Georgios Georgiadis,Geert Poels

DOI: https://doi.org/10.1016/j.clsr.2021.105640

2022-04-01

Abstract:Big Data Analytics enables today's businesses and organisations to process and utilise the raw data that is generated on a daily basis. While Big Data Analytics has improved efficiency and created many opportunities, it has also increased the risk of personal data being compromised or breached. The General Data Protection Regulation (GDPR) mandates Data Protection Impact Assessment (DPIA) as a means of identifying appropriate controls to mitigate risks associated with the protection of personal data. However, little is currently known about how to conduct such a DPIA in a Big Data Analytics context. To this end, we conducted a systematic literature review with the aim of identifying privacy and data protection risks specific to the Big Data Analytics context that could negatively impact individuals' rights and freedoms when they occur. Based on a sample of 159 articles, we applied a thematic analysis to all identified risks which resulted in the definition of nine Privacy Touch Points that summarise the identified risks. The coverage of these Privacy Touch Points was then analysed for ten Privacy Impact Assessment (PIA) methodologies. The insights gained from our analysis will inform the next phase of our research, in which we aim to develop a comprehensive DPIA methodology that will enable data processors and data controllers to identify, analyse and mitigate privacy and data protection risks when storing and processing data involving Big Data Analytics.

law

Luis Enriquez

2024-11-06

Abstract:What if the main data protection vulnerability is risk management? Data Protection merges three disciplines: data protection law, information security, and risk management. Nonetheless, very little research has been made on the field of data protection risk management, where subjectivity and superficiality are the dominant state of the art. Since the GDPR tells you what to do, but not how to do it, the solution for approaching GDPR compliance is still a gray zone, where the trend is using the rule of thumb. Considering that the most important goal of risk management is to reduce uncertainty in order to take informed decisions, risk management for the protection of the rights and freedoms of the data subjects cannot be disconnected from the impact materialization that data controllers and processors need to assess. This paper proposes a quantitative approach to data protection risk-based compliance from a data controllers perspective, with the aim of proposing a mindset change, where data protection impact assessments can be improved by using data protection analytics, quantitative risk analysis, and calibrating expert opinions.

Risk Management,Machine Learning

Pranith Shetty,

DOI: https://doi.org/10.47363/jaicc/2023(2)224

2023-12-31

Abstract:Data Privacy is relevant for majority of the firms conducting businesses in the international market today. Better privacy safeguards and implementations are one of the key contributors in driving business output, companies are reporting direct and indirect benefits as a result of privacy project related investments. To be compliant with the Privacy regulation landscape globally is the need of the hour, there have been significant business impacts in terms of both financial and reputational, as a result of noncompliance to privacy regulations. To manage these risks, it is imperative for the Privacy assessment teams, Legal teams and Risk management teams to work together and tackle these challenges. This paper firstly aims at giving a perspective on global risk landscape and how the privacy regulations are gaining more traction every passing day, bringing in more states and countries into the fold. This article also narrates the approach or solution explaining how Risk management teams can partner with the relevant stakeholders in legal and privacy teams and guide the data privacy risks across firms, across business sectors. Through the risk management lifecycle thus remediating these risks, helping businesses prosper and at the same time safeguard individual interests.

Antonio Capodieci,Luca Mainetti,Stefano Lisi,Roberto Paiano,Sara Matino,Mariavittoria Ugirashebuja

DOI: https://doi.org/10.1007/s11042-024-20308-6

IF: 2.577

2024-11-06

Multimedia Tools and Applications

Abstract:The European Parliament adopted the European General Data Protection Regulation (GDPR, EU 2016/679), which revolutionized the legislative framework for personal data protection within the European Union. The GDPR mandates organizations to shift from a passive approach, relying on minimum security measures outlined in the 1994 EU Directive, to a proactive accountability-based approach. Organizations are expected to implement verification systems, foster continuous improvement, and follow principles such as privacy by design and privacy by default. The latter principle emphasizes incorporating privacy considerations throughout the entire engineering process. The challenge for organizations lies in effectively auditing their compliance with the GDPR. This study proposes a structured approach based on the business process modeling to aid in GDPR compliance. It involves identifying crucial compliance points for the GDPR. A case study is presented where the method is applied to a purchase of a health insurance policy process in the context of the Secure Safe Apulia project.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Tamas Bisztray,Nils Gruschka

DOI: https://doi.org/10.48550/arXiv.2110.07366

2021-10-14

Cryptography and Security

Abstract:Privacy and data protection have become more and more important in recent years since an increasing number of enterprises and startups are harvesting personal data as a part of their business model. One central requirement of the GDPR is the implementation of a data protection impact assessment for privacy critical systems. However, the law does not dictate or recommend the use of any particular framework. In this paper we compare different data protection impact assessment frameworks. We have developed a comparison and evaluation methodology and applied this to three popular impact assessment frameworks. The result of this comparison shows the weaknesses and strengths, but also clearly indicates that none of the tested frameworks fulfill all desired properties. Thus, the development of a new or improved data protection impact assessment framework is an important open issue for future work, especially for sector specific applications.

