Travis Greene,Galit Shmueli,Soumya Ray,Jan Fell

DOI: https://doi.org/10.1089/big.2018.0176

IF: 4.426

Big Data

Abstract:Rapid growth in the availability of behavioral big data (BBD) has outpaced the speed of updates to ethical research codes and regulation of data privacy and human subjects' data collection, storage, and use. The introduction of the European Union's (EU's) General Data Protection Regulation (GDPR) in May 2018 will have far-reaching effects on data scientists and researchers who use BBD, not only in the EU, but around the world. Consequently, many companies are struggling to comply with the Regulation. At the same time, academics interested in research collaborations with companies are finding it more difficult to obtain data. In light of the importance of BBD in both industry and academia, data scientists and behavioral researchers would benefit from a deeper understanding of the GDPR's key concepts, definitions, and principles, especially as they apply to the data science workflow. We identify key GDPR concepts and principles and describe how they can impact the work of data scientists and researchers in this new data privacy regulation era.

Gauthier Chassang

DOI: https://doi.org/10.3332/ecancer.2017.709

2017-01-03

ecancermedicalscience

Abstract:The use of personal data is critical to ensure quality and reliability in scientific research. The new Regulation [European Union (EU)] 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [general data protection regulation (GDPR)], repealing Directive 95/46/EC, strengthens and harmonises the rules for protecting individuals' privacy rights and freedoms within and, under certain conditions, outside the EU territory. This new and historic legal milestone both prolongs and updates the EU acquis of the previous Data Protection Directive 95/46/EC. The GDPR fixes both general rules applying to any kind of personal data processing and specific rules applying to the processing of special categories of personal data such as health data taking place in the context of scientific research, this including clinical and translational research areas. This article aims to provide an overview of the new rules to consider where scientific projects include the processing of personal health data, genetic data or biometric data and other kinds of sensitive information whose use is strictly regulated by the GDPR in order to give the main key facts to researchers to adapt their practices and ensure compliance to the EU law to be enforced in May 2018.

Andreas Kotsios,Matteo Magnani,Luca Rossi,Irina Shklovski,Davide Vega

DOI: https://doi.org/10.48550/arXiv.1903.03196

2019-10-06

Abstract:This article examines the principles outlined in the General Data Protection Regulation (GDPR) in the context of social network data. We provide both a practical guide to GDPR-compliant social network data processing, covering aspects such as data collection, consent, anonymization and data analysis, and a broader discussion of the problems emerging when the general principles on which the regulation is based are instantiated to this research area.

Social and Information Networks

Victoria Chico

DOI: https://doi.org/10.1093/bmb/ldy038

2018-11-17

British Medical Bulletin

Abstract:Background: On the May 25, 2018 the General Data Protection Regulation (hereafter the GDPR or the Regulation) came into force, replacing the Data Protection Directive 95/46/EC (upon which the Data Protection Act 1998 is based), and imposing new responsibilities on organizations which process the data of European Union citizens.Sources of data: This piece examines the impact of the Regulation on health research.Areas of agreement: The Regulation seeks to harmonize data privacy laws across Europe, to protect and empower all EU citizen's data privacy and to reshape the way that organizations approach data privacy (See the GDPR portal at: https://www.eugdpr.org/ (accessed 8 May 2018). As a Regulation the GDPR is directly applicable in all member states as opposed to a directive which requires national implementing measures (In the UK the Data Protection Act 1998 was the implementing legislation for the Data Protection Directive 95/46/EC.).Areas of controversy: The Regulation is sector wide, but its impact on organizations us sector specific. In some sectors, the Regulation inhibits the processing of personal data, whilst in others it enables that processing. The Regulation takes the position that the 'processing of data should be designed to serve mankind' (Recital 4). Whilst it does not spell out what exactly is meant by this, it indicates that a proportionate approach will be taken to the protection of personal data, where that data can be processed for common goods such as healthcare. Thus, the protection of personal data is not absolute, but considered in relation to its function in society and balance with other fundamental rights in accordance with the principle of proportionality (Recital 4). Differing interpretations of proportionality can detract from the harmonization objective of the Regulation.Growing points: Reflecting the commitment to proportionality, scientific research holds a privileged position in the Regulation. Throughout the Regulation provision is made for organizations that process personal data for scientific research purposes to avoid restrictive measures which might impede the increase of knowledge. However, the application of the Regulation differs across health research sectors and across jurisdictions. Transparency and engagement across the health research sector is required to promote alignment.Areas timely for developing research: Research which focuses on the particular problems which arise in the context of the regulation's application to health research would be welcome. Particularly in the context of the operation of the Regulation alongside the duty of confidentiality and the variation in approaches across Member States.

