Article
Publication date: 8 June 2020

Zafeiroula Georgiopoulou, Eleni-Laskarina Makri and Costas Lambrinoudakis

Abstract

Purpose

The purpose of this paper is to give a brief guidance on what a cloud provider should consider and what further actions to take to comply with General Data Protection Regulation (GDPR).

Design/methodology/approach

This paper presents in detail the requirements for GDPR compliance of cloud computing environments, presents the GDPR roles (data controller and data processor) in a cloud environment, discusses the applicability of GDPR compliance requirements for each cloud architecture (Infrastructure as a Service, Platform as a Service, Software as a Service), proposes countermeasures for satisfying the aforementioned requirements and demonstrates the applicability of the aforementioned requirements and countermeasures to a PaaS environment offering services for building, testing, deploying and managing applications through cloud managed data centers.

Findings

The results of the proposed GDPR compliance measures for cloud providers highlight the effort and criticality required from cloud providers to achieve compliance.

Originality/value

Details

Information & Computer Security, vol. 28 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 8 June 2020

Vasiliki Diamantopoulou, Aggeliki Tsohou and Maria Karyda

Abstract

Purpose

This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet the data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations can use this paper as a basis for extending the already existing security control modules towards data protection, and as guidance for reaching compliance with the regulation.

Design/methodology/approach

This study has followed a two-step approach; first, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of the ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, this paper identified GDPR requirements not addressed by ISO/IEC 27001:2013.

Findings

The findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere with the GDPR.

Originality/value

This paper provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.

Details

Information & Computer Security, vol. 28 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 9 August 2021

Luís Leite, Daniel Rodrigues dos Santos and Fernando Almeida

Abstract

Purpose

This paper aims to explore the changes imposed by the general data protection regulation (GDPR) on software engineering practices. The fundamental objective is to have a perception of the practices and phases that have experienced the greatest changes. Additionally, it aims to identify a set of good practices that can be adopted by software engineering companies.

Design/methodology/approach

This study uses a qualitative methodology through four case studies involving Portuguese software engineering companies. Two of these companies are small and medium enterprises (SMEs) while the other remaining two are micro-companies. The thematic analysis is adopted to identify patterns in the performed interviews.

Findings

The findings indicate that significant changes have occurred at all stages of software development. In particular, the initial stages of identifying requirements and modeling processes were the stages that experienced the greatest changes. By contrast, the technical development phase has not noticeably changed, but it is nevertheless necessary to consider the importance of training software developers in GDPR rules and practices.

Research limitations/implications

Two relevant limitations were identified as follows: only four case studies involving micro-companies and SMEs were considered, and only the traditional software development methodology was considered. The use of agile methodologies was not explored in this study and the findings can only be mainly applied to the waterfall model.

Originality/value

This study offers mainly practical contributions by identifying a set of challenges that are posed to software engineering companies by the implementation of GDPR. Through their knowledge, it is expected to help these companies to better prepare themselves and anticipate the challenges they will necessarily face.

Details

Information & Computer Security, vol. 30 no. 1
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 26 February 2019

Malkiat Thiarai, Sarunkorn Chotvijit and Stephen Jarvis

Abstract

Purpose

There is significant national interest in tackling issues surrounding the needs of vulnerable children and adults. This paper aims to argue that much value can be gained from the application of new data-analytic approaches to assist with the care provided to vulnerable children. This paper highlights the ethical and information governance issues raised in the development of a research project that sought to access and analyse children’s social care data.

Design/methodology/approach

The paper documents the process involved in identifying, accessing and using data held in Birmingham City Council’s social care system for collaborative research with a partner organisation. This includes identifying the data, its structure and format; understanding the Data Protection Act 1998 and 2018 (DPA) exemptions that are relevant to ensure that legal obligations are met; data security and access management; the ethical and governance approval process.

Findings

The findings will include approaches to understanding the data, its structure and accessibility, the tasks involved in addressing ethical and legal obligations, and the requirements of the ethical and governance processes.

Originality/value

The aim of this research is to highlight the potential use of new data-analytic techniques to examine the flow of children’s social care data from referral, through the assessment process, to the resulting service provision. Data held by Birmingham City Council are used throughout, and this paper highlights key ethical and information governance issues which were addressed in preparing and conducting the research. The findings provide insight for other data-led studies of a similar nature.

Details

Records Management Journal, vol. 29 no. 1/2
Type: Research Article
ISSN: 0956-5698

Book part
Publication date: 8 July 2021

Allan Third and John Domingue

Abstract

The Internet, the Web and social media have radically transformed a number of core pillars of our social fabric. The way billions of citizens work, interact and socialise is underpinned by our global network infrastructure. Unfortunately, we have also seen a number of negative effects from this transformation. As has been widely publicised, undesirable impacts include the spread of disinformation and fake news, attacks on democratic elections and the ‘weaponisation’ of personal data. This article describes some of the technological approaches that are being taken to address some of the above issues. At the core of these technologies are notions around decentralisation. With blockchains it is possible for citizens to create their own ‘self-sovereign’ identity – the digital equivalent of writing one's name onto a piece of paper – and acquire verification through blockchain-based techniques. An approach to alleviating the ‘weaponisation’ of personal and sensitive data is to give citizens their own data store. Initiatives such as Sir Tim Berners-Lee's Solid allow users to store, manage and control their own data according to any personal preferences or constraints. We believe that a combination of personal data stores and blockchains will lead to a new type of resilient communication and collaboration mechanism, whereby personal rights and empowerment are enhanced and transparency at the community level is integral.