Rohit Ravindra Nikam,Rekha Shahapurkar

DOI: https://doi.org/10.3233/apc210221

2021-12-01

Abstract:Data mining is a technique that explores the necessary data is extracted from large data sets. Privacy protection of data mining is about hiding the sensitive information or identity of breach security or without losing data usability. Sensitive data contains confidential information about individuals, businesses, and governments who must not agree upon before sharing or publishing his privacy data. Conserving data mining privacy has become a critical research area. Various evaluation metrics such as performance in terms of time efficiency, data utility, and degree of complexity or resistance to data mining techniques are used to estimate the privacy preservation of data mining techniques. Social media and smart phones produce tons of data every minute. To decision making, the voluminous data produced from the different sources can be processed and analyzed. But data analytics are vulnerable to breaches of privacy. One of the data analytics frameworks is recommendation systems commonly used by e-commerce sites such as Amazon, Flip Kart to recommend items to customers based on their purchasing habits that lead to characterized. This paper presents various techniques of privacy conservation, such as data anonymization, data randomization, generalization, data permutation, etc. such techniques which existing researchers use. We also analyze the gap between various processes and privacy preservation methods and illustrate how to overcome such issues with new innovative methods. Finally, our research describes the outcome summary of the entire literature.

Isabel Wagner,Eerke Boiten

DOI: https://doi.org/10.1007/978-3-030-00305-0_17

2018-09-09

Abstract:Privacy risk assessments aim to analyze and quantify the privacy risks associated with new systems. As such, they are critically important in ensuring that adequate privacy protections are built in. However, current methods to quantify privacy risk rely heavily on experienced analysts picking the "correct" risk level on e.g. a five-point scale. In this paper, we argue that a more scientific quantification of privacy risk increases accuracy and reliability and can thus make it easier to build privacy-friendly systems. We discuss how the impact and likelihood of privacy violations can be decomposed and quantified, and stress the importance of meaningful metrics and units of measurement. We suggest a method of quantifying and representing privacy risk that considers a collection of factors as well as a variety of contexts and attacker models. We conclude by identifying some of the major research questions to take this approach further in a variety of application scenarios.

Cryptography and Security

Praveen Banasode,Sunita Padmannavar

DOI: https://doi.org/10.1109/fabs52071.2021.9702689

2021-12-21

Abstract:the revolution caused by the advanced analysis features of Internet of Things and big data have made a big turnaround in the digital world. Data analysis is not only limited to collect useful data but also useful in analyzing information quickly. Therefore, most of the variants of the shared system based on the parallel structural model are explored simultaneously as the appropriate big data storage library stimulates researchers’ interest in the distributed system. Due to the emerging digital technologies, different groups such as healthcare facilities, financial institutions, e-commerce, food service and supply chain management generate a surprising amount of information. Although the process of statistical analysis is essential, it can cause significant security and privacy issues. Therefore, the analysis of data privacy protection is very important. Using the platform, technology should focus on providing Advanced Cryptography Policy (ACP). This research explores different security risks, evolutionary mechanisms and risks of privacy protection. It further recommends the post-statistical modern privacy protection act to manage data privacy protection in binary format, because it is kept confidential by the user. The user authentication program has already filed access restrictions. To maintain this purpose, everyone’s attitude is to achieve a changing identity. This article is designed to protect the privacy of users and propose a new system of restoration of controls.

Suvineetha Herath,Dakota State University,Haywood Gelman,Lisa McKee,

DOI: https://doi.org/10.32727/8.2023.18

2023-10-12

Abstract:In today's data-sharing paradigm, personal data has become a valuable resource that intensifies the risk of unauthorized access and data breach. Increased data mining techniques used to analyze big data have posed significant risks to data security and privacy. Consequently, data breaches are a significant threat to individual privacy. Privacy is a multifaceted concept covering many areas, including the right to access, erasure, and rectify personal data. This paper explores the legal aspects of privacy harm and how they transform into legal action. Privacy harm is the negative impact to an individual as a result of the unauthorized release, gathering, distillation, or expropriation of personal information. Privacy Enhancing Technologies (PETs) emerged as a solution to address data privacy issues and minimize the risk of privacy harm. It is essential to implement privacy enhancement mechanisms to protect Personally Identifiable Information (PII) from unlawful use or access. FIPPs (Fair Information Practice Principles), based on the 1973 Code of Fair Information Practice (CFIP), and the Organization for Economic Cooperation and Development (OECD), are a collection of widely accepted, influential US codes that agencies use when evaluating information systems, processes, programs, and activities affecting individual privacy. Regulatory compliance places a responsibility on organizations to follow best practices to ensure the protection of individual data privacy rights. This paper will focus on FIPPs, relevance to US state privacy laws, their influence on OECD, and reference to the EU General Data Processing Regulation. (GDPR).