medicine, general & internal

Ze Shi Li,Colin Werner,Neil Ernst,Daniela Damian

DOI: https://doi.org/10.48550/arXiv.2002.06830

2020-02-17

Abstract:The enactment of the General Data Protection Regulation (GDPR) in 2018 forced any organization that collects and/or processes EU-based personal data to comply with stringent privacy regulations. Software organizations have struggled to achieve GDPR compliance both before and after the GDPR deadline. While some studies have relied on surveys or interviews to find general implications of the GDPR, there is a lack of in-depth studies that investigate compliance practices and compliance challenges of software organizations. In particular, there is no information on small and medium enterprises (SMEs), which represent the majority of organizations in the EU, nor on organizations that practice continuous integration. Using design science methodology, we conducted an in-depth study over the span of 20 months regarding GDPR compliance practices and challenges in collaboration with a small, startup organization. We first identified our collaborator's business problems and then iteratively developed two artifacts to address those problems: a set of operationalized GDPR principles, and an automated GDPR tool that tests those GDPR-derived privacy requirements. This design science approach resulted in four implications for research and for practice. For example, our research reveals that GDPR regulations can be partially operationalized and tested through automated means, which improves compliance practices, but more research is needed to create more efficient and effective means to disseminate and manage GDPR knowledge among software developers.

Software Engineering

Aashaka Shah,Vinay Banakar,Supreeth Shastri,Melissa Wasserman,Vijay Chidambaram

DOI: https://doi.org/10.48550/arXiv.1903.04880

2019-05-16

Abstract:The recently introduced General Data Protection Regulation (GDPR) is forcing several companies to make significant changes to their systems to achieve compliance. Motivated by the finding that more than 30% of GDPR articles are related to storage, we investigate the impact of GDPR compliance on storage systems. We illustrate the challenges of retrofitting existing systems into compliance by modifying Redis to be GDPR-compliant. We show that despite needing to introduce a small set of new features, a strict real-time compliance (eg logging every user request synchronously) lowers Redis' throughput by 20x. Our work reveals how GDPR allows compliance to be a spectrum, and what its implications are for system designers. We discuss the technical challenges that need to be solved before strict compliance can be efficiently achieved.

Distributed, Parallel, and Cluster Computing,Databases

John Mark Michael Rumbold,Barbara Pierscionek

DOI: https://doi.org/10.2196/jmir.7108

IF: 7.076

2017-02-24

Journal of Medical Internet Research

Abstract:BACKGROUND: The enactment of the General Data Protection Regulation (GDPR) will impact on European data science. Particular concerns relating to consent requirements that would severely restrict medical data research have been raised.OBJECTIVE: Our objective is to explain the changes in data protection laws that apply to medical research and to discuss their potential impact.METHODS: Analysis of ethicolegal requirements imposed by the GDPR.RESULTS: The GDPR makes the classification of pseudonymised data as personal data clearer, although it has not been entirely resolved. Biomedical research on personal data where consent has not been obtained must be of substantial public interest.CONCLUSIONS: The GDPR introduces protections for data subjects that aim for consistency across the EU. The proposed changes will make little impact on biomedical data research.

