Excel G Chukwurah

DOI: https://doi.org/10.51594/csitrj.v5i4.1047

2024-04-17

Computer Science & IT Research Journal

Abstract:As data privacy concerns become increasingly prevalent, especially in the U.S. where regulations like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are setting new standards, technology companies must adopt advanced risk management strategies to ensure compliance and protect consumer data. This review explores the concept of proactive privacy and outlines key strategies for integrating privacy considerations into product development processes. The review begins by highlighting the growing importance of data privacy in the U.S. tech industry, emphasizing the need for proactive approaches to privacy management. It then introduces the concept of proactive privacy, which involves identifying and mitigating privacy risks early in the product development lifecycle. The review emphasizes the importance of adopting a privacy-by-design approach, where privacy considerations are integrated into every stage of product development. The review then outlines several advanced risk management strategies for proactive privacy. This includes conducting thorough privacy impact assessments (PIAs) to identify potential privacy risks associated with new products or services. It also emphasizes the importance of implementing privacy-enhancing technologies, such as encryption and anonymization, to protect consumer data. Furthermore, the review discusses the importance of establishing a culture of privacy within tech companies, where privacy is viewed as a fundamental value and employees are educated about privacy best practices. It also highlights the benefits of engaging with privacy experts and regulators to stay informed about evolving privacy regulations and industry standards. In conclusion, the review emphasizes the importance of proactive privacy in product development and highlights key strategies for integrating privacy considerations into the development process. By adopting advanced risk management strategies and prioritizing privacy throughout the product lifecycle, U.S. technology companies can enhance consumer trust, ensure compliance with regulations, and mitigate privacy risks. Keywords: Proactive Privacy, Risk Management, Strategies, Product Development, Advanced

Seun Solomon Bakare,Adekunle Oyeyemi Adeniyi,Chidiogo Uzoamaka Akpuokwe,Nkechi Emmanuella Eneh

DOI: https://doi.org/10.51594/csitrj.v5i3.859

2024-03-09

Computer Science & IT Research Journal

Abstract:This Review provides an overview of the comparative review of data privacy laws and compliance, focusing on the European Union's General Data Protection Regulation (EU GDPR) and data protection regulations in the United States. The analysis explores key similarities and differences, emphasizing their implications for businesses and individuals. The EU GDPR, implemented in 2018, stands as a landmark regulation governing data protection and privacy for individuals within the European Union and the European Economic Area. In contrast, the United States lacks a comprehensive federal data privacy law. Instead, it relies on a patchwork of sector-specific laws and state regulations, such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA). One major distinction lies in the overarching principles of these regulations. The EU GDPR adopts a comprehensive and rights-based approach, emphasizing individual rights to privacy, data portability, and the "right to be forgotten." In contrast, the U.S. system often focuses on specific industries or types of data, leading to a more fragmented regulatory landscape. Both regulatory frameworks incorporate principles of transparency, consent, and data breach notification. However, differences in enforcement mechanisms and penalties exist. The EU GDPR imposes significant fines for non-compliance, reaching up to 4% of a company's global annual revenue. In the U.S., penalties vary by state, and enforcement is often reactive, triggered by data breaches. Businesses operating globally must navigate these distinct regulatory landscapes, necessitating a nuanced approach to data privacy compliance. Multinational corporations must adhere to the more stringent requirements when handling EU citizens' data while also considering the diverse regulations within the U.S. This review underscores the ongoing evolution of data privacy laws worldwide and the critical importance for organizations to stay abreast of these developments. It emphasizes the need for a proactive and adaptive approach to data privacy compliance, taking into account the unique requirements and expectations of both the EU GDPR and U.S. regulations. Keywords: Data Privacy, Laws, Compliance, EU GDPR, Regulations.