Sajid Momin,Sachin Avghade,Sonali Chavan

DOI: https://doi.org/10.48175/ijarsct-9020

2023-04-03

Abstract:This paper deals with the privacy issue in Indian perspective with respect to challenges in three different dimensions like Legal, Technical and Political domain. We have research to deal with these challenges. Advancement in technology such as remote accessibility, Data interchange Mining, Cloud computing etc. brings unforeseen challenges and one of the major challenges is threat to “privacy and protection”. There have been a plethora of developments in the privacy and data protection space in India. Data, off late, has been looked at by many very differently today in terms of value and treatment. There appears to be some rationale in the new saying that data is the new mark material [8].

Prathamesh Churi,Ambika Pawar,Antonio-José Moreno-Guerrero

DOI: https://doi.org/10.3390/inventions6030045

IF: 3.4

2021-06-23

Inventions

Abstract:Background: According to the renowned and Oscar award-winning American actor and film director Marlon Brando, “privacy is not something that I am merely entitled to, it is an absolute prerequisite.” Privacy threats and data breaches occur daily, and countries are mitigating the consequences caused by privacy and data breaches. The Indian healthcare industry is one of the largest and rapidly developing industry. Overall, healthcare management is changing from disease-centric into patient-centric systems. Healthcare data analysis also plays a crucial role in healthcare management, and the privacy of patient records must receive equal attention. Purpose: This paper mainly presents the utility and privacy factors of the Indian healthcare data and discusses the utility aspect and privacy problems concerning Indian healthcare systems. It defines policies that reform Indian healthcare systems. The case study of the NITI Aayog report is presented to explain how reformation occurs in Indian healthcare systems. Findings: It is found that there have been numerous research studies conducted on Indian healthcare data across all dimensions; however, privacy problems in healthcare, specifically in India, are caused by prevalent complacency, culture, politics, budget limitations, large population, and existing infrastructures. This paper reviews the Indian healthcare system and the applications that drive it. Additionally, the paper also maps that how privacy issues are happening in every healthcare sector in India. Originality/Value: To understand these factors and gain insights, understanding Indian healthcare systems first is crucial. To the best of our knowledge, we found no recent papers that thoroughly reviewed the Indian healthcare system and its privacy issues. The paper is original in terms of its overview of the healthcare system and privacy issues. Social Implications: Privacy has been the most ignored part of the Indian healthcare system. With India being a country with a population of 130 billion, much healthcare data are generated every day. The chances of data breaches and other privacy violations on such sensitive data cannot be avoided as they cause severe concerns for individuals. This paper segregates the healthcare system’s advances and lists the privacy that needs to be addressed first.

P. Geetha,Chandrakant Naikodi,Suresh Lakshmi Narasimha Setty

DOI: https://doi.org/10.1007/978-981-15-0372-6_19

2019-12-03

Abstract:Technological advancements in the field of Big Data and IoT have led to unprecedented growth in digital data. Data is collected from multiple distributed sources by business organizations, government agencies, and healthcare sectors. Data collected is mined to uncover valuable data, and the insights they provide are used by these organizations for optimized decision making. Data thus amassed may also contain sensitive personal information of individuals that are at risk of disclosure during analytics. Hence, there is a need for a privacy-aware system that enforces sensitive data protection. But such a system constrains the usefulness of data. Study shows that although significant findings do exist for balancing these contradicting objectives, the efficacy and scalability of these solutions continue to challenge the research community, given the volume of Big Data. Assessing the appropriate blend of these objectives for mutual benefit of organizations and customers requires leveraging the benefit of the modern tools and technologies in the Big Data ecosystem. This research study extensively reviews the previous work in the direction of privacy preserved Big Data analytics, and the review is first of its kind in exploring the challenges that have to be overcome in striking a balance between data value, privacy, scalability, and performance.

