Figure - available from: SN Computer Science
Overview of the SMOOTH platform

Source publication
Article
Full-text available
Confidence in information and communication technology services and systems is crucial for the digital society which we live in, but this confidence is not possible without privacy-enhancing tools and technologies, nor without risks management frameworks that guarantee privacy, data protection, and secure digital identities. This paper provides inf...

Similar publications

Article
Full-text available
In order to empower user data protection and user rights, the European General Data Protection Regulation (GDPR) has been enforced. On the positive side, the user is obtaining advantages from GDPR. However, organisations are facing many difficulties in interpreting GDPR, and to properly applying it, and, in the meanwhile, due to their lack of compl...

Citations

... The GDPR aims to standardize and modernize data protection legislation related to the Internet, social media and the digital market, and to ensure and expand the rights of EU citizens regarding the privacy of their data. R. Carvalho et al. note that the transfer of control over personal data to individuals in the EU with the granting of new rights to EU data subjects has an impact on how organizations work with personal information [40]. And it is the GDPR that has changed the way personal information is collected and managed, including the definition of new roles in data organizations. ...
Article
Relevance. The relevance of the study lies in the need to develop theoretical ideas about this issue and identify promising areas for implementation in the legislation of the Republic of Kazakhstan, which today is not perfect in the context of legal regulation of personal data protection. Purpose. The purpose of the study was to study the features of personal data protection in the Republic of Kazakhstan and other countries (European Union countries, the United States of America, and Brazil). Methodology. The methodological basis of the article was the methods of statistical analysis, analogy and generalization, as well as comparative legal, formal legal and formal logical methods. Results. The study revealed the features of the legal regulation of the protection of personal data under the legislation of the Republic of Kazakhstan. In addition, it was found that the legislation of the European Union contains additional obligations that are aimed at maximum protection of personal data. However, the current legislation of Kazakhstan is fragmented and does not fully pay due attention to the protection of personal data. In this regard, it was proposed to revise and update the rules for the protection of personal data for specific industries, taking into account their specifics. In addition, the importance of raising citizens' awareness of the rights and responsibilities in the field of the digital sphere is emphasized, which includes the popularization of knowledge about the safe use of the Internet, means of protecting personal data and cyber hygiene. Conclusions. The role of active cooperation with international partners and organizations is noted, which will help to exchange experience and best practices in the field of digital security and personal data protection.
Regular reviews and revisions of existing protection mechanisms, as well as the introduction of new technological solutions and innovations, will help ensure a sustainable and reliable digital ecosystem in the long term.
... Prior research has shed light on various aspects of GDPR compliance (e.g. de Carvalho et al., 2020; Mangini et al., 2020; Pathak et al., 2023; Politou et al., 2018); however, there remains a need to consolidate and synthesise the available literature to gain a comprehensive understanding of the challenges encountered by organisations (Teixeira et al., 2019). This study seeks to address this gap by conducting a systematic review of the existing literature to understand the factors influencing the ability of organisations to implement the regulation effectively and putting forth the following research questions: ...
... However, complexities arise in the context of linked data and data aggregation, where personal data may be combined with other sources, making GDPR compliance difficult (Kutyłowski et al., 2020). This challenge becomes even more pronounced in the realm of complex IT systems (de Carvalho et al., 2020) and emerging technologies like blockchain and the Internet of Things, which involve sharing personal data across multiple parties (Kutyłowski et al., 2020; Politou et al., 2018). ...
... Additionally, implementing the right to be forgotten can pose technical challenges, particularly for organisations with vast data repositories stored in various systems (Mangini et al., 2020). This issue complicates the timely and effective management of data breaches and incidents (De Carvalho et al., 2020; Zaman and Hassani, 2019) suggest that developing stable online conformance checking and model repair techniques may offer a potential solution to this problem, ensuring compliance with the regulation. ...