health care sciences & services,medical informatics

Klaus M. Miller,Julia Schmitt,Bernd Skiera

2024-11-18

Abstract:Privacy regulations often necessitate a balance between safeguarding consumer privacy and preventing economic losses for firms that utilize consumer data. However, little empirical evidence exists on how such laws affect firm performance. This study aims to fill that gap by quantifying the impact of the European Union's General Data Protection Regulation (GDPR) on online usage behavior over time. We analyzed data from 6,286 websites across 24 industries, covering 10 months before and 18 months after the GDPR's enactment in 2018. Employing a generalized synthetic control estimator, we isolated the short- and long-term effects of the GDPR on user behavior. Our results show that the GDPR negatively affected online usage per website on average; specifically, weekly visits decreased by 4.88% in the first 3 months and 10.02% after 18 months post-enactment. At the 18-month mark, these declines translated into average revenue losses of about USD 7 million for e-commerce websites and nearly USD 2.5 million for ad-based websites. Nonetheless, the GDPR's impact varied across website size, industry, and user origin, with some large websites and industries benefiting from the regulation. Notably, the largest 10% of websites pre-GDPR suffered less, suggesting that the GDPR has increased market concentration.

General Economics

Moutaz Haddara,A Salazar,Marius Langseth

DOI: https://doi.org/10.1016/j.procs.2023.01.350

2023-01-01

Procedia Computer Science

Abstract:This research explores the impact of data privacy and protection laws on e-commerce companies in the Netherlands. Specifically, this study focuses on the General Data Protection Regulation (GDPR). The purpose of this regulation is to refine privacy laws and emphasize the importance of consumer protection and consent. GDPR might challenge enterprises, especially data-driven organizations. Notably, the e-commerce industry is known for relying heavily on big data analytics, business intelligence, and other data-related technologies. Multiple semi-structured interviews with e-commerce professionals and consumers were conducted to gain a deeper understanding of the impact of GDPR based on the strategies employed by e-commerce companies and the online user experience of customers in the Netherlands. The main findings show that while GDPR compliance incurred additional costs for companies, it also improved data security and increased customer trust. Furthermore, the results also suggest that GDPR affects the e-commerce analytics operations in organizations after its adoption. Thus, many organizations have altered their practices to achieve compliance with the laws. The findings of this research contribute to the ongoing exploration of the effects of GDPR on online retail businesses that utilize (big) data analytics.

Rolly R. Tang, Jae Kyu Lee, Shan Liu

DOI: https://doi.org/10.52783/jes.1612

2024-04-04

Abstract:Will General Data Protection Regulation (GDPR) be adopted globally in business? The GDPR was approved in the European Union (EU) in April 2016 and officially put into effect in May 2018, thus the research in this field has an obvious upward trend. The development of GDPR is aimed at adapting to new trends, conducting scientific econometric analysis in the fields of privacy and GDPR, and analyzing and visualizing emerging trends. First, summarizing the privacy and GDPR studies publicly published between 1995 and 2023 through statistical analysis of terminology categories and high-yield journals. Then, understand the overall research status of privacy rights and GDPR from the perspectives of author, journal, literature co citation analysis, and collaborative networks. Finally, based on keyword analysis and literature co citation cluster analysis, a knowledge graph was constructed that includes knowledge domains, evolutionary trends, and future research directions. As a globally influential regulation, GDPR emphasizes the protection and lawful processing of personal data, which is of great significance for protecting personal data privacy and enhancing data security.

Klaus M. Miller,Karlo Lukic,Bernd Skiera

2024-11-11

Abstract:This study explores the impact of the General Data Protection Regulation (GDPR), introduced on May 25th, 2018, on online trackers, vital elements in the online advertising ecosystem. Using a difference-in-differences approach with a balanced panel of 294 publishers, we compare publishers subject to the GDPR with those unaffected (the control group). Drawing on data from <a class="link-external link-http" href="http://WhoTracks.me" rel="external noopener nofollow">this http URL</a>, which spans 32 months from May 2017 to December 2019, we analyze how the number of trackers used by publishers changed before and after the GDPR. The findings reveal that although online tracking increased for both groups, the rise was less significant for EU-based publishers subject to the GDPR. Specifically, the GDPR reduced about four trackers per publisher, equating to a 14.79% decrease compared to the control group. The GDPR was particularly effective in curbing privacy invasive trackers that collect and share personal data, thereby strengthening user privacy. However, it had a limited impact on advertising trackers and only slightly reduced the presence of analytics trackers.

