Search results

21 – 30 of over 1000
Article
Publication date: 18 June 2020

Hanne Sørum and Wanda Presthus

Abstract

Purpose

This paper investigates the European Union's General Data Protection Regulation (GDPR) in information systems (ISs). The GDPR consists of 99 articles, and two articles are emphasised – namely Article 15, which deals with rights of access by the data subject, and Article 20, which deals with the right to data portability.

Design/methodology/approach

15 companies operating in the Norwegian consumer market were randomly selected. Each company received an inquiry pertaining to rights of access by the data subject (Article 15) and the right to data portability (Article 20). The research team carefully analysed the answers received and categorised the responses according to the two articles emphasised.

Findings

The findings show extensive variations among the companies in terms of response time, quality of feedback and how companies handle requests concerning rights of access by the data subject (Article 15) and the right to data portability (Article 20). Differences also pertain to the types of files, along with the content of these files. It should be noted, however, that most of the companies replied to the inquiry before the deadline. The findings show that companies comply better with Article 20 than Article 15. However, it appears that they do not differentiate between the two articles.

Originality/value

This study explores a research topic that is relatively new. It addresses a gap in the extant research by highlighting how the GDPR works in practice from a consumer's perspective. In addition, guidelines are offered to the consumers and companies affected by the GDPR.

Details

Information Technology & People, vol. 34 no. 3
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 22 October 2019

Hayretdin Bahşi, Ulrik Franke and Even Langfeldt Friberg

Abstract

Purpose

This paper aims to describe the cyber-insurance market in Norway but offers conclusions that are interesting to a wider audience.

Design/methodology/approach

The study is based on semi-structured interviews with supply-side actors: six general insurance companies, one marine insurance company and two insurance intermediaries.

Findings

The Norwegian cyber-insurance market supply-side has grown significantly in the past two years. The General Data Protection Regulation (GDPR) is found to have had a modest effect on the market so far but has been used by the supply-side as an icebreaker to discuss cyber-insurance with customers. The NIS Directive has had little or no impact on the Norwegian cyber-insurance market until now. Informants also indicate that Norway is still the least mature of the four Nordic markets.

Practical implications

Some policy lessons for different stakeholders are identified.

Originality/value

Empirical investigation of cyber-insurance is still rare, and the paper offers original insights on market composition and actor motivations, ambiguity of coverage, the NIS Directive and GDPR.

Details

Information & Computer Security, vol. 28 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 11 October 2021

Ragna Kemp Haraldsdottir and Johanna Gunnlaugsdottir

Abstract

Purpose

Many organizations are challenged by different and, perhaps, opposite, registration and protection obligations of information regarding their employees. The purpose of this paper is to explore how organizations balance the registration obligations of the Icelandic equal pay standard (EPS) and the protection requirements of the general data protection regulation (GDPR). It aims to raise awareness of how information professionals can ensure that documentation on the education and skills of employees is authentic, traceable and secure.

Design/methodology/approach

The analytical framework covered multiple-cases and semi-structured interviews with various professionals and comprehensive documentary analysis.

Findings

The findings indicate that the organizations were not properly prepared for the implementation of the EPS and were hesitant regarding further registration of personal information due to GDPR. Documentary analysis also revealed critical attitudes towards the legal endorsement of the standard and its potential success.

Originality/value

There is a lack of studies explaining the juxtaposition of information and records management and the legal and regulatory environment. This paper provides a unique description of how information and recordkeeping practices function with the requirements of the EPS whilst complying with GDPR. The results could bring valuable opportunities for the information profession regarding the development, implementation, administration and maintenance of documentary evidence regarding the requirements of international and national standards and legislations and advance their collaboration with other professionals in the management of information.

Article
Publication date: 1 April 2021

Lokke Moerel and Marijn Storm

Abstract

Purpose

To explain the authors’ position that the use of blockchain technology is not incompatible with European Union privacy laws and in particular the EU General Data Protection Regulation (GDPR).

Design/methodology/approach

Explains the basics of blockchain technology and the GDPR, several reasons why some scholars consider BC not to be compatible with the GDPR, and why the authors believe that the GDPR will be able to regulate the use of blockchain technology.

Findings

The current perception is that blockchain is not compatible with EU privacy laws. The authors disagree that this is the case and explain why none of the issues identified by legal scholars and stakeholders are likely to pose issues for blockchain technology. Their conclusion is that EU privacy laws are well able to regulate also this new technology. This does however not mean that blockchain will thus be suitable for all use and deployment cases.

Originality/value

Practical guidance and explanation of complex issues by lawyers with extensive experience and expertise in dealing with data protection, cybersecurity, privacy, intellectual property and related issues.

Details

Journal of Investment Compliance, vol. 22 no. 2
Type: Research Article
ISSN: 1528-5812

Article
Publication date: 8 September 2020

Artur Strzelecki and Mariia Rizun

Abstract

Purpose

This paper aims to consider the question of changes brought to consumers’ trust and security issues by the implementation of the General Data Protection Regulation (GDPR) in electronic commerce.

Design/methodology/approach

Online shopping policies in Poland and Ukraine are compared from the perspective of four factors as follows: application of terms of service and privacy policy, usage of online payment systems, presence in price comparison engines and grade of secure sockets layer security certificates. Comparison is conducted within the framework of three research questions (complemented by eight hypotheses) set to reveal whether: policies of personal data protection and server security for online stores in both countries are the same; all online stores in both countries obey the existing e-commerce rules; e-commerce policies in the two countries differ significantly. The sample for analysis contains 40 Polish and 40 Ukrainian online stores, representing four industries, namely, electronics, entertainment, fashion and goods for children.