Article
Full-text available
Purpose The general data protection regulation (GDPR) was designed to address privacy challenges posed by globalisation and rapid technological advancements; however, its implementation has also introduced new hurdles for companies. This study aims to analyse and synthesise the existing literature that focuses on challenges of GDPR implementation in business enterprises, while also outlining the directions for future research. Design/methodology/approach The methodology of this review follows the preferred reporting items for systematic reviews and meta-analysis guidelines. It uses an extensive search strategy across Scopus and Web of Science databases, rigorously applying inclusion and exclusion criteria, yielding a detailed analysis of 16 selected studies that concentrate on GDPR implementation challenges in business organisations. Findings The findings indicate a predominant use of conceptual study methodologies in prior research, often limited to specific countries and technology-driven sectors. There is also an inclination towards exploring GDPR challenges within small and medium enterprises, while larger enterprises remain comparatively unexplored. Additionally, further investigation is needed to understand the implications of emerging technologies on GDPR compliance. Research limitations/implications This study’s limitations include reliance of the search strategy on two databases, potential exclusion of relevant research, limited existing literature on GDPR implementation challenges in business context and possible influence of diverse methodologies and contexts of previous studies on generalisability of the findings. Originality/value The originality of this review lies in its exclusive focus on analysing GDPR implementation challenges within the business context, coupled with a fresh categorisation of these challenges into technical, legal, organisational, and regulatory dimensions.
... Maintaining the data and privacy protection required by current legislation when using cloud services is a new challenge, and it will likely receive much attention in the near future [10]. Several studies have already investigated the use of cloud services and the impact of the GDPR [7,9,18,20,30]. Despite these efforts, privacy issues surrounding cloud services and GDPR compliance remain a subject that needs further research [20,30]. In essence, previous studies on cloud services and GDPR have predominantly centered on the EU and its relationship with the United States (US). ...
... However, our findings also confirm existing knowledge by de Carvalho et al. [7] that users sometimes understand the risk due to increased awareness from the market. Our findings address how banks in Sweden have done this to minimize fraud related to the use of BankID. ...
... Recital 6 of the GDPR [11] informs that digitalization enables a free flow of personal information both within the EU and outside. The GDPR is intended to establish a framework that guides the use of personal information and simultaneously strengthens data protection rights [7]. Our findings confirm the preexisting knowledge of de Carvalho et al. [7] that to ensure GDPR compliance, all organizations must register and keep evidence of data processing activities. ...
Article
Full-text available
The adoption of cloud services offers manifold advantages to public organizations; however, ensuring data privacy during data transfers has become increasingly complex since the inception of the General Data Protection Regulation (GDPR). This study investigates privacy concerns experienced by public organizations in Sweden, focusing on GDPR compliance. A qualitative interpretative approach was adopted, involving semi-structured interviews with seven employees from five public organizations in Sweden. Additionally, secondary data were gathered through an extensive literature review. The collected data were analyzed and classified using the seven privacy threat categories outlined in the LINDDUN framework. The key findings reveal several significant privacy issues when utilizing public cloud services, including unauthorized access, loss of confidentiality, lack of awareness, lack of trust, legal uncertainties, regulatory challenges, and loss of control. The study underscores the importance of implementing measures such as anonymization, pseudonymization, encryption, contractual agreements, and well-defined routines to ensure GDPR compliance. The findings emphasize the importance of implementing measures such as anonymization, pseudonymization, encryption, contractual agreements, and well-defined routines to ensure GDPR compliance. Furthermore, this research highlights the critical aspect of digital sovereignty in addressing privacy challenges associated with public cloud service adoption by public organizations in Sweden.
... European legislation, GDPR, establishes rules regarding the protection of natural persons concerning the processing of personal data and rules regarding the free movement of personal data [6], protects the fundamental rights and freedoms of natural persons and, in particular, the citizen's right to the protection of personal data. The GDPR standardizes and modernizes data protection laws relating to the Internet, social media and digital marketplaces [9]. ...
... Difficulty in the data anonymization process [6], [7], [9], [12] 4 D6 ...
... Of the 37 articles analyzed, 9 methods, technologies and practices used to comply with the GDPR were identified, as shown in Table 7. Cryptography [2], [6], [9], [12], [18], [19], [36] 7 ...