General Economics

Serge Abiteboul,Julia Stoyanovich

DOI: https://doi.org/10.48550/arXiv.1903.03683

2019-03-09

Abstract:The data revolution continues to transform every sector of science, industry and government. Due to the incredible impact of data-driven technology on society, we are becoming increasingly aware of the imperative to use data and algorithms responsibly -- in accordance with laws and ethical norms. In this article we discuss three recent regulatory frameworks: the European Union's General Data Protection Regulation (GDPR), the New York City Automated Decisions Systems (ADS) Law, and the Net Neutrality principle, that aim to protect the rights of individuals who are impacted by data collection and analysis. These frameworks are prominent examples of a global trend: Governments are starting to recognize the need to regulate data-driven algorithmic technology. Our goal in this paper is to bring these regulatory frameworks to the attention of the data management community, and to underscore the technical challenges they raise and which we, as a community, are well-equipped to address. The main take-away of this article is that legal and ethical norms cannot be incorporated into data-driven systems as an afterthought. Rather, we must think in terms of responsibility by design, viewing it as a systems requirement.

Databases,Computers and Society

John KC Kingston

DOI: https://doi.org/10.48550/arXiv.1809.05762

IF: 14.4

2018-09-15

Artificial Intelligence

Abstract:The General Data Protection Regulation (GDPR) is a European Union regulation that will replace the existing Data Protection Directive on 25 May 2018. The most significant change is a huge increase in the maximum fine that can be levied for breaches of the regulation. Yet fewer than half of UK companies are fully aware of GDPR - and a number of those who were preparing for it stopped doing so when the Brexit vote was announced. A last-minute rush to become compliant is therefore expected, and numerous companies are starting to offer advice, checklists and consultancy on how to comply with GDPR. In such an environment, artificial intelligence technologies ought to be able to assist by providing best advice; asking all and only the relevant questions; monitoring activities; and carrying out assessments. The paper considers four areas of GDPR compliance where rule based technologies and/or machine learning techniques may be relevant: * Following compliance checklists and codes of conduct; * Supporting risk assessments; * Complying with the new regulations regarding technologies that perform automatic profiling; * Complying with the new regulations concerning recognising and reporting breaches of security. It concludes that AI technology can support each of these four areas. The requirements that GDPR (or organisations that need to comply with GDPR) state for explanation and justification of reasoning imply that rule-based approaches are likely to be more helpful than machine learning approaches. However, there may be good business reasons to take a different approach in some circumstances.

Lucas Franke,Huayu Liang,Sahar Farzanehpour,Aaron Brantly,James C. Davis,Chris Brown

2024-06-21

Abstract:Background: Governments worldwide are considering data privacy regulations. These laws, e.g. the European Union's General Data Protection Regulation (GDPR), require software developers to meet privacy-related requirements when interacting with users' data. Prior research describes the impact of such laws on software development, but only for commercial software. Open-source software is commonly integrated into regulated software, and thus must be engineered or adapted for compliance. We do not know how such laws impact open-source software development. Aims: To understand how data privacy laws affect open-source software development. We studied the European Union's GDPR, the most prominent such law. We investigated how GDPR compliance activities influence OSS developer activity (RQ1), how OSS developers perceive fulfilling GDPR requirements (RQ2), the most challenging GDPR requirements to implement (RQ3), and how OSS developers assess GDPR compliance (RQ4). Method: We distributed an online survey to explore perceptions of GDPR implementations from open-source developers (N=56). We further conducted a repository mining study to analyze development metrics on pull requests (N=31462) submitted to open-source GitHub repositories. Results: GDPR policies complicate open-source development processes and introduce challenges for developers, primarily regarding the management of users' data, implementation costs and time, and assessments of compliance. Moreover, we observed negative perceptions of GDPR from open-source developers and significant increases in development activity, in particular metrics related to coding and reviewing activity, on GitHub pull requests related to GDPR compliance. Conclusions: Our findings motivate policy-related resources and automated tools to support data privacy regulation implementation and compliance efforts in open-source software.