Findings

The research revealed major differences in the privacy policy of the two countries, caused, mainly, by the absence of GDPR in Ukraine. It also disclosed much stronger cooperation of online stores and price comparison engines in Poland compared to Ukraine. At the same time, the research results indicate that server security in both countries is on the same rather high level and that online stores use transparent and safe methods of online payment.

Research limitations/implications

This research opens a way to other, expanded observations which will include more countries and larger scopes of data. Its main limitation is that GDPR influence is only studied in two countries, not in all countries where it is implemented.

Originality/value

This research contributes from security and trust perspectives by analyzing the situation in two countries as follows: the EU member (Poland) and a non-EU country (Ukraine). The value of exploring the situation of Ukrainian e-commerce consists of understanding how online stores function without implementing the GDPR. Observation of shopbots application allows drawing an important conclusion of the necessity for online stores to cooperate with such services. It was also revealed that consumers’ trust in both countries depends a lot on the payment methods applied by an online store and on the ease of use of these methods.

Details

Digital Policy, Regulation and Governance, vol. 22 no. 4
Type: Research Article
ISSN: 2398-5038

Book part
Publication date: 28 September 2023

Farha Khan and Akansha Mer

Abstract

The study focusses on the legal issues surrounding artificial intelligence (AI), which are being investigated and debated about several European Union initiatives to manage and regulate Information and Communication Technologies. The goal is to discuss the benefits and drawbacks of adopting AI technology and the ramifications for the articulations of law and politics in democratic constitutional countries. Thus, the study aims to identify socio-legal concerns and possible solutions to protect individuals’ interests. The exploratory study is based on statutes, rules, and committee reports. The study has used news pieces, reports issued by organisations and legal websites. The study revealed computer security vulnerabilities, unfairness, bias and discrimination, and legal personhood and intellectual property issues. Issues with privacy and data protection, liability for harm, and lack of accountability will all be discussed. The vulnerability framework is utilised in this chapter to strengthen comprehension of key areas of concern and to motivate risk and impact mitigation solutions to safeguard human welfare. Given the importance of AI’s effects on weak individuals and groups as well as their legal rights, this chapter contributes to the discourse, which is essential. The chapter advances the conversation while appreciating the legal work done in AI and the fact that this sector needs constant review and flexibility. As AI technology advances, new legal challenges, vulnerabilities, and implications for data privacy will inevitably arise, necessitating increased monitoring and research.

Details

Digital Transformation, Strategic Resilience, Cyber Security and Risk Management
Type: Book
ISBN: 978-1-83797-009-4

Book part
Publication date: 22 March 2022

Björn Fasterling

Abstract

The context of this chapter is the use of data and advanced data analytics in a commercial setting. Privacy is considered as protection from vulnerability, whereby vulnerability is understood as the state of being exposed to the possibility of being harmed, either physically or emotionally, or in fundamental rights other than privacy. Therefore, privacy's policy instruments, in particular data protection law, could be seen as a means to reduce the risk of harm resulting from data use. Such harm is probabilistic and often uncertain, which, however, does not exclude analyzing costs and benefits of regulatory data protection policies. When balancing privacy protections and opportunities for knowledge gain, regulatory policy could be viewed as superior, when it expands the range of possible trade-offs between vulnerability protection and gaining socially beneficial knowledge.

Details

The Law and Economics of Privacy, Personal Data, Artificial Intelligence, and Incomplete Monitoring
Type: Book
ISBN: 978-1-80262-002-3

Article
Publication date: 7 September 2022

Adrian Ford, Ameer Al-Nemrat, Seyed Ali Ghorashi and Julia Davidson

Abstract

Purpose

This paper aims to investigate the impact of the General Data Protection Regulation (GDPR) infringement fine announcements on the market value of mostly European publicly listed companies with a view to reinforcing the importance of data privacy compliance, thereby informing cyber security investment strategies for organisations.

Design/methodology/approach

Previous studies have shown (varying degrees of) evidence of a negative impact of data breach announcements on the share price of publicly listed companies. Following on from this research, further studies have been carried out in assessing the economic impact of the introduction of legislation in this area to encourage firms to invest in cyber security and protect the privacy of data subjects. Existing research has been predominantly US centric.

Findings

Using event study techniques, a data set of 25 GDPR fine announcement events was analysed, and statistically significant cumulative abnormal returns of around 1% on average up to three days after the event were identified. In almost all cases, this negative economic impact on market value far outweighed the monetary value of the fine itself, and relatively minor fines could result in major market valuation losses for companies, even those having large market capitalisations.

Originality/value

This research would be of benefit to business management, practitioners of cyber security, investors and shareholders as well as researchers in cyber security or related fields (pointers to future research are given). Data protection authorities may also find this work of interest.

Details

Information & Computer Security, vol. 31 no. 1
Type: Research Article
ISSN: 2056-4961

Expert briefing
Publication date: 28 November 2022

The European Commission has repeatedly rejected calls to assess the GDPR’s performance, but in June the European Data Protection Supervisor (EDPS) Wojciech Wiewiorowski broke the…

Details

DOI: 10.1108/OXAN-DB274294

ISSN: 2633-304X