Chao Wu

DOI: https://doi.org/10.1016/j.techsoc.2024.102457

IF: 6.879

2024-01-01

Technology in Society

Abstract:In recent years, data privacy has attracted increasing public concerns, especially with public scandals from top Internet companies, emerging over inappropriate data collection, lack of transparency in data usage, and manipulation of users' preferences. This has led to responsive efforts from multiple sectors of society to constrain the violation of individuals’ data privacy. Among these efforts, the regulations like GDPR are the most influential, which are believed to be able to change the foundation of the whole data ecosystem. The main concern of current regulation is data transparency, designed to enable individuals to make rational decisions about their data. However, I argue that transparency cannot mitigate a key issue of data privacy, which is the right of receiving benefits from data. This issue is getting severe with the rapid development of the data economy and will become the essential problem of social welfare and fairness in the AI era. I further point out that the key to solving this issue is to migrate the current centralized data utilization paradigm to a new decentralized paradigm. Based on the recent technical advancements, I propose an applicable pathway to implement such a paradigm. And to realize a fair and sustainable data eco-system, joint efforts should be made within this paradigm.

Richmond Y. Wong,Andrew Chong,R. Cooper Aspegren

DOI: https://doi.org/10.1145/3579515

2023-04-14

Proceedings of the ACM on Human-Computer Interaction

Abstract:Power exercised by large technology companies has led to concerns over privacy and data protection, evidenced by the passage of legislation including the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). While much privacy research has focused on how users perceive privacy and interact with companies, we focus on how privacy legislation is discussed among a different set of relationships-those between companies and investors. This paper investigates how companies translate the GDPR and CCPA into business risks in documents created for investors. We conduct a qualitative document analysis of annual regulatory filings (Form 10-K) from nine major technology companies. We outline five ways that technology companies consider GDPR and CCPA as business risks, describing both direct and indirect ways that the legislation may affect their businesses. We highlight how these findings are relevant for the broader CSCW and privacy research communities in research, design, and practice. Creating meaningful privacy changes within existing institutional structures requires some understanding of the dynamics of these companies' decision-making processes and the role of capital.

Sean Sirur,Jason R. C. Nurse,Helena Webb,Jason R.C. Nurse

DOI: https://doi.org/10.48550/arXiv.1808.07338

2018-08-22

Computers and Society

Abstract:The EU General Data Protection Regulation (GDPR), enforced from 25th May 2018, aims to reform how organisations view and control the personal data of private EU citizens. The scope of GDPR is somewhat unprecedented: it regulates every aspect of personal data handling, includes hefty potential penalties for non-compliance, and can prosecute any company in the world that processes EU citizens' data. In this paper, we look behind the scenes to investigate the real challenges faced by organisations in engaging with the GDPR. This considers issues in working with the regulation, the implementation process, and how compliance is verified. Our research approach relies on literature but, more importantly, draws on detailed interviews with several organisations. Key findings include the fact that large organisations generally found GDPR compliance to be reasonable and doable. The same was found for small-to-medium organisations (SMEs/SMBs) that were highly security-oriented. SMEs with less focus on data protection struggled to make what they felt was a satisfactory attempt at compliance. The main issues faced in their compliance attempts emerged from: the sheer breadth of the regulation; questions around how to enact the qualitative recommendations of the regulation; and the need to map out the entirety of their complex data networks.

Serge Abiteboul,Julia Stoyanovich

DOI: https://doi.org/10.48550/arXiv.1903.03683

2019-03-09

Abstract:The data revolution continues to transform every sector of science, industry and government. Due to the incredible impact of data-driven technology on society, we are becoming increasingly aware of the imperative to use data and algorithms responsibly -- in accordance with laws and ethical norms. In this article we discuss three recent regulatory frameworks: the European Union's General Data Protection Regulation (GDPR), the New York City Automated Decisions Systems (ADS) Law, and the Net Neutrality principle, that aim to protect the rights of individuals who are impacted by data collection and analysis. These frameworks are prominent examples of a global trend: Governments are starting to recognize the need to regulate data-driven algorithmic technology. Our goal in this paper is to bring these regulatory frameworks to the attention of the data management community, and to underscore the technical challenges they raise and which we, as a community, are well-equipped to address. The main take-away of this article is that legal and ethical norms cannot be incorporated into data-driven systems as an afterthought. Rather, we must think in terms of responsibility by design, viewing it as a systems requirement.