Software Engineering

DOI: https://doi.org/10.34104/ajeit.024.0930103

2024-10-11

Canadian Journal of Business and Information Studies

Abstract:In the era of rapid technological advancements, machine learning (ML) and big data analytics have become pivotal in harnessing vast amounts of data for insights, efficiency, and innovation across various sectors. However, the widespread collection and analysis of data raise significant privacy concerns, highlighting the delicate balance between leveraging technology for societal benefits and safeguarding individual privacy. This article delves into the complexities of data collection and analysis practices, emphasizing the potential for privacy breaches through methods such as location tracking, browsing habits analysis, and the creation of detailed personal profiles. It discusses the implications of ML algorithms capable of de-anonymizing data, despite measures like data anonymization and encryption aimed at protecting privacy. The article also examines the existing legal frameworks, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), designed to enhance privacy protection, alongside the ethical considerations for developers and companies in using ML and big data. Furthermore, it explores future outlooks, including developments in technologies like federated learning and differential privacy, that promise enhanced privacy protection. The conclusion calls for a concerted effort among policymakers, technologists, and the public to engage in ongoing dialogue and develop solutions that ensure the ethical use of ML and big data while upholding privacy rights.

Katarzyna Kolasa,W Ken Redekop,Alexander Berler,Vladimir Zah,Carl V Asche

DOI: https://doi.org/10.1007/s40273-020-00927-1

PharmacoEconomics

Abstract:The development of evidence to demonstrate 'value for money' is regarded as an important step in facilitating the search for the optimal allocation of limited resources and has become an essential component in healthcare decision making. Real-world evidence collected from de-identified individuals throughout the continuum of healthcare represents the most valuable source in technology evaluation. However, in the European Union, the value assessment based on real-world data has become challenging as individuals have recently been given the right to have their personal data erased in the case of consent withdrawal or when the data are regarded as being no longer necessary. This act may limit the usefulness of data in the future as it may introduce information bias. Among healthcare stakeholders, this has become an important topic of discussion because it relates to the importance of data on one side and to the need for personal data protection on the other side, especially when it comes to "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status". At the forefront of these discussions are data protection issues as well as the population's trust in digital services. It seems that the new era has begun, where citizens and patients will have the ability to manage their personal or self-generated data. The European Commission has laid the groundwork for this paradigm shift that will steadily emerge in the coming years. To prepare for this change, we believe attention should be given to data security and other rules of data privacy. It has become increasingly important to ensure that individuals are properly introduced into complex environments with multiple sources of Big Data for clinical and behavioral purposes to provide an optimal balance between societal and individual benefits. In this article, a number of issues are considered and discussed, based upon the authors' experience, with the aim of helping the reader better understand the implications of the use of Big Data and the importance of data protection in the coming years.

Gaëlle Kermorgant,Michèle Guilbot

DOI: https://doi.org/10.1007/978-3-030-14156-1_22

2019-01-01

Abstract:The General Data Protection Regulation (GDPR) is in force since May 25 2018. This has an important impact on the design and development of new technologies based on exploitation of data, in particular private data. Not complying with the requirements can have high financial consequences up to 4% of the worldwide turnover of a company as a fine. At first glance, GDPR seems to be a constraint. However the, this regulation offers also the opportunity to develop new services based on big data processing and become competitive in a domain, which is considered being the petroleum of the 21st century. The paper describes the impact and opportunities of the GDPR on the Internet of things (IoT) and connected cars by highlighting two examples:the first aims at improving road safety by calculating a risk factor based on analysis of driver behaviour, data collection and artificial intelligencethe second aims at improving road infrastructure by detecting road deficiencies or risk zone through in car data collection.

