scholarly journals Description of Data Breaches Notifications in France and Lessons Learned for the Healthcare Stakeholders

2020 ◽  
Author(s):  
Marie Simon ◽  
Vincent Looten
Keyword(s):  
Data Privacy ◽  
Health Sector ◽  
Personal Data ◽  
Lessons Learned ◽  
Data Breach ◽  
Unauthorized Access ◽  
General Data Protection Regulation ◽  
General Data ◽  
Unauthorized Disclosure ◽  
Privacy Issues

Although the consequences of the General Data Protection Regulation (GDPR) have been widely discussed, the violations have not been described in medical literature. In this study, we focus our analyses on the data breach notifications, in France, defined in the article 4 of GDPR as “a breach of security resulting, accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data.” Among 3,824 data breach notifications reported between May 2018 and February 2020, 244 (6.4%) is related to the health sector. Loss of confidentiality is the most important breach (80.7%) in this sector, followed by the loss of availability (27.5%). Malicious cause occurred in 58.2% of them. We hypothesized a phenomenon of underreported data breach incidents in health due to a mismatch between cybersecurity and data privacy issues.

scholarly journals Delegation-Based Personal Data Processing Request Notarization Framework for GDPR Based on Private Blockchain

2021 ◽  
Vol 11 (22) ◽  
pp. 10574
Author(s):  
Sung-Soo Jung ◽  
Sang-Joon Lee ◽  
Ieck-Chae Euom
Keyword(s):  
Data Processing ◽  
Data Protection ◽  
Data Privacy ◽  
Personal Data ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
Compliance Audit ◽  
General Data ◽  
Data Controller ◽  
Data Subject

With the growing awareness regarding the importance of personal data protection, many countries have established laws and regulations to ensure data privacy and are supervising managements to comply with them. Although various studies have suggested compliance methods of the general data protection regulation (GDPR) for personal data, no method exists that can ensure the reliability and integrity of the personal data processing request records of a data subject to enable its utilization as a GDPR compliance audit proof for an auditor. In this paper, we propose a delegation-based personal data processing request notarization framework for GDPR using a private blockchain. The proposed notarization framework allows the data subject to delegate requests to process of personal data; the framework makes the requests to the data controller, which performs the processing. The generated data processing request and processing result data are stored in the blockchain ledger and notarized via a trusted institution of the blockchain network. The Hypderledger Fabric implementation of the framework demonstrates the fulfillment of system requirements and feasibility of implementing a GDPR compliance audit for the processing of personal data. The analysis results with comparisons among the related works indicate that the proposed framework provides better reliability and feasibility for the GDPR audit of personal data processing request than extant methods.

Bulgarian public sector data breach reveals EU trend

2019 ◽  
Keyword(s):  
Public Sector ◽  
Data Privacy ◽  
Public Attention ◽  
Data Breach ◽  
Privacy And Security ◽  
Content Type ◽  
General Data Protection Regulation ◽  
High Profile ◽  
General Data ◽  
Sector Data

Subject Public sector and GDPR. Significance Public attention before and since the EU’s General Data Protection Regulation (GDPR) came into effect in May 2018 has largely focused on high-profile corporate data breaches and fines, such as recently at British Airways and the hotel chain Marriott. However, the data breach at the Bulgarian National Revenue Agency last month put public sector agencies, and their obligations under GDPR, under the spotlight. Impacts The upsurge in data breach notifications will stabilise as GDPR implementation progresses. Local public sector agencies are beginning to take data privacy and security seriously. Outsourcing of public services to private contractors is complicating cybersecurity.

Anonymization, tokenization, encryption. How to recover unrecoverable data

2018 ◽  
Vol 0 (6/2017) ◽  
pp. 9-13
Author(s):  
Olga Dzięgielewska
Keyword(s):  
Risk Analysis ◽  
Data Protection ◽  
Data Privacy ◽  
Personal Data ◽  
Insider Threat ◽  
General Data Protection Regulation ◽  
Analysis Phase ◽  
Data Layer ◽  
General Data ◽  
Financial Consequences

The data privacy is currently vastly commented topic among all the organizations which process personal data due to the introduction of the European Union’s General Data Protection Regulation. Existing methods of data protection are believed to be sufficient as they meet the risk-based approach requirements in every mature organization, yet the number of publicly known data breaches confirms that this assumption is false. The aftermath of such incidents in countless cases prove that the risk-based approach failed as the reputational and financial consequences by far exceed the original estimations. This paper stressed the importance of the data layer protection from the planning, through design, until maintenance stages in the database lifecycle, as numerous attack vectors originating from the insider threat and targeting the data layer still sneak through unnoticed during the risk analysis phase.