Details

Media, Technology and Education in a Post-Truth Society
Type: Book
ISBN: 978-1-80043-907-8

Article
Publication date: 10 April 2023

Natasja Van Buggenhout, Wendy Van den Broeck, Ine Van Zeeland and Jo Pierson

Abstract

Purpose

Media users daily exchange personal data for “free” personalised media. Is this a fair trade, or user “exploitation”? Do personalisation benefits outweigh privacy risks?

Design/methodology/approach

This study surveyed experts in three consecutive online rounds (e-Delphi). The authors explored personal data processing value for media, personalisation relevance, benefits and risks for users. The authors scrutinised the value-exchange between media and users and determined whether media communicate transparently, or use “dark patterns” to obtain more personal data.

Findings

Communication to users must be clear, correct and concise (prevent user deception). Experts disagree on “payment” with personal data for “free” personalised media. This study discerned obstacles and solutions to substantially balance the interests of media and users (fair value exchange). Personal data processing must be transparent, profitable to media and users. Media can agree “sector-wide” on personalisation transparency. Fair, secure and transparent information disclosure to media is possible through shared responsibility and effort.

Originality/value

This study’s innovative contribution is threefold: Firstly, focus on professional stakeholders’ opinion in the value network. Secondly, recommendations to clearly communicate personalised media value, benefits and risks to users. This allows media to create codes of conduct that increase user trust. Thirdly, expanding literature explaining how media realise personal data value, deal with stakeholder interests and position themselves in the data processing debate. This research improves understanding of personal data value, processing benefits and potential risks in a regional context and European regulatory framework.

Details

Digital Policy, Regulation and Governance, vol. 25 no. 3
Type: Research Article
ISSN: 2398-5038

Article
Publication date: 3 June 2019

Gonçalo Almeida Teixeira, Miguel Mira da Silva and Ruben Pereira

Abstract

Purpose

The digital paradigm people live in today, which drastically increased the consumption of data, is a threat to their privacy. To create a high level of privacy protection for its citizens, the European Union proposed the General Data Protection Regulation (GDPR), which introduces obligations for organizations regarding the storing, processing, collecting and disclosing of data. This paper aims to identify the critical success factors of GDPR implementation.

Design/methodology/approach

A systematic literature review was conducted by following a strict review protocol, in which 32 documents were found relevant for performing the review and answering the proposed research questions.

Findings

The critical success factors of GDPR implementation were identified, including barriers and enablers. Furthermore, benefits of complying with GDPR were identified.

Research limitations/implications

As GDPR is a relatively recent subject, there are still few scientific papers about it. Therefore, the authors were unable to either identify or present a robust conclusion regarding specific topics, such as practical outcomes.

Originality/value

On the basis of the literature, the identified critical success factors may be useful for organizations as these can be better prepared to achieve compliance by prioritizing the enablers and avoiding the barriers.

Details

Digital Policy, Regulation and Governance, vol. 21 no. 4
Type: Research Article
ISSN: 2398-5038

Book part
Publication date: 6 December 2018

Albena Kuyumdzhieva

Abstract

The chapter deliberates on research ethics and the unanticipated side effects that technological developments have brought in the past decades. It looks at data protection and privacy through the prism of ethics and focuses on the need for safeguarding the fundamental rights of the research participants in the new digital era. Acknowledging the benefits of data analytics for boosting scientific process, the chapter reflects on the main principles and specific research derogations, introduced by the EU General Data Protection Regulation. Further on, it discusses some of the most pressing ethics concerns, related to the use, reuse, and misuse of data; the distinction between publicly available and open data; ethics challenges in online recruitment of research participants; and the potential bias and representativeness problems of Big Data research. The chapter underscores that all challenges should be properly addressed at the outset of research design. Highlighting the power asymmetries between Big Data studies and individuals’ rights to data protection, human dignity, and respect for private and family life, the chapter argues that anonymization may be reasonable, yet not the ultimate ethics solution. It asserts that while anonymization techniques may protect individual data protection rights, the former may not be sufficient to prevent discrimination and stigmatization of entire groups of populations. Finally, the chapter suggests some approaches for ensuring ethics compliance in the digital era.

Details

Ethics and Integrity in Health and Life Sciences Research
Type: Book
ISBN: 978-1-78743-572-8

Article
Publication date: 4 September 2019

Konstantina Vemou and Maria Karyda

Abstract

Purpose

This paper aims to practically guide privacy impact assessment (PIA) implementation by proposing a PIA process incorporating best practices from existing PIA guidelines and privacy research.

Design/methodology/approach

This paper critically reviews and assesses generic PIA methods proposed by related research, data protection authorities and standards organizations, to identify best practices and practically support PIA practitioners. To address identified gaps, best practices from the privacy literature are proposed.

Findings

This paper proposes a PIA process based on best practices, as well as an evaluation framework for existing PIA guidelines, focusing on practical support to PIA practitioners.

Practical implications

The proposed PIA process facilitates PIA practitioners in organizing and implementing PIA projects. This paper also provides an evaluation framework, comprising a comprehensive set of 17 criteria, for PIA practitioners to assess whether PIA methods/guidelines can adequately support requirements of their PIA projects (e.g. special legal framework and needs for PIA project organization guidance).

Originality/value

This research extends PIA guidelines (e.g. ISO 29134) by providing comprehensive and practical guidance to PIA practitioners. The proposed PIA process is based on best practices identified from evaluation of nine commonly used PIA methods, enriched with guidelines from privacy literature, to accommodate gaps and support tasks that were found to be inadequately described or lacking practical guidance.

Details

Information & Computer Security, vol. 28 no. 1
Type: Research Article
ISSN: 2056-4961
