fold. First, to investigate how UX factors and principles affect the security and privacy of smart home users. Second, to inform product design through the development of an empirically tested framework for UX design of security and privacy in smart home products. In the first step, we explored the relationship between UX, security, and privacy in smart homes from user and designer perspectives: through (i) conducting a qualitative interview study with smart home users (n=13) and (ii) analyzing an ethnomethodologically informed study of six UK households living in smart homes (n=6); we then explored the role of UX in the design of security, privacy and data protection in smart homes through qualitative semi-structured interviews with smart home users, designers and business leaders over two rounds of interviews (n=20, n=20). In the second step, using conceptual framework analysis, we systematically analyzed our previously collected data and the literature to construct a framework of design heuristics for consent and permission in smart homes. We applied these heuristics in four participatory co-design workshops and reported on their use. We further analyzed the use of the heuristics through thematic analysis, highlighting how the heuristics were used, their purpose, and their effectiveness. By bringing UX design to the smart home security and privacy table, we believe that this research project will have a significant impact on academia, industry, and government organizations. Our thesis will improve design practices for security and privacy in domestic smart devices while addressing wider challenges, opportunities, and future work.

    Privacy Dashboards for Citizens and GDPR Services for Small Data Holders: A Literature Review

    Citizens have gained many rights with the GDPR, e.g. the right to obtain a copy of their personal data. In practice, however, this is fraught with problems for citizens and small data holders. We present a literature review on solutions promising relief in the form of privacy dashboards for citizens and GDPR services for small data holders. Covered topics are analyzed, categorized and compared. This is intended to be a step towards both enabling citizens to exercise their GDPR rights and supporting small data holders in complying with their GDPR duties.
    Comment: 27 pages