scholarly journals DIGITAL MARKETING REGULATIONS

2019 ◽  
Vol 13 (1) ◽  
pp. 25-30
Author(s):  
RAMONA-MIHAELA URZICEANU ◽  
VALENTINA-SIMONA PAŞCALĂU
Keyword(s):  
Data Protection ◽  
Personal Data ◽  
Digital Marketing ◽  
Incident Response ◽  
European Law ◽  
Data Breach ◽  
General Data Protection Regulation ◽  
General Data ◽  
Definition Of

The General Data Protection Regulation (GDPR) is a European law which grants rights regarding an individual’s personal data. Having been adopted in April 2016, its enforcement became effective as of 25th May 2018.This article aims to highlight who should do this, what exactly they should do and how to do it. Learn about the scope of GDPR in digital marketing, the definition of a personal data breach, the rights of data subjects, incident response under GDPR and more.

Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems (C.J.E.U.)

2021 ◽  
Vol 60 (1) ◽  
pp. 53-98
Author(s):  
Michael S. Aktipis ◽  
Ron B. Katwan
Keyword(s):  
Data Protection ◽  
Data Privacy ◽  
Personal Data ◽  
The United States ◽  
Transfer Mechanism ◽  
The European Union ◽  
Privacy Concerns ◽  
General Data Protection Regulation ◽  
General Data ◽  
The Eu

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its ruling in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, commonly known as Schrems II, invalidating the EU–U.S. Privacy Shield as a valid transfer mechanism under the EU's General Data Protection Regulation (GDPR) and creating significant legal uncertainty for the continued availability of another widely used transfer mechanism, Standard Contractual Clauses (SCCs), for transfers of EU personal data from commercial entities in the EU to the United States. The widely anticipated ruling marked the second time in five years that the CJEU had invalidated the legal foundation for such data transfers, which in both cases had been the result of a carefully negotiated compromise balancing European data privacy concerns with statutory and constitutional limitations of the U.S. system (see Schrems I).

scholarly journals Designing a Distributed Ledger Technology System for Interoperable and General Data Protection Regulation–Compliant Health Data Exchange: A Use Case in Blood Glucose Data (Preprint)

2019 ◽  
Author(s):  
David Hawig ◽  
Chao Zhou ◽  
Sebastian Fuhrhop ◽  
Andre S Fialho ◽  
Navin Ramachandran
Keyword(s):  
Blood Glucose ◽  
Data Privacy ◽  
Data Exchange ◽  
Personal Data ◽  
Use Case ◽  
Concept System ◽  
General Data Protection Regulation ◽  
The Public ◽  
Distributed Ledger ◽  
General Data

BACKGROUND Distributed ledger technology (DLT) holds great potential to improve health information exchange. However, the immutable and transparent character of this technology may conflict with data privacy regulations and data processing best practices. OBJECTIVE The aim of this paper is to develop a proof-of-concept system for immutable, interoperable, and General Data Protection Regulation (GDPR)–compliant exchange of blood glucose data. METHODS Given that there is no ideal design for a DLT-based patient-provider data exchange solution, we proposed two different variations for our proof-of-concept system. One design was based purely on the public IOTA distributed ledger (a directed acyclic graph-based DLT) and the second used the same public IOTA ledger in combination with a private InterPlanetary File System (IPFS) cluster. Both designs were assessed according to (1) data reversal risk, (2) data linkability risks, (3) processing time, (4) file size compatibility, and (5) overall system complexity. RESULTS The public IOTA design slightly increased the risk of personal data linkability, had an overall low processing time (requiring mean 6.1, SD 1.9 seconds to upload one blood glucose data sample into the DLT), and was relatively simple to implement. The combination of the public IOTA with a private IPFS cluster minimized both reversal and linkability risks, allowed for the exchange of large files (3 months of blood glucose data were uploaded into the DLT in mean 38.1, SD 13.4 seconds), but involved a relatively higher setup complexity. CONCLUSIONS For the specific use case of blood glucose explored in this study, both designs presented a suitable performance in enabling the interoperable exchange of data between patients and providers. Additionally, both systems were designed considering the latest guidelines on personal data processing, thereby maximizing the alignment with recent GDPR requirements. For future works, these results suggest that the conflict between DLT and data privacy regulations can be addressed if careful considerations are made regarding the use case and the design of the data exchange system.

scholarly journals Can Visual Design Provide Legal Transparency? The Challenges for Successful Implementation of Icons for Data Protection