... Collaboration between governments, industry, and international organizations is shaping the landscape of the future by promoting consistent and effective breach management practices. In our dynamic digital world, breach notification practices are a constant reminder that data protection is an ongoing effort, not a one-off endeavor (de Carvalho et al., 2020). By taking proactive measures, organizations can not only meet legal requirements but also their ethical responsibility to protect individuals' privacy. ...
... In this approach, when a request is received and transferred by the request dispatcher, it is further sequentially received by multiple sub-PDPs, at each sub-PDP request is matched with the authorization policy. In paper [32], the authors have proposed a 4PDP4E toolset to protect users data travelling online. This toolset was proposed for data protection directives given by the European Union. ...
Article
Full-text available
Cloud computing allows accessing data from anywhere; Cloud databases play an important role in storing requests for access management. These requests require authorization management which has become a crucial area in access control. The request-response paradigm plays an important role in the PEP–PDP architecture. Many applications are available in literature based on the centralized PEP–PDP architecture. In this architecture, performance degrades with the increase in requests. Failure of PDP increases while handling requests from multiple PEPs. The proposed work extends the existing centralized PEP–PDP architecture to distributed architecture with PEP side caching to achieve scalability. In the proposed architecture, all PEPs employ side caching to improve efficiency. Various simulations and validation checks are performed to validate the architecture. Simulation results show proposed architecture is significantly efficient in handling large requests in contrast to existing single PEP-PDP and multiple PEP-single PEP architectures.
... Beyond cryptography and legacy security technologies, various research areas have spawned, including pseudonymisation [4], anonymisation [5], privacy-aware access control [6], differential privacy [7], privacy assessment [8], location privacy [9], privacy-preserving data analysis [10], and users rights' enforcement [11], among others, whereas in the Business Process Management (BPM) domain, most privacy-related research has focused on the annotation of processes and workflows with authorisation constraints and/or other data protection concerns (e.g., [12], [13]). The protection of privacy - and compliance thereof - is also the focus of several European projects, among which BPR4GDPR, together comprising the "GDPR Cluster", and proposing complementary solutions [14]. ...
Article
Full-text available
With the aim to facilitate compliance with the GDPR, particularly for SMEs, this paper summarises the results of the H2020 BPR4GDPR project. With a focus on business processes, the project has proposed a holistic approach able to support compliant processes, while fulfilling requirements covering diverse application domains. The main pillars of the solution are: i) a policy-based access and usage control system, for setting the operational rules; ii) a framework for automatically re-engineering processes, so that they become compliant by design; iii) a run-time environment for the enforcement of privacy constraints and data subjects’ rights; iv) a process mining framework, devised for ex post compliance analysis and conformance checking leveraging the process execution traces.
... Particularly focusing on the work related to GDPR, the European Commission has funded the GDPR cluster projects to help tackle the GDPR implementation challenges faced by organisations [49]. Those projects have developed both organisational and technical techniques to facilitate the implementation. ...
... They also provide solutions to the identified challenges. de Carvalho et al. [49] have summarised the solutions proposed by these projects. ...
... The Business Process Re-engineering and functional toolkit for GDPR compliance project (BPR4GDPR) provides an approach and a toolkit to support end-to-end GDPR-compliant business processes, particularly for small and medium-sized enterprises (SMEs) [50]. The deliverables include the policy-based access and usage control framework, specification of workflow models and tools for cryptography, access management and enforcement of data subjects' rights [49]. ...
Preprint
Full-text available
Digital and physical footprints are a trail of user activities collected over the use of software applications and systems. As software becomes ubiquitous, protecting user privacy has become challenging. With the increasing of user privacy awareness and advent of privacy regulations and policies, there is an emerging need to implement software systems that enhance the protection of personal data processing. However, existing privacy regulations and policies only provide high-level principles which are difficult for software engineers to design and implement privacy-aware systems. In this paper, we develop a taxonomy that provides a comprehensive set of privacy requirements based on four well-established personal data protection regulations and privacy frameworks, the General Data Protection Regulation (GDPR), ISO/IEC 29100, Thailand Personal Data Protection (PDPA) and Asia-Pacific Economic Cooperation (APEC) privacy framework. These requirements are extracted, classified and refined into a level that can be used to map with issue reports. We have also performed a study on how two large open-source software projects (Google Chrome and Moodle) address the privacy requirements in our taxonomy through mining their issue reports. The paper discusses how the collected issues were classified, and presents the findings and insights generated from our study.