Databases,Computers and Society

Suvineetha Herath,Dakota State University,Haywood Gelman,Lisa McKee,

DOI: https://doi.org/10.32727/8.2023.18

2023-10-12

Abstract:In today's data-sharing paradigm, personal data has become a valuable resource that intensifies the risk of unauthorized access and data breach. Increased data mining techniques used to analyze big data have posed significant risks to data security and privacy. Consequently, data breaches are a significant threat to individual privacy. Privacy is a multifaceted concept covering many areas, including the right to access, erasure, and rectify personal data. This paper explores the legal aspects of privacy harm and how they transform into legal action. Privacy harm is the negative impact to an individual as a result of the unauthorized release, gathering, distillation, or expropriation of personal information. Privacy Enhancing Technologies (PETs) emerged as a solution to address data privacy issues and minimize the risk of privacy harm. It is essential to implement privacy enhancement mechanisms to protect Personally Identifiable Information (PII) from unlawful use or access. FIPPs (Fair Information Practice Principles), based on the 1973 Code of Fair Information Practice (CFIP), and the Organization for Economic Cooperation and Development (OECD), are a collection of widely accepted, influential US codes that agencies use when evaluating information systems, processes, programs, and activities affecting individual privacy. Regulatory compliance places a responsibility on organizations to follow best practices to ensure the protection of individual data privacy rights. This paper will focus on FIPPs, relevance to US state privacy laws, their influence on OECD, and reference to the EU General Data Processing Regulation. (GDPR).

Pranith Shetty,

DOI: https://doi.org/10.47363/jaicc/2023(2)224

2023-12-31

Abstract:Data Privacy is relevant for majority of the firms conducting businesses in the international market today. Better privacy safeguards and implementations are one of the key contributors in driving business output, companies are reporting direct and indirect benefits as a result of privacy project related investments. To be compliant with the Privacy regulation landscape globally is the need of the hour, there have been significant business impacts in terms of both financial and reputational, as a result of noncompliance to privacy regulations. To manage these risks, it is imperative for the Privacy assessment teams, Legal teams and Risk management teams to work together and tackle these challenges. This paper firstly aims at giving a perspective on global risk landscape and how the privacy regulations are gaining more traction every passing day, bringing in more states and countries into the fold. This article also narrates the approach or solution explaining how Risk management teams can partner with the relevant stakeholders in legal and privacy teams and guide the data privacy risks across firms, across business sectors. Through the risk management lifecycle thus remediating these risks, helping businesses prosper and at the same time safeguard individual interests.

Bisola Beatrice Oguejiofor,Adedolapo Omotosho,Kehinde Mobolaji Abioye,Ayoola Maxwell Alabi,Fuzzy Naomi Oguntoyinbo,Andrew Ifesinachi Daraojimba,Chibuike Daraojimba

