    Towards Data Protection Compliance

    Privacy and data protection are fundamental issues nowadays for every organization. This paper calls for the development of methods, techniques and infrastructure to allow the deployment of privacy-aware IT systems, in which humans are an integral part of the organizational processes and accountable for their possible misconduct. In particular, we discuss the challenges to be addressed in order to improve organizations' privacy practices, as well as the approach to ensure compliance with legal requirements and increasing efficiency.

    Comparing the protection and use of online personal information in South Africa and the United Kingdom in line with data protection requirements

    Purpose: This research investigates the difference between South Africa (SA) and the United Kingdom (UK) in terms of data protection compliance, with the aim of establishing whether a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements than a country that is preparing for compliance. Design/methodology/approach: An insurance industry multi-case study within the online insurance services environment was conducted. Personal Information (PI) of four newly created consumer profiles was deposited to 10 random insurance organisation websites in each country to evaluate a number of data privacy requirements of the Data Protection Act (DPA) and Protection of Personal Information Act (POPIA). Findings: The results demonstrate that not all the websites honoured the selected opt-out preferences, as direct marketing material from the insurance organisations in the sample was sent to both the SA and UK consumer profiles. Forty-two unsolicited third party contacts were received by the SA consumer profiles, whereas the UK consumer profiles did not receive any third party direct marketing. It was also found that the minimality principle is not always met by both SA and UK organisations. Research implications: As a jurisdiction with a heavy stance towards privacy implementation and regulation, the UK was found to be more compliant than SA in terms of implementation of the evaluated data protection requirements included in the scope of this study, although not fully compliant. Originality/value: Based upon the results obtained from this research, it is suggested that the SA insurance organisations should ensure that the non-compliance aspects relating to direct marketing and sharing data with third parties are addressed. SA insurance companies should learn from the manner in which the UK insurance organisations implement these privacy requirements. Furthermore, the UK insurance organisations should focus on improved compliance for direct marketing and the minimality principle. The study indicates the positive role that data protection legislation plays in a country like the UK with a more mature stance toward compliance with data protection legislation. This research is supported by the Women in Research (WiR) Grant from the University of South Africa.

    Building data management capabilities to address data protection regulations: Learnings from EU-GDPR

    The European Union’s General Data Protection Regulation (EU-GDPR) has initiated a paradigm shift in data protection toward greater choice and sovereignty for individuals and more accountability for organizations. Its strict rules have inspired data protection regulations in other parts of the world. However, many organizations are facing difficulty complying with the EU-GDPR: these new types of data protection regulations cannot be addressed by an adaptation of contractual frameworks, but require a fundamental reconceptualization of how companies store and process personal data on an enterprise-wide level. In this paper, we introduce the resource-based view as a theoretical lens to explain the lengthy trajectories towards compliance and argue that these regulations require companies to build dedicated, enterprise-wide data management capabilities. Following a design science research approach, we propose a theoretically and empirically grounded capability model for the EU-GDPR that integrates the interpretation of legal texts, findings from EU-GDPR-related publications, and practical insights from focus groups with experts from 22 companies and four EU-GDPR projects. Our study advances interdisciplinary research at the intersection between IS and law: First, the proposed capability model adds to the regulatory compliance management literature by connecting abstract compliance requirements to three groups of capabilities and the resources required for their implementation, and second, it provides an enterprise-wide perspective that integrates and extends the fragmented body of research on EU-GDPR. Practitioners may use the capability model to assess their current status and set up systematic approaches toward compliance with an increasing number of data protection regulations.

    Social acceptability of a marine protected area: The case of Reunion Island

    This paper examines variations in social acceptability of a Marine Protected Area (MPA) prior to implementation. The influence of a number of factors, including socio-economic characteristics, perception of the state of health of coral resources and attitudes towards non-compliance with regulations, is analysed. During May 2006, 640 questionnaires were distributed to school children around Reunion Island, Western Indian Ocean, for completion by their parents, following an informal educational activity conducted in school. From a 73% (n = 469) response rate, results showed that 78% of participants were in favour of the MPA. Analysis further identified that those supportive of the MPA were generally from higher socio-professional categories, had a negative perception of the coral reef ecosystem's health and were not originally from Reunion. In contrast, locals (born in Reunion) from lower socio-professional categories or with no employment activity and having a positive perception of the health status of coral reefs offered no opinion on the MPA. Attitudes towards enforcement and compliance highlighted that SCUBA divers, fishers and jet skiers attributed a higher value to the protection of the coral reef environment through enforcement of MPA regulations than to their own use of the coral reef resource. When asked about the use of penalties to deter non-compliance, swimmers were awarded the lowest fines, followed by SCUBA divers and fishers, with jet skiers being awarded the highest fines. Thus, the more severe the act of non-compliance by a resource user group was perceived to be, the more these users themselves disapproved of non-compliant behaviour and supported use of high penalties. The survey design, through focusing on school children's parents, demonstrated a simple and cost-effective method for data collection while providing environmental education, which could be employed in similar case studies elsewhere.