Sambhabi Patnaik,Kyvalya Garikapati,Lipsa Dash,Ramyani Bhattacharya,Arpita Mohapatra

DOI: https://doi.org/10.4108/eetpht.10.5583

2024-03-29

EAI Endorsed Transactions on Pervasive Health and Technology

Abstract:INTRODUCTION: Health information amassed during the treatment of a medical condition is termed health data. This data encompasses information gathered about a patient and their family, forming a patient history. The internet has progressively transformed communication, commerce, and information acquisition. Among the diverse domains it has influenced, the healthcare sector stands out as one of the most intricate and unique realms of integration. Big data are the results of normal online transactions and interactions that take place online, the detectors that are implanted in devices and actual locations, as well as the generation of digital contents by individuals whenever they submit data over internet. OBJECTIVES: The need of protection of health data and methods of safeguarding patient privacy. The study also helps \understand and appreciate the best practices which will help India in implementing the law more effectively. METHODS: A doctrinal method of research was employed to analyse the laws and regulations. A comparative approach of different countries gives us the understanding of the gaps and issues. The efficacy of the laws was tested as the paper explores the laws of Canada & Indonesia regarding data protection. RESULTS: In this study, we understood the generation, processing, and interchange of these massive amounts of data can now be facilitated by cloud computing technology. As India, recently enacted 'The Digital Data Protection Act 2023' which might be a ray of hope for protection of sensitive health data of individuals from misuse. CONCLUSION: The journey towards optimal data protection is ongoing, requiring continuous adaptation to the dynamic nature of technology and the ever-changing healthcare environment.

Majid Mollaeefar,Silvio Ranise

DOI: https://doi.org/10.1016/j.cose.2023.103206

2022-07-15

Abstract:Cybersecurity risk management consists of several steps including the selection of appropriate controls to minimize risks. This is a difficult task that requires to search through all possible subsets of a set of available controls and identify those that minimize the risks of all stakeholders. Since stakeholders may have different perceptions of the risks (especially when considering the impact of threats), conflicting goals may arise that require to find the best possible trade-offs among the various needs. In this work, we propose a quantitative and (semi)automated approach to solve this problem based on the well-known notion of Pareto optimality. For validation, we show how a prototype tool based on our approach can assist in the Data Protection Impact Assessment mandated by the General Data Protection Regulation on a simplified but realistic use case scenario. We also evaluate the scalability of the approach by conducting an experimental evaluation with the prototype with encouraging results.

Cryptography and Security

Inderjeet Singh Sodhi,Mankirat Kaur,Jaskirat Kaur

DOI: https://doi.org/10.1177/00195561241271579

2024-08-29

Indian Journal of Public Administration

Abstract:In the 21st century, data privacy, data protection and cybersecurity have become challenging issues with increasing cases of data breaches and data disasters. Data privacy has emerged as one of the challenging issues after numerous cases of data breaches and manipulations in many departments, agencies, bodies and organisations in every country. A well-designed data framework may enable not just secure data privacy/protection but also enable users’ control over data through a protective and safe system to share data across organisations, leading to individual empowerment and well-being. In India, privacy still remains a complex area, which has affected data safety and protection. A number of government websites clearly mention that data will not be shared with anyone until and unless for the purpose enshrined so far. In India, there have been various policies, guidelines, strategies and initiatives for cybersecurity, data privacy, data protection and data measures, including the Digital Personal Data Protection Act, 2023; the National Cyber Security Policy, 2013; the Information Technology Act 2000; the Information Technology (Amendment) Act, 2008; the Information Technology Rules, 2011 and so on. This article tries to examine policies/regulations for data privacy, data protection and data safety in South Indian states.

JAYA THAPA -

DOI: https://doi.org/10.36948/ijfmr.2024.v06i03.23530

2024-06-29

International Journal For Multidisciplinary Research

Abstract:The right to privacy is an essential human entitlement that involves an individual's independence and authority over their personal data. In an era dominated by digital interactions and data-driven technologies, the right to privacy has become increasingly pertinent. The concept of data privacy encompasses the protection of personal information from unauthorized access, use, and disclosure. With the proliferation of online platforms and digital services, individuals are generating vast amounts of data, raising concerns about its misuse and exploitation. Data privacy in India has become a significant issue with the increasing digitization of services and the proliferation of personal data collection by both government and private entities. In 2023, the digital data protection act was enacted to specifically deal with Data privacy as well as Data protection. This paper attempts to analyse the right to privacy vis-à-vis the digital data protection act, 2023 and this analysis explores how these regulatory provisions address the emerging challenges to the protection of sensitive personal data.