DOI: https://doi.org/10.51594/ijarss.v5i8.571

2023-10-03

International Journal of Applied Research in Social Sciences

Abstract:In Nigeria's dynamic regulatory landscape, compliance challenges pose formidable obstacles to businesses and organizations across various sectors. This research explores Nigeria's multifaceted world of compliance, highlighting the intricacies of regulatory requirements, bureaucratic complexities, and resource constraints that organizations face. Amid these challenges, the pivotal role of data-driven approaches and technology in enhancing compliance efforts emerges as a central theme. The study's key findings reveal the complexity of Nigeria's regulatory environment, characterized by multiple authorities, inconsistencies, and persistent challenges like corruption and bureaucracy. Smaller organizations often grapple with resource limitations, hindering their ability to implement comprehensive compliance strategies. However, the research unveils the transformative power of data-driven solutions in addressing these compliance hurdles. Through real-world case studies spanning diverse sectors, it becomes evident that organizations can leverage data and technology to automate compliance processes, make informed decisions, and achieve real-time monitoring. These advancements lead to enhanced compliance, cost savings, improved reputations, and greater efficiency. The study provides a roadmap for organizations, emphasizing the importance of investing in data infrastructure, automation, and ethical data usage. Additionally, it underscores the need for collaboration with regulators, data privacy compliance, and a commitment to transparency. For regulators, the research recommends embracing regulatory technology (RegTech) solutions, fostering data-sharing platforms, ensuring transparency, and maintaining consistency in enforcement. Furthermore, it highlights the significance of educational initiatives and adaptive regulations to keep pace with technological advancements. Ultimately, the research illuminates the way forward in Nigeria's compliance landscape. Organizations that adopt data-driven approaches stand to navigate complex regulations more efficiently and proactively manage risks, contributing to business growth and sustainability in an ever-evolving environment. Meanwhile, regulators with data-driven tools can enhance oversight and enforcement, creating a more transparent and compliant business environment. Together, these efforts pave the path toward a future where compliance is not just a requirement but a strategic advantage in Nigeria's vibrant economy. Keywords: Compliance, Regulatory Landscape, Data-Driven Solutions, Nigeria, Regulatory Challenges, Technology, Data Analytics, Regulatory Bodies, Corruption, Data Privacy.

Supreeth Shastri,Melissa Wasserman,Vijay Chidambaram

DOI: https://doi.org/10.48550/arXiv.1911.00498

2019-11-01

Abstract:In recent years, our society is being plagued by unprecedented levels of privacy and security breaches. To rein in this trend, the European Union, in 2018, introduced a comprehensive legislation called the General Data Protection Regulation (GDPR). In this article, we review GDPR from a systems perspective, and identify how the design and operation of modern cloud-scale systems conflict with this regulation. We illustrate these conflicts via six GDPR anti-patterns: storing data without a clear timeline for deletion; reusing data indiscriminately; creating walled gardens and black markets; risk-agnostic data processing; hiding data breaches; making unexplainable decisions. Our findings reveal deep-rooted tussle between GDPR requirements and how cloud-scale systems that process personal data have evolved in the modern era. While it is imperative to avoid these anti-patterns, we believe that achieving compliance requires comprehensive, grounds up solutions; anything short would amount to fixing a leaky faucet in a sinking ship.

Computers and Society

Jayashree Mohan,Melissa Wasserman,Vijay Chidambaram

DOI: https://doi.org/10.1007/978-3-030-33752-0_6

2019-01-01

Abstract:AbstractWith the arrival of the European Union’s General Data Protection Regulation (GDPR), several companies are making significant changes to their systems to achieve compliance. The changes range from modifying privacy policies to redesigning systems which process personal data. Privacy policy is the main medium of information dissemination between the data controller and the users. This work analyzes the privacy policies of large-scaled cloud services which seek to be GDPR compliant. We show that many services that claim compliance today do not have clear and concise privacy policies. We identify several points in the privacy policies which potentially indicate non-compliance; we term these GDPR dark patterns. We identify GDPR dark patterns in ten large-scale cloud services. Based on our analysis, we propose seven best practices for crafting GDPR privacy policies.