... As analysis of that integrity and reliability of evidence data cannot be guaranteed through an existing centralized system method; certain studies focused on blockchain (BC) as a personal data storage, management, and GDPR [17][18][19][20][21][22]. However, to date, no realistic and reliable method to protect the data subject's right to request for the processing of personal data has been proposed [6,23,24]. Most of the previous systems and methods have proposed schemes to share personal data or to manage records of the processing of personal data from the perspective of service providers; this cannot guarantee the integrity and reliability of the data subject's request records necessary for the GDPR compliance audit. ...
... The method that involves the management of data only from the perspective of the service provider cannot secure an objective view on credibility, while the method of storing all records of accessing or processing the data in a BC conflicts with GDPR regulations such as the right to be forgotten. Consequently, if further personal data are stored, the privacy problem associated with BC reproduces itself further [22][23][24][25][26]. ...
... Features of BC such as integrity, transparency, reliability, and traceability are effective when they are applied to tasks that require compliance management. To manage personal data or GDPR compliance, many researchers have performed research based on BC [8, 15-25, 28-42]. ...
Article
Full-text available
With the growing awareness regarding the importance of personal data protection, many countries have established laws and regulations to ensure data privacy and are supervising managements to comply with them. Although various studies have suggested compliance methods of the general data protection regulation (GDPR) for personal data, no method exists that can ensure the reliability and integrity of the personal data processing request records of a data subject to enable its utilization as a GDPR compliance audit proof for an auditor. In this paper, we propose a delegation-based personal data processing request notarization framework for GDPR using a private blockchain. The proposed notarization framework allows the data subject to delegate requests to process personal data; the framework makes the requests to the data controller, which performs the processing. The generated data processing request and processing result data are stored in the blockchain ledger and notarized via a trusted institution of the blockchain network. The Hyperledger Fabric implementation of the framework demonstrates the fulfillment of system requirements and feasibility of implementing a GDPR compliance audit for the processing of personal data. The analysis results with comparisons among the related works indicate that the proposed framework provides better reliability and feasibility for the GDPR audit of personal data processing request than extant methods.
... Several works identified the challenges of its applicability in which argued that smart city (and smart home) occupants can be jointly responsible for legal compliance with the GDPR, and that in these complex systems it is hard to determine responsibility among smart home users, account holders, IoT device vendors (Urquhart and Chen 2020). Another work (Carvalho et al. 2020) analysed several EU projects that address GDPR provisions for citizens of smart cities. They identified that there are already ongoing researches for allowing citizens to track their personal data and manage their permissions, and for enabling analytics operations on encrypted data without exposure. ...
Chapter
Full-text available
The recently emerged advances in ICT, such as cloud computing, the Internet of Things, and artificial intelligence, enabled the rapid creation of smart environments. Smart devices have appeared in our everyday life gaining access to personal data by monitoring our behavior and needs. To react to this new situation, the European Union introduced the General Data Protection Regulation in 2018 that must be applied as the general legal framework for personal data protection in smart environments as well. This chapter contributes to the ongoing discussions in the EU related to data protection in this new era, and it aims to analyze how smart appliances, specifically social robots, use AI technologies in smart homes. The authors introduce a case study of utilizing smart social robots in smart homes and analyze its privacy and data protection implications. To this end, the work presents a hypothetical case study, in which liability questions are in the focus. The analysis discusses the possible liability of the smart citizens using social robots at their households and compares the found implication with related expert opinions. This chapter reflects work conducted through the project supported by the Hungarian Scientific Research Fund under the grant number OTKA FK 131793.