Design Issues ◽  
2020 ◽  
Vol 36 (3) ◽  
pp. 82-96
Author(s):  
Arianna Rossi ◽  
Monica Palmirani
Keyword(s):  
Data Protection ◽  
Participatory Design ◽  
Data Privacy ◽  
Personal Data ◽  
Successful Implementation ◽  
The European Union ◽  
General Data Protection Regulation ◽  
General Data ◽  
Legal Ontologies ◽  
Machine Readable

Design is a key player in the future of data privacy and data protection. The General Data Protection Regulation (GDPR) established by the European Union aims to rebalance the information asymmetry between the organizations that process personal data and the individuals to which that data refers. Machine-readable, standardized icons that present a “meaningful overview of the intended processing” are suggested by the law as a tool to enhance the transparency of information addressed to data subjects. However, no specific guidelines have been provided, and studies on privacy iconography are very few. This article describes research conducted on the creation and evaluation of icons representing data protection concepts. First, we introduce the methodology used to design the Data Protection Icon Set (DaPIS): participatory design methods combined with legal ontologies and machine-readable representations. Second, we discuss some of the challenges that have been faced in the development and evaluation of DaPIS and similar icon sets. Third, we provide some tentative responses and indicate a way forward for evaluation of the effectiveness of privacy icons and their widespread adoption.

Web Data and the Relationship Between the General Data Protection Regulation in Europe and Brazil

2021 ◽  
pp. 222-233
Author(s):  
Moisés Rockembach ◽  
Armando Malheiro da Silva
Keyword(s):  
Business Model ◽  
Data Protection ◽  
Data Privacy ◽  
Ethical Issues ◽  
Personal Data ◽  
Web Data ◽  
General Data Protection Regulation ◽  
Regulatory Instruments ◽  
General Data ◽  
The Relationship

From the consolidation of the application of European data protection regulations and the recent adoption of Brazilian data protection regulations, we are faced with a scenario that crosses borders. In a world marked by companies whose business model is the analysis and commercialization of personal data and of governments that use their citizens' data for control and surveillance, it is imperative to discuss the necessary characteristics to foster a society that respects ethical and legal values regarding data privacy and consented uses there; the authors address concepts and cases that they consider important for the establishment of reflections on the use of web data. They also take into account ethical issues and regulatory instruments in Europe and Brazil, analyzing the strongness and weaknesses in the implementation of data protection and privacy.

scholarly journals Can the GDPR and Freedom of Expression Coexist?

AJIL Unbound ◽  
2020 ◽  
Vol 114 ◽  
pp. 31-34
Author(s):  
Nani Jansen Reventlow
Keyword(s):  
Data Protection ◽  
Data Privacy ◽  
Freedom Of Expression ◽  
Personal Information ◽  
Personal Data ◽  
Raw Material ◽  
Individual Data ◽  
General Data Protection Regulation ◽  
General Data ◽  
The Right

The General Data Protection Regulation (GDPR) imposes important transparency and accountability requirements on different actors who process personal data. This is great news for the protection of individual data privacy. However, given that “personal information and human stories are the raw material of journalism,” what does the GDPR mean for freedom of expression and especially for journalistic activity? This essay argues that, although EU states seem to have taken their data protection obligations under the GDPR seriously, efforts to balance this against the right to freedom of expression have been more uneven. The essay concludes that it is of key importance to ensure that the GDPR's safeguards for data privacy do not compromise a free press.

A Layered Approach to Jurisdiction

2017 ◽  
Author(s):  
Dan Jerker B. Svantesson
Keyword(s):  
Data Protection ◽  
Data Privacy ◽  
General Data Protection Regulation ◽  
Legal Rules ◽  
Privacy Laws ◽  
Scope Of Application ◽  
General Data ◽  
Layered Approach ◽  
Substantive Law

This chapter observes how it may be inappropriate to apply a single jurisdictional threshold to diverse instruments such as data privacy laws. In the light of this observation, a proposal is outlined for a ‘layered approach’ under which the substantive law rules of such instruments are broken up into different layers, with different jurisdictional thresholds applied to each such layer. This layered approach is discussed primarily as a technique to be utilized in legal drafting, but it may also be applied in the interpretation and application of legal rules. Article 3 of the European Union’s General Data Protection Regulation, which determines that regulation’s scope of application in a territorial sense, provides a particularly useful lens through which to approach this topic and, thus, the discussion is largely centred around that Article.

Sign in / Sign up

Export Citation Format

Share Document