Matthew S. McCoy,Anita L. Allen,Katharina Kopp,Michelle M. Mello,D. J. Patil,Pilar Ossorio,Steven Joffe,Ezekiel J. Emanuel

DOI: https://doi.org/10.1080/15265161.2023.2209535

2023-06-03

Abstract:It has become increasingly difficult for individuals to exercise meaningful control over the personal data they disclose to companies or to understand and track the ways in which that data is exchanged and used. These developments have led to an emerging consensus that existing privacy and data protection laws offer individuals insufficient protections against harms stemming from current data practices. However, an effective and ethically justified way forward remains elusive. To inform policy in this area, we propose the Ethical Data Practices framework. The framework outlines six principles relevant to the collection and use of personal data—minimizing harm, fairly distributing benefits and burdens, respecting autonomy, transparency, accountability, and inclusion—and translates these principles into action-guiding practical imperatives for companies that process personal data. In addition to informing policy, the practical imperatives can be voluntarily adopted by companies to promote ethical data practices.

ethics,medical ethics,social issues,social sciences, biomedical

Ayesha Qamar,Tehreem Javed,Mirza Omer Beg

DOI: https://doi.org/10.48550/arXiv.2102.12362

2021-02-21

Abstract:Privacy Policies are the legal documents that describe the practices that an organization or company has adopted in the handling of the personal data of its users. But as policies are a legal document, they are often written in extensive legal jargon that is difficult to understand. Though work has been done on privacy policies but none that caters to the problem of verifying if a given privacy policy adheres to the data protection laws of a given country or state. We aim to bridge that gap by providing a framework that analyzes privacy policies in light of various data protection laws, such as the General Data Protection Regulation (GDPR). To achieve that, firstly we labeled both the privacy policies and laws. Then a correlation scheme is developed to map the contents of a privacy policy to the appropriate segments of law that a policy must conform to. Then we check the compliance of privacy policy's text with the corresponding text of the law using NLP techniques. By using such a tool, users would be better equipped to understand how their personal data is managed. For now, we have provided a mapping for the GDPR and PDPA, but other laws can easily be incorporated in the already built pipeline.

Cryptography and Security,Computation and Language

V. Kravchuk

DOI: https://doi.org/10.24144/2307-3322.2023.78.2.7

2023-08-31

Abstract:The article analyzes the protection of personal data based on foreign experience. Social networking has been identified as one of the most prominent cultural phenomena to emerge in the Web 2.0 era. They keep users connected and facilitate the exchange of information between them. The European Union has adopted a new personal data protection system called the General Data Protection Regulation (GDPR). Its main goals include providing individuals with tools to control their personal data, implementing modern standards for the protection of personal information, developing the digital space of the European Union to safeguard personal data, ensuring strict compliance by all parties, and providing legal support for the international transfer of personal information. United States legislative documents related to aspects of data protection and privacy were analyzed, namely: California Consumer Privacy Act (CCPA); Children’s Online Privacy Protection Act (COPPA); Health Insurance Portability and Accountability Act (HIPAA); State data breach notification laws. It is noted that China has a comprehensive legal framework that regulates the protection of personal data, and includes the following legal acts: Personal Information Protection Law (PIPL) and Data Security Law (DSL). Conclusions were made that the urgency and importance of protecting personal data in social networks is due to rapid technological progress, the growth of cyber security threats and the spread of these platforms. By protecting personal data, people can maintain privacy, prevent abuse, maintain user trust, reduce risk, and comply with legal obligations. The issue of ensuring mobility and interoperability in social networks gives particular importance to the protection of personal data, as it relates to this particular data, and not just to technology, as it may be in the telecommunications sector. This requires additional thought and measures to ensure privacy and data security. Therefore, when developing legal protection mechanisms for online social networks, it is necessary to take into account and solve problems related to the protection of personal data.