Gunjan Balde,Aryendra Singh,Niloy Ganguly,Mainack Mondal

2023-06-20

Abstract:Data privacy in healthcare is of paramount importance (and thus regulated using laws like HIPAA) due to the highly sensitive nature of patient data. To that end, healthcare organizations mention how they collect/process/store/share this data (i.e., data practices) via their privacy policies. Thus there is a need to audit these policies and check compliance with respective laws. This paper addresses this need and presents a large-scale data-driven study to audit privacy policies from healthcare organizations in three countries -- USA, UK, and India. We developed a three-stage novel \textit{workflow} for our audit. First, we collected the privacy policies of thousands of healthcare organizations in these countries and cleaned this privacy policy data using a clustering-based mixed-method technique. We identified data practices regarding users' private medical data (medical history) and site privacy (cookie, logs) in these policies. Second, we adopted a summarization-based technique to uncover exact broad data practices across countries and notice important differences. Finally, we evaluated the cross-country data practices using the lens of legal compliance (with legal expert feedback) and grounded in the theory of Contextual Integrity (CI). Alarmingly, we identified six themes of non-alignment (observed in 21.8\% of data practices studied in India) pointed out by our legal experts. Furthermore, there are four \textit{potential violations} according to case verdicts from Indian Courts as pointed out by our legal experts. We conclude this paper by discussing the utility of our auditing workflow and the implication of our findings for different stakeholders.

Computers and Society,Cryptography and Security,Human-Computer Interaction

Isabel Ebert,Isabelle Wildhaber,Jeremias Adams-Prassl

DOI: https://doi.org/10.1177/20539517211013051

2021-01-01

Abstract:Data-driven technologies have come to pervade almost every aspect of business life, extending to employee monitoring and algorithmic management. How can employee privacy be protected in the age of datafication? This article surveys the potential and shortcomings of a number of legal and technical solutions to show the advantages of human rights-based approaches in addressing corporate responsibility to respect privacy and strengthen human agency. Based on this notion, we develop a process-oriented model of Privacy Due Diligence to complement existing frameworks for safeguarding employee privacy in an era of Big Data surveillance.

social sciences, interdisciplinary

Ashish Dandekar,Debabrota Basu,Stéphane Bressan

DOI: https://doi.org/10.2478/popets-2021-0005

2020-11-09

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract The calibration of noise for a privacy-preserving mechanism depends on the sensitivity of the query and the prescribed privacy level. A data steward must make the non-trivial choice of a privacy level that balances the requirements of users and the monetary constraints of the business entity. Firstly, we analyse roles of the sources of randomness, namely the explicit randomness induced by the noise distribution and the implicit randomness induced by the data-generation distribution, that are involved in the design of a privacy-preserving mechanism. The finer analysis enables us to provide stronger privacy guarantees with quantifiable risks. Thus, we propose privacy at risk that is a probabilistic calibration of privacy-preserving mechanisms. We provide a composition theorem that leverages privacy at risk. We instantiate the probabilistic calibration for the Laplace mechanism by providing analytical results. Secondly, we propose a cost model that bridges the gap between the privacy level and the compensation budget estimated by a GDPR compliant business entity. The convexity of the proposed cost model leads to a unique fine-tuning of privacy level that minimises the compensation budget. We show its effectiveness by illustrating a realistic scenario that avoids overestimation of the compensation budget by using privacy at risk for the Laplace mechanism. We quantitatively show that composition using the cost optimal privacy at risk provides stronger privacy guarantee than the classical advanced composition. Although the illustration is specific to the chosen cost model, it naturally extends to any convex cost model. We also provide realistic illustrations of how a data steward uses privacy at risk to balance the trade-off between utility and privacy.

Kunal Taneja,Mark Grechanik,Rayid Ghani,Tao Xie

DOI: https://doi.org/10.1145/2025113.2025143

2011-01-01

Abstract:ABSTRACTDatabase-centric applications (DCAs) are common in enterprise computing, and they use nontrivial databases. Testing of DCAs is increasingly outsourced to test centers in order to achieve lower cost and higher quality. When proprietary DCAs are released, their databases should also be made available to test engineers. However, different data privacy laws prevent organizations from sharing this data with test centers because databases contain sensitive information. Currently, testing is performed with anonymized data, which often leads to worse test coverage (such as code coverage) and fewer uncovered faults, thereby reducing the quality of DCAs and obliterating benefits of test outsourcing. To address this issue, we offer a novel approach that combines program analysis with a new data privacy framework that we design to address constraints of software testing. With our approach, organizations can balance the level of privacy with needs of testing. We have built a tool for our approach and applied it to nontrivial Java DCAs. Our results show that test coverage can be preserved at a higher level by anonymizing data based on their effect on corresponding DCAs.