Fadye Saud Al-Fayad

DOI: https://doi.org/10.5539/ijms.v12n1p39

2020-02-24

International Journal of Marketing Studies

Abstract:This research paper analyzes the developing effect that the European Union&rsquo;s (EU) recently developed General Data Protection Regulation (GDPR) will have on the marketing strategies of firms that rely on big data. Big data is identified as consisting of data and data analytics involving a huge volume of data, a diverse variety of data, and a high velocity of data capture and collection. This analysis begins with some discussion of the concept of big data and follows this up with overviews of both the GDPR and big data use in the marketplace. The EU replaced its older Data Protection Directive or DPD with the GDPR. The GDPR consists of a series of chapters and articles that require, among other things, consent to collect and store data, the anonymization of data, announcement in 72 hours of a data breach, provision of encryption and the identification of a Data Protection Officer. Marketing and the marketing function can implement emergent technologies that augment big data and its analysis while simultaneously achieving compliance with regulatory frameworks like the GDPR. These marketing related solutions are those such as blockchain marketing applications like Brave Browser and Blockstack among others. The report also examines the way in which enterprises use big data in their marketing strategies and how they are affected by it now that it has come into effect. Some of the more marketing-oriented uses and applications of big data are found in sophisticated loyalty programs, demand forecasting and customization either of experience or product/service. This study also offers some final recommendations related to GDPR compliant marketing strategies. These include the development of a comprehensive program to purchase consumer data directly from consumers and the introduction of blockchain as a means to facilitate a smoother transition to GDPR compliance.

He Li,Lu Yu,Wu He

DOI: https://doi.org/10.1080/1097198X.2019.1569186

2019-10-04

Journal of Global Information Technology Management

Abstract:ABSTRACT The European Union’s General Data Protection Regulation (GDPR) demands significant data protection safeguards and poses both new challenges and potential opportunities to organizations around the world. Most organizations are not yet adequately prepared for compliance with the GDPR. To minimize liability under the GDPR, organizations around the world need to make changes to be in compliance with the GDPR. This editorial preface discusses GDPR’s impact on global technology development including both challenges and opportunities. Furthermore, we discuss how China and the U.S., the two leading global economic power, can better respond to the challenges and opportunities brought up by GDPR.

information science & library science

Antonia Vlahou,Dara Hallinan,Rolf Apweiler,Angel Argiles,Joachim Beige,Ariela Benigni,Rainer Bischoff,Peter C Black,Franziska Boehm,Jocelyn Céraline,George P Chrousos,Christian Delles,Pieter Evenepoel,Ivo Fridolin,Griet Glorieux,Alain J van Gool,Isabel Heidegger,John P A Ioannidis,Joachim Jankowski,Vera Jankowski,Carmen Jeronimo,Ashish M Kamat,Rosalinde Masereeuw,Gert Mayer,Harald Mischak,Alberto Ortiz,Giuseppe Remuzzi,Peter Rossing,Joost P Schanstra,Bernd J Schmitz-Dräger,Goce Spasovski,Jan A Staessen,Dimitrios Stamatialis,Peter Stenvinkel,Christoph Wanner,Stephen B Williams,Faiez Zannad,Carmine Zoccali,Raymond Vanholder

DOI: https://doi.org/10.1161/HYPERTENSIONAHA.120.16340

IF: 9.8968

Hypertension

Abstract:The General Data Protection Regulation (GDPR) became binding law in the European Union Member States in 2018, as a step toward harmonizing personal data protection legislation in the European Union. The Regulation governs almost all types of personal data processing, hence, also, those pertaining to biomedical research. The purpose of this article is to highlight the main practical issues related to data and biological sample sharing that biomedical researchers face regularly, and to specify how these are addressed in the context of GDPR, after consulting with ethics/legal experts. We identify areas in which clarifications of the GDPR are needed, particularly those related to consent requirements by study participants. Amendments should target the following: (1) restricting exceptions based on national laws and increasing harmonization, (2) confirming the concept of broad consent, and (3) defining a roadmap for secondary use of data. These changes will be achieved by acknowledged learned societies in the field taking the lead in preparing a document giving guidance for the optimal interpretation of the GDPR, which will be finalized following a period of commenting by a broad multistakeholder audience. In parallel, promoting engagement and education of the public in the relevant issues (such as different consent types or residual risk for re-identification), on both local/national and international levels, is considered critical for advancement. We hope that this article will open this broad discussion involving all major stakeholders, toward optimizing the GDPR and allowing a harmonized transnational research approach.