Oluwatosin Reis,Nkechi Emmanuella Eneh,Benedicta Ehimuan,Anthony Anyanwu,Temidayo Olorunsogo,Temitayo Oluwaseun Abrahams

DOI: https://doi.org/10.51594/ijarss.v6i1.733

2024-01-25

International Journal of Applied Research in Social Sciences

Abstract:As the world becomes increasingly interconnected through digital technologies, the protection of individuals' privacy has emerged as a critical concern. This paper conducts a comprehensive global review of privacy legislation and enforcement mechanisms, shedding light on the challenges posed by the digital age. With a focus on the intricate balance between technological advancements and the fundamental right to privacy, the study explores the evolving legal landscape and its implications for individuals, businesses, and governments. The analysis encompasses diverse jurisdictions, highlighting the variations in privacy laws and enforcement approaches across regions. From the European Union's robust General Data Protection Regulation (GDPR) to the nuanced approaches in Asia and the Americas, this review synthesizes the evolving regulatory frameworks. Special attention is given to emerging issues such as the use of artificial intelligence, biometrics, and surveillance technologies, which pose unique challenges to existing privacy paradigms. Moreover, the paper investigates the effectiveness of enforcement mechanisms in ensuring compliance with privacy laws. It examines the role of governmental agencies, regulatory bodies, and international collaborations in addressing cross-border data flows and global privacy challenges. The study also evaluates the impact of recent high-profile privacy incidents on shaping legislative responses and enforcement strategies. By presenting a holistic view of privacy law challenges in the digital age, this research contributes to the ongoing discourse on safeguarding individuals' privacy rights in an era of rapid technological innovation. The findings provide valuable insights for policymakers, legal practitioners, businesses, and individuals seeking a deeper understanding of the evolving dynamics surrounding privacy legislation and enforcement on a global scale. Keywords: Law, Privacy Law, Digital Age, Review, Data Protection.

Graham Pearce,Nicholas Platten

DOI: https://doi.org/10.1111/1468-5965.00138

1998-12-01

Abstract:Actions aimed at exploiting the benefits of information and communication technologies have become a major focus of European Community (EC) policy.The new technologies offer considerable benefits to consumers, businesses and governments, but there is growing concern that their widespread use may threaten the privacy of personal information. Increases in transborder data flows, within the EC and globally, imply that a EC‐wide, and ultimately a global, approach is more appropriate than one based upon national rules. This article examines the evolution of EC personal data protection policies and concludes that, whilst considerable progress has been made towards establishing a regulatory framework, advances in technology and continuing variations in national responses seeking to protect personal privacy, are major obstacles to achieving data protection equivalence, both within the EC and in third countries.

economics,international relations,political science

Atheer Aljeraisy,Masoud Barati,Omer Rana,Charith Perera

DOI: https://doi.org/10.48550/arXiv.2210.03520

2022-10-06

Cryptography and Security

Abstract:Internet of Things (IoT) applications have the potential to derive sensitive information about individuals. Therefore, developers must exercise due diligence to make sure that data are managed according to the privacy regulations and data protection laws. However, doing so can be a difficult and challenging task. Recent research has revealed that developers typically face difficulties when complying with regulations. One key reason is that, at times, regulations are vague, and could be challenging to extract and enact such legal requirements. In our research paper, we have conducted a systematic analysis of the data protection laws that are used across different continents, namely: (i) General Data Protection Regulations (GDPR), (ii) the Personal Information Protection and Electronic Documents Act (PIPEDA), (iii) the California Consumer Privacy Act (CCPA), (iv) Australian Privacy Principles (APPs), and (v) New Zealand's Privacy Act 1993. In this technical report, we presented the detailed results of the conducted framework analysis method to attain a comprehensive view of different data protection laws and highlighted the disparities, in order to assist developers in adhering to the regulations across different regions, along with creating a Combined Privacy Law Framework (CPLF). After that, we gave an overview of various Privacy by Design (PbD) schemes developed previously by different researchers. Then, the key principles and individuals' rights of the CPLF were mapped with the privacy principles, strategies, guidelines, and patterns of the Privacy by Design (PbD) schemes in order to investigate the gaps in existing schemes.