    Towards Software-Defined Data Protection: GDPR Compliance at the Storage Layer is Within Reach

    Enforcing data protection and privacy rules within large data processing applications is becoming increasingly important, especially in the light of GDPR and similar regulatory frameworks. Most modern data processing happens on top of a distributed storage layer, and securing this layer against accidental or malicious misuse is crucial to ensuring global privacy guarantees. However, the performance overhead and the additional complexity of doing so are often assumed to be significant -- in this work we describe a path forward that tackles both challenges. We propose "Software-Defined Data Protection" (SDP), an adoption of the "Software-Defined Storage" approach to non-performance aspects: a trusted controller translates company- and application-specific policies to a set of rules deployed on the storage nodes. These, in turn, apply the rules at line rate but do not take any decisions on their own. Such an approach decouples often-changing policies from request-level enforcement and allows storage nodes to implement the latter more efficiently. Even though in-storage processing brings challenges, mainly because it can jeopardize line-rate processing, we argue that today's Smart Storage solutions can already implement the required functionality, thanks to the separation of concerns introduced by SDP. We highlight the challenges that remain, especially that of trusting the storage nodes. These need to be tackled before we can reach widespread adoption in cloud environments.

    General Data Protection Regulation: Preparing HR for Change

    The European General Data Protection Regulation (GDPR) replaces the outdated Data Protection Directive that was introduced in 1995 by the European Parliament. The new directive will be stricter than the earlier one. The General Data Protection Regulation is a legal outline for organizations that gather and process the personal data of European residents. The regulatory framework provides people with the right to data confidentiality and principles for processing personal data, while also imposing hefty fines for organizations that fail to comply with the law. The aim of this thesis is to look at how the case company's subsidiaries' Human Resource departments are prepared to implement the new legislation. The focus is on whether the subsidiary group companies' HR managers are taking the necessary steps to move towards adopting the General Data Protection Regulation that was set by the European Parliament and Council for storing personal data by 25 May 2018. The study will also identify the procedures that need to be developed to comply with the regulation through content analysis. The questionnaire was created together with the commissioning company's thesis supervisor to ensure a clear structure that provides coherent results. The study was thus conducted through a qualitative research approach, utilizing methods such as questionnaires as a primary source of information and secondary desk-top data research. The findings show that the subsidiary group companies were not ready with the implementation of the necessary processes towards GDPR compliance. As the case company is centralising its operations, an action plan for HR's policies and procedures is needed towards GDPR compliance. HR is recommended to audit its data in order to understand what documents, policies and procedures are currently compliant with the GDPR.

    Enabling the new economic actor: personal data regulation and the digital economy

    This paper offers a sociological perspective on data protection regulation and its relevance to the design of digital technologies that exploit or ‘trade in’ personal data. From this perspective, proposed data protection regulations in Europe and the US seek to create a new economic actor – the consumer as personal data trader – through new legal frameworks that shift the locus of agency and control in data processing towards the individual. The sociological perspective on proposed data regulation recognises the reflexive relationship between law and the social order, and the commensurate need to balance the demand for compliance with the design of tools and resources that enable this new economic actor: tools that both provide data protection to the individual and allow the individual to exploit personal data to become an active player in the emerging data economy.

    Identity principles in the digital age: a closer view

    Identity and its management is now an integral part of web-based services and applications. It is also a live political issue that has captured the interest of organisations, businesses and society generally. As identity management systems assume functionally equivalent roles, their significance for privacy cannot be underestimated. The Centre for Democracy and Technology has recently released a draft version of what it regards as key privacy principles for identity management in the digital age. This paper will provide an overview of the key benchmarks identified by the CDT. The focus of this paper is to explore how best the Data Protection legislation can be said to provide a framework which maintains a proper balance between 'identity'-conscious technology and an individual's expectation of privacy for personal and sensitive data. The central argument will be that increased compliance with the key principles is not only appropriate for a distributed privacy environment but will go some way towards creating a space for various stakeholders to reach consensus applicable to existing and new information and communication technologies. The conclusion is that securing compliance with the legislation will prove to be the biggest governance challenge. Standard setting and norms will go some way to ease the need for centralised regulatory oversight.

    Privacy, security, legal and technology acceptance requirements for a GDPR compliance platform.

    GDPR entered into force in May 2018 to enhance user data protection. Even though GDPR leads towards a radical change with many advantages for the data subjects, it turned out to be a significant challenge. Organizations need to make long and complex changes for their personal data processing activities to become GDPR compliant. Citizens as data subjects are empowered with new rights, which, however, they need to become aware of and understand. Finally, the role of data protection authorities changes, as well as their expectations of organizations. GDPR compliance being a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of the Data govErnance For supportiNg gDpr (DEFeND) EU Project is to deliver such a platform. To succeed, the platform needs to satisfy legal and privacy requirements, be effective in supporting organizations in GDPR compliance, and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, we describe the process, within the DEFeND EU Project, for eliciting and analyzing requirements for such a complex platform, by involving stakeholders from the banking, energy, health and public administration sectors, and using advanced frameworks for privacy requirements and acceptance requirements. The paper also contributes by providing elicited privacy and acceptance requirements concerning a holistic platform for supporting GDPR compliance.