Ze Shi Li,Colin Werner,Neil Ernst,Daniela Damian

DOI: https://doi.org/10.1016/j.infsof.2022.106868

IF: 3.9

2022-06-01

Information and Software Technology

Abstract:Context: Complying with privacy regulations has taken on new importance with the introduction of the EU’s General Data Protection Regulation (GDPR) and other privacy regulations. Privacy measures are becoming a paramount requirement demanding software organizations’ attention as recent privacy breaches such as the Capital One data breach affected millions of customers. Software organizations, however, struggle with achieving privacy compliance. In particular, there is a lack of research into the organizational practices and challenges involved in compliance, particularly for small and medium enterprises (SMEs), which represent a sizeable portion of organizations. Many SMEs use a continuous software engineering (CSE) approach, which introduces additional adoption and application challenges. For example, the fast pace of CSE makes it harder for SMEs that are already more resource constrained to prioritize non-functional requirements such as privacy. Objective: This paper aims to fill a gap in the under-researched area of continuous compliance with privacy requirements in practice, by investigating how a continuous practicing SME dealt with GDPR compliance. Method: Using design science, we conducted an in-depth ethnographically informed study over the span of 16 months and iteratively developed two artifacts to help address the organization’s challenges in addressing GDPR compliance. Results: We identified 3 main challenges that our collaborating organization experienced when trying to comply with the GDPR. To help mitigate the challenges, we developed two design science artifacts, which include a list of privacy requirements that operationalized the GDPR principles for automated verification, and an automated testing tool that helps to verify these privacy requirements. We validated these artifacts through close collaboration with our partner organization and applying our artifacts to the partner organization’s system. Conclusions: We conclude with a discussion of opportunities and obstacles in leveraging CSE to achieve continuous compliance with the GDPR. We also highlight the importance of building a shared understanding of privacy non-functional requirements and how risk management plays an important role in an organization’s GDPR compliance.

computer science, information systems, software engineering

,Teng Zhang

DOI: https://doi.org/10.55574/fhbx7722

2024-08-30

Abstract:With the rapid development of China’s digital economy and increasingly stringent global data protection regulations, corporate data security and compliance have become key factors that determine the competitiveness and sustainable development of enterprises. However, China’s data compliance governance still faces three main challenges: inadequate self-regulation of corporate data compliance, imperfect internal management system, and the risk of violations throughout the entire data lifecycle. To address these issues, China needs to comprehensively improve data security and compliance of Chinese enterprises by improving the system to strengthen corporate behavior guidance, intensifying internal compliance mechanisms, and identifying the compliance process for data processing. Based on the world’s most typical legal systems related to data security and corporate compliance, and drawing on local Chinese judicial cases, this paper provides an in-depth analysis of the current challenges faced by Chinese enterprises in data security compliance. Finally, the paper explores and proposes a comprehensive governance path. Through the implementation of the comprehensive measures proposed in this study, Chinese enterprises now have practical guidance in the increasingly complex data security environment, thereby promoting their stable and sustainable development. Keywords: Data Compliance, Chinese Enterprises, Corporate Governance, Information Security, Compliance

Alex Bowyer,Jack Holt,Josephine Go Jefferies,Rob Wilson,David Kirk,Jan David Smeddinck

DOI: https://doi.org/10.1145/3491102.3501947

2022-03-10

Abstract:In our data-centric world, most services rely on collecting and using personal data. The EU's General Data Protection Regulation (GDPR) aims to enhance individuals' control over their data, but its practical impact is not well understood. We present a 10-participant study, where each participant filed 4-5 data access requests. Through interviews accompanying these requests and discussions scrutinising returned data, it appears that GDPR falls short of its goals due to non-compliance and low-quality responses. Participants found their hopes to understand providers' data practices or harness their own data unmet. This causes increased distrust without any subjective improvement in power, although more transparent providers do earn greater trust. We propose designing more effective, data-inclusive and open policies and data access systems to improve both customer relations and individual agency, and also that wider public use of GDPR rights could help with delivering accountability and motivating providers to improve data practices.

Human-Computer Interaction